Skip to main content
CVE-2024-6842 HIGH POC PATCH THREAT Act Now

AnythingLLM version 1.5.5 exposes sensitive system settings including search engine API keys through the unauthenticated /setup-complete endpoint. Attackers can steal API keys, enumerate system configuration, and leverage exposed credentials to compromise integrated services.

Authentication Bypass Anythingllm
NVD GitHub
CVSS 3.0
7.5
EPSS
77.3%
Threat
5.3
CVE-2024-8859 HIGH POC PATCH THREAT Act Now

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 26.9%.

Path Traversal Mlflow AI / ML
NVD GitHub
CVSS 3.0
7.5
EPSS
26.9%
CVE-2025-2539 HIGH POC THREAT Act Now

The File Away plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax() function in all versions up to, and including, 3.9.9.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 20.8% and no vendor patch available.

WordPress Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
EPSS
20.8%
CVE-2024-11170 HIGH POC PATCH This Week

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of file paths by the multer middleware. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Path Traversal Librechat
NVD GitHub
CVSS 3.0
8.8
EPSS
2.9%
CVE-2024-12390 HIGH POC This Week

A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE Gpt Academic
NVD
CVSS 3.0
8.8
EPSS
2.6%
CVE-2025-1040 HIGH POC PATCH This Week

AutoGPT versions 0.3.4 and earlier are vulnerable to a Server-Side Template Injection (SSTI) that could lead to Remote Code Execution (RCE). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Ssti Autogpt Platform
NVD GitHub
CVSS 3.1
8.8
EPSS
1.7%
CVE-2024-9415 HIGH POC This Week

A Path Traversal vulnerability exists in the file upload functionality of transformeroptimus/superagi version 0.0.14. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal File Upload Superagi
NVD
CVSS 3.0
8.8
EPSS
1.3%
CVE-2024-10954 HIGH POC This Week

In the `manim` plugin of binary-husky/gpt_academic, versions prior to the fix, a vulnerability exists due to improper handling of user-provided prompts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Gpt Academic
NVD
CVSS 3.0
8.8
EPSS
1.3%
CVE-2024-10950 HIGH POC This Week

In binary-husky/gpt_academic version <= 3.83, the plugin `CodeInterpreter` is vulnerable to code injection caused by prompt injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE Code Injection Gpt Academic
NVD
CVSS 3.0
8.8
EPSS
1.3%
CVE-2024-9920 HIGH POC This Week

In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Lollms Web Ui
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2024-7044 HIGH POC This Week

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS File Upload Open Webui
NVD
CVSS 3.1
8.9
EPSS
0.3%
CVE-2024-7806 HIGH POC PATCH This Week

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python RCE CSRF Open Webui
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2024-11039 HIGH POC PATCH This Week

A pickle deserialization vulnerability exists in the Latex English error correction plug-in function of binary-husky/gpt_academic versions up to and including 3.83. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Deserialization Gpt Academic
NVD GitHub
CVSS 3.0
8.8
EPSS
0.5%
CVE-2024-10986 HIGH POC This Week

GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Gpt Academic
NVD
CVSS 3.0
8.8
EPSS
0.2%
CVE-2024-8501 HIGH POC GHSA This Week

An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agentscope version v0.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Privilege Escalation Agentscope
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-1796 HIGH POC This Week

A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a weak pseudo-random number generator (PRNG) used for. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Dify
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-12048 HIGH POC This Week

An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Superagi
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2024-10819 HIGH POC This Week

A Cross-Site Request Forgery (CSRF) vulnerability in version 3.83 of binary-husky/gpt_academic allows an attacker to trick a user into uploading files without their consent, exploiting their session. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF XSS Gpt Academic
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-7990 HIGH POC This Week

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Open Webui
NVD
CVSS 3.0
8.4
EPSS
0.2%
CVE-2024-8053 HIGH POC This Week

In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Denial Of Service Open Webui
NVD
CVSS 3.1
8.2
EPSS
0.8%
CVE-2024-10109 HIGH POC PATCH This Week

A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Denial Of Service Anythingllm
NVD GitHub
CVSS 3.0
8.3
EPSS
0.1%
CVE-2024-10648 HIGH POC This Week

A path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of version git 98cbcae. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Denial Of Service Gradio
NVD
CVSS 3.0
8.2
EPSS
0.2%
CVE-2024-10830 HIGH POC This Week

A Path Traversal vulnerability exists in the eosphoros-ai/db-gpt version 0.6.0 at the API endpoint `/v1/resource/file/delete`. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Db Gpt
NVD
CVSS 3.0
8.2
EPSS
0.2%
CVE-2025-0452 HIGH POC This Week

eosphoros-ai/DB-GPT version latest is vulnerable to arbitrary file deletion on Windows systems via the '/v1/agent/hub/update' endpoint. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Microsoft Information Disclosure Db Gpt Windows
NVD
CVSS 3.0
8.2
EPSS
0.2%
CVE-2024-8616 HIGH POC This Week

{name}/json` endpoint allows for arbitrary file overwrite on the target server. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure H2O
NVD
CVSS 3.0
8.2
EPSS
0.1%
CVE-2024-12039 HIGH POC This Week

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Dify
NVD
CVSS 3.1
8.1
EPSS
0.4%
CVE-2024-8238 HIGH POC This Week

In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Python RCE Ssti Aim
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-4023 HIGH POC PATCH This Week

A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Flatpress
NVD GitHub
CVSS 3.0
8.1
EPSS
0.2%
CVE-2024-12776 HIGH POC This Week

In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Information Disclosure Dify
NVD
CVSS 3.0
8.1
EPSS
0.2%
CVE-2024-10762 HIGH POC PATCH This Week

In lunary-ai/lunary before version 1.5.9, the /v1/evaluators/ endpoint allows users to delete evaluators of a project by sending a DELETE request. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Lunary
NVD GitHub
CVSS 3.0
8.1
EPSS
0.1%
CVE-2024-9099 HIGH POC PATCH This Week

In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Lunary
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2024-8026 HIGH POC This Week

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Qanything
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2024-10906 HIGH POC This Week

In version 0.6.0 of eosphoros-ai/db-gpt, the `uvicorn` app created by `dbgpt_server` uses an overly permissive instance of `CORSMiddleware` which sets the `Access-Control-Allow-Origin` to `*` for all. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Db Gpt
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2024-9847 HIGH POC PATCH This Week

FlatPress CMS version latest is vulnerable to Cross-Site Request Forgery (CSRF) attacks that allow an attacker to enable or disable plugins on behalf of a victim user. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. Public exploit code available.

CSRF Flatpress
NVD GitHub
CVSS 3.0
8.0
EPSS
0.1%
CVE-2024-9362 HIGH POC This Week

An unauthenticated directory traversal vulnerability exists in Polyaxon, affecting the latest version. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Path Traversal
NVD
CVSS 3.0
7.5
EPSS
2.4%
CVE-2024-7034 HIGH POC This Week

In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handling of user-supplied filenames. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Path Traversal Open Webui
NVD
CVSS 3.1
7.2
EPSS
3.0%
CVE-2024-7959 HIGH POC This Week

The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Open Webui
NVD
CVSS 3.1
7.7
EPSS
0.4%
CVE-2024-10051 HIGH POC This Week

Realchar version v0.0.4 is vulnerable to an unauthenticated denial of service (DoS) attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Realchar
NVD
CVSS 3.0
7.5
EPSS
0.9%
CVE-2024-10624 HIGH POC This Week

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Python Denial Of Service Gradio
NVD
CVSS 3.0
7.5
EPSS
0.8%
CVE-2024-12537 HIGH POC This Week

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Open Webui
NVD
CVSS 3.1
7.5
EPSS
0.8%
CVE-2024-8524 HIGH POC GHSA This Week

A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Agentscope
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2025-0187 HIGH POC This Week

A Denial of Service (DoS) vulnerability was discovered in the file upload feature of gradio-app/gradio version 0.39.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Gradio
NVD
CVSS 3.0
7.5
EPSS
0.6%
CVE-2024-11824 HIGH POC PATCH This Week

A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Dify
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2024-7036 HIGH POC This Week

A vulnerability in open-webui/open-webui v0.3.8 allows an unauthenticated attacker to sign up with excessively large text in the 'name' field, causing the Admin panel to become unresponsive. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Open Webui
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2025-0317 HIGH POC PATCH This Week

A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to upload and create a customized GGUF model file on the Ollama server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Ollama AI / ML Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-6851 HIGH POC This Week

In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-specified glob-pattern for deleting files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Aim
NVD
CVSS 3.0
7.5
EPSS
0.4%
CVE-2024-12864 HIGH POC This Week

A Denial of Service (DoS) vulnerability was discovered in the file upload feature of netease-youdao/qanything version v2.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Qanything
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2024-12070 HIGH POC This Week

A Denial of Service (DoS) vulnerability exists in the file upload feature of haotian-liu/llava, specifically in Release v1.2.0 (LLaVA-1.6). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Large Language And Vision Assistant
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2024-10912 HIGH POC This Week

A Denial of Service (DoS) vulnerability exists in the file upload feature of lm-sys/fastchat version 0.2.36. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Denial Of Service Fastchat
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2024-8063 HIGH POC PATCH GHSA This Week

A divide by zero vulnerability exists in ollama/ollama version v0.3.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Ollama AI / ML Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.3%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy