Previous versions of OpenCode started a server which allowed any website visited in a web browser to execute arbitrary commands on the local machine. Make sure you are using v1.1.10 or newer; see link for more details.

The disclosure timeline is concerning.

Reported 2025-11-17, and multiple "no responses" after repeated attempts to contact the maintainers... not a good look.