OpenCode developer thdxr has announced the resolution of a critical security vulnerability discovered by a Cloudflare security researcher. The flaw involved a web front-end parameter that could be exploited to direct users to malicious servers. By embedding inline scripts in forged Markdown sessions, attackers could trick users into clicking links that execute arbitrary commands on their computers via the terminal API. The official fix includes disabling the parameter, adding CSP headers, and enforcing password verification.
DeFiLlama founder 0xngmi commented on the issue, noting that a similar vulnerability was previously found in Cursor, which allowed arbitrary code execution on any computer with the software installed. He speculated that the pressure of AI competition might have led to security oversights in product delivery.
OpenCode Developer Fixes Critical Security Vulnerability
