patchleaks
every patch tells a story vulnerability.
§00 — patch intelligence, from diff to PoC
Read the
patch.
Ship the
proof.
// Automated vulnerability analysis across 41k+ open-source projects.
patchleaks.sh
◼ tty 01
v21.5 on disk
A living plugin
Running in production. Tens of thousands of installs.
I
CVE debugging
II
Zero-day detection
III
Verifier sort
commit · upstream
4a8fc23
→
yoast/wordpress-seo
21.5 → 21.6
183 files · 12 security-sensitive hunks · 4 functions touched
plugins/auth/login.php
on disk · v21.5
1// plugins/auth/login.php · v21.5
2public function authenticate($user, $pass) {
3 $q = "SELECT * FROM users WHERE "
4 . "name='" . $user . "' AND "
5 . "pass='" . $pass . "' LIMIT 1";
6 $row = $db->query($q)->fetch();
7 if ($row) {
8 $_SESSION['uid'] = $row['id'];
9 return true;
10 }
11 return false;
12}
CVE-2025-8819
critical
CWECWE-89 · SQL Injection
CVSS9.8 · critical
vectorAV:N · AC:L · PR:L · UI:N
KEVlisted · actively exploited
affectedYoast SEO ≤ 21.5
fixed21.6
articles/cve-2025-8819.md
● writing · claude-haiku-4.5
codebase · wp-content/plugins
indexed
avatar-upload.php180 loc● 5
smtp/send.php244 loc● 4
api/submit.php412 loc● 3
members/profile.php299 loc● 2
lib/db.php322 loc● 2
templates/reset.php112 loc● 1
redis/admin.php511 loc● 1
api/validate.php188 loc
sink rules · 6 cwe classes
loaded
CWE-89mysqli_query|->query\(|.execute\(0
CWE-78system|passthru|shell_exec|exec\(0
CWE-22file_get_contents|fopen|include\(0
CWE-79echo \$|print \$0
CWE-434move_uploaded_file\(0
CWE-352wp_verify_nonce|check_admin_referer0
InputTracer · send.php
tainted flow
source$_POST['email']send.php:44
rename$input = $_POST['email']send.php:45
concat$query = "... WHERE email = '$input'"send.php:51
sink$db->query($query)send.php:53
iteration 1
Initial pass · AI triage
queued
›scanning 48 grep matches · 6 CWE classes
›→ 31 discarded as non-reachable / non-user-input
›→ 17 candidates elevated to deep scan
iteration 2
Deep scan · ReAct verification
queued
›loading tree-sitter index · 1,284 fns · 11 files
›running 11-tool ReAct loop per candidate
›→ midpoint reflection · 4 likely defenses confirmed
11-tool ReAct loop · live trace
grep_search->query($0.08s3 hits
read_functionsendResetMail0.12s42 loc
check_user_input$_POST['email']0.04sunsanitized
find_callerssendResetMail0.21s3 routes
submit_verdictvulnerable0.01srecorded
iteration 3
Defense check · 3-iteration pipeline
queued
›iteration 1 · identify defense APIs · query_docs
›iteration 2 · follow wrapper chains · trace to native
›iteration 3 · final verdict with data-element evidence
candidates · awaiting verification
● 8 findings
#1CWE-89
send.php:53
#2CWE-79
profile.php:201
#3CWE-434
avatar-upload.php:66
#4CWE-89
reset.php:77
#5CWE-89
db.php:140
#6CWE-352
admin.php:288
#7CWE-78
submit.php:410
#8CWE-22
validate.php:102
▸ True positive · exploitable
0 / 4
◂ False positive · defended
0 / 4
#1
CWE-89
shipped
send.php:53
user $_POST flows into SQL via concat; no prepare()
confidence
0.00
#2
CWE-79
shipped
profile.php:201
echoed unsanitized $_GET['ref'] in <a href>
confidence
0.00
#3
CWE-434
shipped
avatar-upload.php:66
extension check via .jpg substring; .php.jpg bypass
confidence
0.00
#4
CWE-89
shipped
reset.php:77
token query lacks WHERE binding; second-order SQLi
confidence
0.00
#5
CWE-89
db.php:140
wrapper calls wpdb->prepare() internally
confidence
0.00
#6
CWE-352
admin.php:288
check_admin_referer() present in parent handler
confidence
0.00
#7
CWE-78
submit.php:410
value whitelisted via in_array() before shell_exec
confidence
0.00
#8
CWE-22
validate.php:102
realpath() + basedir check present
confidence
0.00
writeup.md● generated
poc.sh● generated
semgrep.yml● generated
article published● draft ready
inputs1 codebase · no CVE · 14k loc
pipelinegrep → tracer → 3 iterations → react → verifier
output4 zero-days · shipped
install base
pluginyoast-seo
version21.5
downloads13.2M active
php>= 7.4
cwe-89 · signature
pattern->query($
languagePHP
contextauth code path
hit count3 lines
commit metadata
authoryoast/core-team
subjectsecurity: harden login flow
files183
reviewed bysec-triage
tree-sitter diff
functionauthenticate
lines removed6
lines added7
ast depth+3
NVD correlation
cveCVE-2025-8819
cvss9.8 · critical
EPSS0.84
kevlisted
article draft
modelclaude-haiku-4.5
length412 words
sections5
statusready for review
codebase mount
plugins5
files41
lines14,280
languagesPHP · JS
grep sweep · live
cwe classes6
sink patterns80
files scanned41 / 41
sink hits80
inputtracer
targetsend.php:53
sources$_POST $_GET
hops3
verdicttainted
iteration 1 · triage
modelclaude-haiku-4.5
input48 grep hits
discarded31
forwarded17
iteration 2 · react
tool calls63
reflections2
stalls0
verdict13 remain
iteration 3 · defense
wrappers5 unwrapped
docs queried9
confirmed safe5
still suspect8
ready for verifier
tp suspected—
fp suspected—
confidence avg0.88
verifierpending
verifier · live
findings8
decisions0 / 8
avg latency0.42s
backendclaude-sonnet-4.5
verifier · live
findings8
decisions8 / 8
avg latency0.42s
backendclaude-sonnet-4.5
sort complete
true positives4
false positives4
precision50.0%
recall · est100%
artifacts shipped
writeups4 articles
pocs4 curl · 2 py
rules6 semgrep
advisories4 drafts
run summary
inputs1 repo · no cve
wall clock02:41 min
ai tokens187k
zero-days4 confirmed
01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
§01
Patch diff analysis
Reduce multi-thousand-line commits to the few hunks that actually move the security needle.
ANALYSIS
open
§02
Zero-day detector
Pattern-match CWE signatures against uncommitted code before an advisory is ever written.
ZERO-DAY
open
§03
Rule generator
Derive grep/semgrep rules from verified vulnerabilities. Run them across your entire library.
RULES
open
§04
PoC synthesis
AI drafts a reproducer from the patch. Reviewer verifies. Report shipped.
OUTPUT
open
§02
How the pipeline reads a patch
FOUR STAGES · DETERMINISTIC
stage 01
Reduce
The average security patch is buried under formatting, tests, vendored assets. We strip those noise hunks and keep what alters control flow, input handling, or crypto.
183 files → 12 hunks → 4 functions
stage 02
Match
Each remaining hunk runs against a CWE signature bank — taint analysis for injections, auth-check elisions, race windows, and crypto misuse.
CWE-89 · CWE-384 · CWE-352
stage 03
Reason
Claude Haiku reviews reduced hunks with CWE context and the project's own utility functions. It writes a one-paragraph verdict and a confidence score.
confidence 0.94 · model claude-haiku-4.5
stage 04
Ship
A reviewer approves. PatchLeaks emits a CVE-ready writeup, a PoC request payload, detection rules, and a KEV flag — all from one pull request.
writeup · poc.sh · semgrep.yml
§01
Live advisory feed
UPDATED EVERY 60s
| CVE | Severity | Target | Class | Age | — |
|---|---|---|---|---|---|
| Loading live feed… | |||||
10,240
CVEs indexed
152
patches parsed
187
PoCs generated
47
languages supported
--:--:--Z
last feed sync
§ready
Point it at a repo. Read the report.
Free for open-source projects. API available for security teams. No telemetry beyond what we say.