Skip to main content
CVE-2024-8053 HIGH POC This Week

In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Denial Of Service Open Webui
NVD
CVSS 3.1
8.2
EPSS
0.8%
CVE-2024-10109 HIGH POC PATCH This Week

A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Denial Of Service Anythingllm
NVD GitHub
CVSS 3.0
8.3
EPSS
0.1%
CVE-2024-10648 HIGH POC This Week

A path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of version git 98cbcae. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Denial Of Service Gradio
NVD
CVSS 3.0
8.2
EPSS
0.2%
CVE-2024-10830 HIGH POC This Week

A Path Traversal vulnerability exists in the eosphoros-ai/db-gpt version 0.6.0 at the API endpoint `/v1/resource/file/delete`. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Db Gpt
NVD
CVSS 3.0
8.2
EPSS
0.2%
CVE-2025-0452 HIGH POC This Week

eosphoros-ai/DB-GPT version latest is vulnerable to arbitrary file deletion on Windows systems via the '/v1/agent/hub/update' endpoint. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Information Disclosure Db Gpt Windows
NVD
CVSS 3.0
8.2
EPSS
0.2%
CVE-2024-8616 HIGH POC This Week

{name}/json` endpoint allows for arbitrary file overwrite on the target server. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure H2O
NVD
CVSS 3.0
8.2
EPSS
0.1%
CVE-2024-12039 HIGH POC This Week

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Dify
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2024-8238 HIGH POC This Week

In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Python RCE Ssti Aim
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-4023 HIGH POC PATCH This Week

A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Flatpress
NVD GitHub
CVSS 3.0
8.1
EPSS
0.2%
CVE-2024-12776 HIGH POC This Week

In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Dify
NVD
CVSS 3.0
8.1
EPSS
0.2%
CVE-2024-10762 HIGH POC PATCH This Week

In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.0
8.1
EPSS
0.1%
CVE-2024-9099 HIGH POC PATCH This Week

In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Lunary
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2024-8026 HIGH POC This Week

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Qanything
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2024-10906 HIGH POC This Week

In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance of `CORSMiddleware` which sets the `Access-Control-Allow-Origin` to `*` for all. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Db Gpt
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2024-9847 HIGH POC PATCH This Week

FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. Public exploit code available.

CSRF Flatpress
NVD GitHub
CVSS 3.0
8.0
EPSS
0.1%
CVE-2024-9362 HIGH POC This Week

An unauthenticated directory traversal vulnerability exists in Polyaxon, affecting the latest version. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Path Traversal
NVD
CVSS 3.0
7.5
EPSS
2.4%
CVE-2024-7034 HIGH POC This Week

In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handling of user-supplied filenames. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Path Traversal Open Webui
NVD
CVSS 3.1
7.2
EPSS
3.0%
CVE-2024-7959 HIGH POC This Week

The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Open Webui
NVD
CVSS 3.1
7.7
EPSS
0.4%
CVE-2024-10051 HIGH POC This Week

Realchar version v0.0.4 is vulnerable to an unauthenticated denial of service (DoS) attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Realchar
NVD
CVSS 3.0
7.5
EPSS
0.9%
CVE-2024-10624 HIGH POC This Week

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Denial Of Service Gradio
NVD
CVSS 3.0
7.5
EPSS
0.8%
CVE-2024-12537 HIGH POC This Week

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Open Webui
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-8524 HIGH POC GHSA This Week

A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Agentscope
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2025-0187 HIGH POC This Week

A Denial of Service (DoS) vulnerability was discovered in the file upload feature of gradio-app/gradio version 0.39.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Gradio
NVD
CVSS 3.0
7.5
EPSS
0.6%
CVE-2024-11824 HIGH POC PATCH This Week

A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Dify
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2024-7036 HIGH POC This Week

A vulnerability in open-webui/open-webui v0.3.8 allows an unauthenticated attacker to sign up with excessively large text in the 'name' field, causing the Admin panel to become unresponsive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Open Webui
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-0317 HIGH POC PATCH This Week

A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to upload and create a customized GGUF model file on the Ollama server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Ollama AI / ML Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-6851 HIGH POC This Week

In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-specified glob-pattern for deleting files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Aim
NVD
CVSS 3.0
7.5
EPSS
0.4%
CVE-2024-12864 HIGH POC This Week

A Denial of Service (DoS) vulnerability was discovered in the file upload feature of netease-youdao/qanything version v2.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Qanything
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2024-12070 HIGH POC This Week

A Denial of Service (DoS) vulnerability exists in the file upload feature of haotian-liu/llava, specifically in Release v1.2.0 (LLaVA-1.6). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Large Language And Vision Assistant
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2024-10912 HIGH POC This Week

A Denial of Service (DoS) vulnerability exists in the file upload feature of lm-sys/fastchat version 0.2.36. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Fastchat
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2024-8063 HIGH POC PATCH GHSA This Week

A divide by zero vulnerability exists in ollama/ollama version v0.3.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Ollama AI / ML Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-12063 HIGH POC This Week

A Denial of Service (DoS) vulnerability exists in the file upload feature of imartinez/privategpt version v0.6.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Privategpt
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2024-10714 HIGH POC This Week

A vulnerability in binary-husky/gpt_academic version 3.83 allows an attacker to cause a Denial of Service (DoS) by adding excessive characters to the end of a multipart boundary during file upload. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Gpt Academic
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2024-10225 HIGH POC This Week

A vulnerability in haotian-liu/llava v1.2.0 allows an attacker to cause a Denial of Service (DoS) by appending a large number of characters to the end of a multipart boundary in a file upload. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Llava
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2025-1451 HIGH POC This Week

A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Lollms Web Ui
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-12866 HIGH POC This Week

A local file inclusion vulnerability exists in netease-youdao/qanything version v2.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Qanything
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-10650 HIGH POC This Week

An unauthenticated Denial of Service (DoS) vulnerability was identified in ChuanhuChatGPT version 20240918, which could be exploited by sending large data payloads using a multipart boundary. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Chuanhuchatgpt
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2025-0312 HIGH POC PATCH This Week

A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that, when uploaded and created on the Ollama server, can cause a crash due to an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Ollama AI / ML Red Hat +1
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-12055 HIGH POC PATCH This Week

A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized gguf model file that can be uploaded to the public Ollama server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Buffer Overflow Denial Of Service Ollama AI / ML +2
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-8966 HIGH POC This Week

A vulnerability in the file upload process of gradio-app/gradio version @gradio/video@0.10.2 allows for a Denial of Service (DoS) attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Video
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-11171 HIGH POC PATCH This Week

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Librechat
NVD GitHub
CVSS 3.0
7.5
EPSS
0.2%
CVE-2025-29214 HIGH POC This Week

Tenda AX12 v22.03.01.46_CN was discovered to contain a stack overflow via the sub_42F69C function at /goform/setMacFilterCfg. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Buffer Overflow Stack Overflow Ax12 Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-8438 HIGH POC GHSA This Week

A path traversal vulnerability exists in modelscope/agentscope version v.0.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Agentscope
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2024-10935 HIGH POC This Week

automatic1111/stable-diffusion-webui version 1.10.0 contains a vulnerability where the server fails to handle excessive characters appended to the end of multipart boundaries. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Stable Diffusion Webui
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2024-7765 HIGH POC This Week

In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service H2O
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-7983 HIGH POC This Week

In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Open Webui
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2024-12534 HIGH POC This Week

In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Open Webui
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2024-6866 HIGH POC PATCH This Week

corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Information Disclosure Flask Cors Suse
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-10569 HIGH POC This Week

A vulnerability in the dataframe component of gradio-app/gradio (version git 98cbcae) allows for a zip bomb attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Gradio
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2024-11449 HIGH POC This Week

A vulnerability in haotian-liu/llava version 1.2.0 (LLaVA-1.6) allows for Server-Side Request Forgery (SSRF) through the /run/predict endpoint. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure SSRF Authentication Bypass Large Language And Vision Assistant
NVD
CVSS 3.0
7.5
EPSS
0.1%
Prev Page 2 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy