Insecure Default Initialization of Resource Affecting engramx package, versions <2.0.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-ENGRAMX-16421359
- published5 May 2026
- disclosed22 Apr 2026
- creditgabiudrescu
Introduced: 22 Apr 2026
New CVE NOT AVAILABLE CWE-1188 (opens in a new tab)How to fix?
Upgrade engramx to version 2.0.2 or higher.
Overview
engramx is a The context spine for AI coding agents. 9 built-in providers + mcpConfig plugin contract (wrap any MCP server in 10 lines), generic MCP-client aggregator (stdio), pre-mortem mistake-guard, bi-temporal mistake memory, Anthropic Auto-Memory bridge, SSE stre
Affected versions of this package are vulnerable to Insecure Default Initialization of Resource through the HTTP server's lack of authentication and permissive CORS configuration. An attacker can exfiltrate sensitive data and inject persistent payloads by enticing a user to visit a malicious web page, which can interact with the local server endpoints such as /query, /stats, and /learn.
Workaround
This vulnerability can be mitigated by not running the server or UI components, or by setting a strong ENGRAM_API_TOKEN and terminating the server before browsing the web.