AI / ML
Monthly
openclaw-claude-bridge v1.1.0 incorrectly disables CLI tool access by passing --allowed-tools "" to the Claude Code subprocess, when the correct flag to disable tools is --tools. The --allowed-tools flag only controls which tools auto-approve without prompts; all CLI tools (Read, Write, Bash, WebFetch, etc.) remain nominally available. Users deploying the bridge to handle untrusted prompts or in gateway contexts may unknowingly operate without the sandboxing protections claimed in the README, exposing systems to prompt-injection attacks that could trigger arbitrary code execution in the process context. Vendor-released patch: v1.1.1 (commit 8a296f5).
LightRAG's JWT authentication can be bypassed via a hardcoded default secret 'lightrag-jwt-default-secret' when TOKEN_SECRET is not configured. Unauthenticated attackers can forge valid tokens to access protected API endpoints in installations running v1.4.10 with AUTH_ACCOUNTS enabled but TOKEN_SECRET unset. CVSS 7.5 (High) reflects network-accessible confidentiality breach with no authentication required. No public exploit identified at time of analysis, though the hardcoded secret is publicly documented in the vulnerability disclosure. EPSS data not available for this CVE.
NVIDIA APEX for Linux contains a deserialization of untrusted data vulnerability that affects environments using PyTorch versions earlier than 2.6. An attacker with low privileges on an adjacent network can exploit this flaw to achieve code execution, denial of service, privilege escalation, data tampering, and information disclosure with scope change (CVSS 9.0 Critical). No KEV listing or public POC availability has been reported at this time.
Wallos, an open-source self-hostable subscription tracker, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.7.0 that allows authenticated users to access internal network services, cloud metadata endpoints, and localhost-bound services. The vulnerability exists in three unprotected attack surfaces: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job-areas that were missed when SSRF protections were partially implemented in an earlier patch (CVE-2026-30840). An attacker with valid credentials can leverage these endpoints to reach sensitive internal resources including AWS IMDSv1, GCP, and Azure metadata services.
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.
AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import functionality that fails to validate file paths during ZIP extraction. An authenticated attacker with high privileges can craft a malicious ZIP file containing path traversal sequences that, when imported via the community hub, extract files outside the intended directory and achieve arbitrary code execution on the server. While the CVSS score is moderate (4.2) due to high privilege requirements and user interaction, the vulnerability enables code execution and should be addressed promptly.
SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.
Command injection RCE in claude-hovercraft tool. EPSS 1.3%.
XSS in AnythingLLM 1.11.1 and earlier.
AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where the application's HTTP endpoints and WebSocket connections lack proper authentication and accept requests from any origin. While rated CVSS 7.1, exploitation is limited to attackers on the same local network due to browser Private Network Access (PNA) protections, making this a medium-priority issue for most deployments.
LibreChat versions prior to 0.8.3-rc1 contain a Denial of Service vulnerability in the DELETE /api/convos endpoint where authenticated attackers can crash the Node.js server process by sending malformed requests lacking the required req.body.arg parameter. The vulnerability exploits improper destructuring without validation, causing an unhandled TypeError that bypasses Express middleware and triggers process.exit(1), resulting in complete service unavailability. No evidence of active exploitation in the wild or public POC has been identified at this time.
LibreChat versions 0.8.2 through 0.8.2-rc3 contain an authentication bypass vulnerability in the Model Context Protocol (MCP) OAuth callback endpoint that allows attackers to steal OAuth tokens by tricking victims into completing an OAuth flow, resulting in account takeover of the victim's MCP-linked services like Atlassian and Outlook. No active exploitation is known (not in KEV), no POC is publicly available, and EPSS data is not yet available for this newly disclosed vulnerability.
Apache Livy versions 0.7.0 and 0.8.0 contain an improper input validation vulnerability (CWE-20) that allows authenticated users to bypass file access controls by injecting malicious Spark configuration values when connecting to Apache Spark 3.1 or later. An attacker with access to Livy's REST or JDBC interface can craft requests with arbitrary Spark configuration parameters to gain unauthorized access to files they do not have permissions to read or modify. This vulnerability is of moderate severity (CVSS 6.3) but requires valid authentication and is fixed in version 0.9.0 and later.
Medium severity vulnerability in See description. Hyperterse allows users to specify database queries for tools to execute under the hood. As of [v2.0.0](https://github.com/hyperterse/hyperterse/releases/tag/v2.0.0), there are only two tools exposed - `search` and `execute`.
Out of bounds memory access in WebML in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
Integer overflow in WebML in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
FastGPT's Python Sandbox in versions 4.14.7 and earlier allows authenticated users to bypass file write restrictions by remapping standard output to arbitrary file descriptors via fcntl, enabling unauthorized file creation and modification within the container. The vulnerability exploits a gap between static detection and seccomp filtering, where remapped stdout still satisfies the write syscall rules. An attacker with sandbox access could create or overwrite arbitrary files despite the intended file system restrictions.
An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. The fix adds validation of the LiveQuery subscription WHERE clause against the class's protected fields, mirroring the existing REST API validation. If a subscription's WHERE clause references a protected field directly, via dot-notation, or inside `$or` / `$and` / `$nor` operators, the subscription is rejected with a permission error. This is applied during subscription creation, so existing event delivery paths are not affected. Disable LiveQuery for classes that use `protectedFields` in their Class-Level Permissions, or remove `protectedFields` from classes that require LiveQuery. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.35
Authenticated users in PingPong versions prior to 7.27.2 can access and delete files beyond their authorization scope, potentially exposing or removing private user files and model outputs. An attacker with valid credentials and thread access can exploit improper access controls to retrieve or delete sensitive data belonging to other users. No patch is currently available for this high-severity vulnerability affecting the AI/ML teaching platform.
Auth bypass in Unity Catalog 0.4.0 and earlier.
Flowise versions prior to 3.0.13 allow unauthenticated users to trigger Server-Side Request Forgery (SSRF) attacks through improperly validated URLs in the HTTP Node component, enabling attackers to probe internal networks and cloud metadata endpoints from the Flowise server. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. Any organization running a publicly exposed Flowise instance is at immediate risk of internal network reconnaissance and potential credential theft from cloud environments.
Coral Server has a third missing authorization flaw.
Coral Server has an IDOR vulnerability enabling cross-user data access.
Coral Server open collaboration platform has a missing authorization enabling unauthenticated access to all collaboration data.
Remote code execution in the zero-shot-scfoundation AI/ML framework results from a vulnerable third-party dependency, enabling unauthenticated attackers to execute arbitrary code over the network with minimal user interaction. This high-severity vulnerability affects systems using the affected component, and no patch is currently available.
OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.
OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.
SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.
WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.
DNS rebinding in WeKnora's web_fetch tool allows authenticated attackers to bypass URL validation and access internal resources and private IP addresses on the server through malicious domains that resolve differently during validation versus execution. Public exploit code exists for this vulnerability, and versions prior to 0.3.0 are affected with no patch currently available. An attacker could leverage this to access sensitive local services and exfiltrate data from the affected system.
Weknora versions up to 0.3.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).
Insufficient authorization checks in WeKnora's tenant management endpoints allow any authenticated user to read, modify, or delete arbitrary tenants, with public exploit code available. Since the application allows open registration, unauthenticated attackers can register an account and exploit this flaw to perform cross-tenant account takeover and data destruction. No patch is currently available for this high-severity vulnerability affecting WeKnora AI/ML framework versions prior to 0.3.2.
The /api/health/detailed endpoint in mcp-memory-service prior to version 10.21.0 discloses sensitive system information including OS details, Python version, CPU configuration, memory metrics, and database paths to unauthenticated network users when anonymous access is enabled. Public exploit code exists for this information disclosure vulnerability, which affects deployments using the default 0.0.0.0 network binding. A patch is available in version 10.21.0 to restrict endpoint access and redact sensitive data.
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerability data. PoC available.
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attributes (CVSS 7.7).
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthenticated attackers to upload and execute malicious files. PoC available.
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoofing an internal request header, granting access to sensitive administrative functions including API key and credential management. Public exploit code exists for this vulnerability, and an attacker with valid tenant credentials can escalate to administrative privileges without additional authentication. No patch is currently available for affected deployments.
WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.
Unsafe checkout of untrusted code in Mesa's benchmarks.yml GitHub Actions workflow prior to version 3.5.1 enables arbitrary code execution with elevated privileges on CI/CD runners. An attacker can exploit this by submitting malicious pull requests to execute commands in the privileged runner environment, potentially compromising the build pipeline and downstream users. A patch is available in commit c35b8cd.
Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.
Path traversal in OpenChatBI before fix. PoC and patch available.
SQL injection in CocoIndex Doris connector before 0.3.34. Patch available.
LangBot is a global IM bot platform designed for LLMs. versions up to 4.8.7 is affected by cross-site scripting (xss) (CVSS 6.3).
OpenClaw prior to version 2026.2.2 is vulnerable to server-side request forgery through its attachment and media URL processing, allowing unauthenticated remote attackers to make arbitrary HTTP requests to internal resources. Attackers can exploit model-controlled message features to trigger the SSRF and exfiltrate response data as outbound attachments. Public exploit code exists for this vulnerability.
OpenClaw versions before 2026.2.14 contain unprotected server-side request forgery flaws in the Feishu extension that enable remote attackers to access internal services and exfiltrate data without authentication. Attackers can exploit the sendMediaFeishu function and markdown image processing through direct manipulation or prompt injection to force the application to fetch attacker-controlled URLs and re-upload responses as Feishu media. A patch is available to remediate this network-accessible vulnerability affecting AI/ML deployments.
OpenClaw versions before 2026.2.1 fail to properly validate access controls in the Twitch plugin when role restrictions are not configured, allowing unauthenticated remote attackers to trigger agent dispatch through Twitch chat mentions. Public exploit code exists for this vulnerability, enabling attackers to invoke the agent pipeline and potentially cause unintended actions or resource exhaustion. Organizations running affected versions with the Twitch plugin enabled should apply the available patch immediately.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Unauthenticated command injection in FreePBX versions 16.0.17.2-16.0.19 and 17.0.2.4-17.0.4 via the ElevenLabs Text-to-Speech integration allows authenticated users with high privileges to execute arbitrary system commands. The vulnerability exists in the recordings module and affects all installations using the vulnerable TTS engine. No patch is currently available, leaving affected systems at risk of full system compromise.
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs. [CVSS 7.5 HIGH]
Xgrammar versions prior to 0.1.32 crash when processing multi-level nested syntax structures, causing a denial of service that halts the application. An attacker can trigger this segmentation fault remotely without authentication by submitting crafted input, disrupting any AI/ML system relying on this library for structured generation tasks. No patch is currently available for affected deployments.
LangSmith Studio contains a URL parameter injection vulnerability that allows attackers to steal authentication tokens, user IDs, and workspace credentials from users who click malicious links, enabling account takeover and unauthorized access to workspace resources. Both LangSmith Cloud and self-hosted Kubernetes deployments are affected, with exploitation requiring social engineering to trick authenticated users into clicking attacker-controlled URLs. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
Arbitrary file write in BentoML prior to version 1.4.36 allows local attackers to write files to arbitrary locations on the host system by crafting malicious tar archives containing symlinks that point outside the extraction directory. The vulnerability exists because the safe_extract_tarfile() function fails to validate symlink targets, only validating the symlink path itself, enabling attackers to bypass directory traversal protections. Public exploit code exists for this vulnerability; users should upgrade to version 1.4.36 or later.
Dify versions prior to 1.11.2 contain a stored cross-site scripting vulnerability in Mermaid diagram rendering due to insecure default security configurations, allowing authenticated attackers with user interaction to inject and execute malicious scripts with cross-site impact. Public exploit code exists for this vulnerability, affecting users and developers of the Dify LLM application development platform. A patch is available in version 1.11.2 and later.
Pickle deserialization RCE in Step-Video-T2V via API endpoints.
ModelScope ms-agent v1.6.0rc1 and earlier allows unauthenticated remote attackers to execute arbitrary operating system commands by injecting malicious input through prompt-derived parameters. Public exploit code exists for this vulnerability, and no patch is currently available. This command injection flaw affects AI/ML systems processing untrusted user prompts.
Server-Side Request Forgery in Gradio prior to version 6.6.0 allows attackers to execute arbitrary HTTP requests through a victim's infrastructure by crafting a malicious Space with a poisoned proxy_url configuration. Applications that load untrusted Gradio Spaces via gr.load() are vulnerable to attacks targeting internal services, cloud metadata endpoints, and private networks. No patch is currently available for affected Python/ML applications.
Open redirect in Gradio's OAuth implementation allows unauthenticated attackers to redirect users to arbitrary external URLs through the unvalidated _target_url parameter on /logout and /login/callback endpoints in applications with OAuth enabled. This affects Gradio versions prior to 6.6.0 running on Hugging Face Spaces with gr.LoginButton, enabling phishing attacks or credential theft. The vulnerability has been patched in version 6.6.0 by sanitizing the parameter to only accept relative URLs.
Gradio versions up to 6.7 contains a vulnerability that allows attackers to read arbitrary files from the file system (CVSS 7.5).
and deploy AI models using Docker. versions up to 1.0.16 contains a security vulnerability (CVSS 7.5).
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g.
Dify versions prior to 1.9.0 leak information through inconsistent API responses that distinguish between registered and non-registered email addresses, enabling attackers to enumerate valid user accounts. Public exploit code exists for this vulnerability, and affected users should upgrade to version 1.9.0 or later to remediate the information disclosure risk.
Kibana's AI Inference Anonymization Engine contains a ReDoS (Regular Expression Denial of Service) vulnerability that allows authenticated high-privilege users to crash the service through maliciously crafted input. An attacker with administrative credentials can trigger exponential regex backtracking to render the system unavailable, though no patch is currently available.
Directory traversal in ZenTaoPMS v18.11 through v21.6.beta allows arbitrary code execution through /module/ai/control.php. EPSS 0.76%.
Arbitrary code execution in Flair's LanguageModel class (versions 0.4.1 and later) allows local attackers to execute arbitrary commands by crafting malicious ML model files that exploit unsafe deserialization. Affected users loading untrusted models from external sources face complete system compromise with no patch currently available. This vulnerability impacts all AI/ML applications using Flair's model loading functionality.
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary code execution through crafted CSV files. EPSS 0.41% with PoC and patch available.
Authenticated attackers can execute arbitrary code on Agenta API servers through server-side template injection in the evaluator template rendering functionality, affecting self-hosted and managed platform deployments prior to version 0.86.8. The vulnerability requires valid credentials but allows complete compromise of the affected server with high confidentiality, integrity, and availability impact. Organizations running Agenta should upgrade to version 0.86.8 or later immediately.
Arbitrary code execution in Agenta-API prior to version 0.48.1 allows authenticated users to escape the RestrictedPython sandbox through unsafe whitelisting of the numpy package, enabling execution of arbitrary system commands on the API server. The vulnerability leverages numpy.ma.core.inspect to access Python introspection utilities and bypass sandbox restrictions. Public exploit code exists for this vulnerability, and no patch is currently available.
Supply chain attack vector in OpenLIT GitHub Actions workflows. The pull_request_target trigger with checkout enables malicious PRs to execute code in the context of the base repository. PoC and patch available.
Zed code editor versions before 0.225.9 fail to properly validate symbolic links in Agent file tools, allowing attackers to read and write arbitrary files outside the project directory and bypass workspace boundary protections. This vulnerability can expose sensitive user data to language models and leak private files despite configured exclusions. Public exploit code exists and no patch is currently available.
Improper output encoding in Sub2API AI API gateway allows injection attacks. The platform distributes AI API quotas without properly encoding output.
Remote code execution in n8n workflow automation platform allows authenticated users with workflow creation or modification permissions to execute arbitrary shell commands by chaining file write operations with git functions to manipulate configuration files. Versions prior to 2.2.0 and 1.123.8 are affected, and administrators should upgrade immediately or restrict workflow editing permissions to trusted users only.
Authenticated users with workflow modification permissions in n8n versions prior to 2.10.1, 2.9.3, and 1.123.22 can exploit the Merge node's SQL query mode to execute arbitrary code and write files on the server. This high-severity vulnerability (CVSS 8.8) affects the AI/ML and workflow automation platform, allowing attackers with legitimate access to achieve complete system compromise. No patch is currently available, and administrators should restrict workflow permissions or disable the Merge node as temporary mitigations.
Code injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22 allows authenticated users to execute arbitrary code by creating or editing workflows with malicious expressions. Third n8n RCE CVE in this release.
Python sandbox escape in n8n workflow automation before 2.10.1/2.9.3/1.123.22. Users who can modify workflows can escape the Python Code node sandbox for full host compromise on instances using internal Task Runners.
Second-order expression injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22. Crafted workflow data triggers expression evaluation leading to code execution. Patch available.
Buffer overflow in parallel HNSW index build in pgvector 0.6.0 versions up to 0.8.1 is affected by integer underflow (CVSS 8.1).
Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.
Sandbox escape in Enclave JavaScript sandbox before 2.11.1. Enclave is designed for safe AI agent code execution — the escape allows agents to execute arbitrary code outside the sandbox. CVSS 10.0, PoC and patch available.
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 improperly cache master keys and read-only master keys using identical cache identifiers, allowing authenticated users to obtain privilege escalation by retrieving cached credentials not intended for their access level under race conditions. An attacker with read-only dashboard access could retrieve the full master key, while regular users could access the read-only master key, compromising Parse Server security boundaries. The vulnerability requires low privileges and specific timing conditions but is fixed in version 9.0.0-alpha.8.
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 fail to implement CSRF protection on the AI Agent API endpoint, allowing attackers to perform unauthorized actions through the endpoint by tricking authenticated dashboard users into visiting malicious web pages. An attacker can exploit this to manipulate Parse Server applications managed through the vulnerable dashboard without explicit user consent. No patch is currently available; users can mitigate by disabling the agent configuration in their dashboard settings.
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 fail to properly authorize access to the AI Agent API endpoint, allowing authenticated users to access other apps' agent functionalities and read-only users to escalate privileges by obtaining the master key with write permissions. Attackers can exploit this to read, modify, or delete data across any app on affected Parse Server instances where agent configuration is enabled. No patch is currently available; administrators should disable the agent configuration block as a temporary mitigation.
Unauthenticated attackers can execute arbitrary read/write operations against Parse Server databases in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 by exploiting multiple chained vulnerabilities in the opt-in AI Agent API endpoint, gaining master key access without authentication or authorization checks. This affects only dashboards with an agent configuration enabled, allowing complete database compromise. The vulnerability has no available patch at this time, though version 9.0.0-alpha.8 implements fixes including authentication, CSRF validation, and proper authorization controls.
Remote code execution in MindsDB prior to version 25.9.1.1 allows authenticated attackers to bypass file upload restrictions through path traversal in the /api/files endpoint. An attacker can exploit insufficient filename validation to write arbitrary files to any location on the server, achieving command execution. Public exploit code exists for this vulnerability.
Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. User...
DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. [CVSS 8.4 HIGH]
New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available.
Denial of service in New API's `/api/token/search` endpoint allows authenticated users to exhaust database resources through SQL wildcard injection in unescaped search parameters. An attacker can craft malicious search patterns that trigger expensive queries, causing service unavailability. Public exploit code exists for this medium-severity vulnerability affecting versions prior to 0.10.8-alpha.10.
openclaw-claude-bridge v1.1.0 incorrectly disables CLI tool access by passing --allowed-tools "" to the Claude Code subprocess, when the correct flag to disable tools is --tools. The --allowed-tools flag only controls which tools auto-approve without prompts; all CLI tools (Read, Write, Bash, WebFetch, etc.) remain nominally available. Users deploying the bridge to handle untrusted prompts or in gateway contexts may unknowingly operate without the sandboxing protections claimed in the README, exposing systems to prompt-injection attacks that could trigger arbitrary code execution in the process context. Vendor-released patch: v1.1.1 (commit 8a296f5).
LightRAG's JWT authentication can be bypassed via a hardcoded default secret 'lightrag-jwt-default-secret' when TOKEN_SECRET is not configured. Unauthenticated attackers can forge valid tokens to access protected API endpoints in installations running v1.4.10 with AUTH_ACCOUNTS enabled but TOKEN_SECRET unset. CVSS 7.5 (High) reflects network-accessible confidentiality breach with no authentication required. No public exploit identified at time of analysis, though the hardcoded secret is publicly documented in the vulnerability disclosure. EPSS data not available for this CVE.
NVIDIA APEX for Linux contains a deserialization of untrusted data vulnerability that affects environments using PyTorch versions earlier than 2.6. An attacker with low privileges on an adjacent network can exploit this flaw to achieve code execution, denial of service, privilege escalation, data tampering, and information disclosure with scope change (CVSS 9.0 Critical). No KEV listing or public POC availability has been reported at this time.
Wallos, an open-source self-hostable subscription tracker, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.7.0 that allows authenticated users to access internal network services, cloud metadata endpoints, and localhost-bound services. The vulnerability exists in three unprotected attack surfaces: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job-areas that were missed when SSRF protections were partially implemented in an earlier patch (CVE-2026-30840). An attacker with valid credentials can leverage these endpoints to reach sensitive internal resources including AWS IMDSv1, GCP, and Azure metadata services.
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.
AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import functionality that fails to validate file paths during ZIP extraction. An authenticated attacker with high privileges can craft a malicious ZIP file containing path traversal sequences that, when imported via the community hub, extract files outside the intended directory and achieve arbitrary code execution on the server. While the CVSS score is moderate (4.2) due to high privilege requirements and user interaction, the vulnerability enables code execution and should be addressed promptly.
SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.
Command injection RCE in claude-hovercraft tool. EPSS 1.3%.
XSS in AnythingLLM 1.11.1 and earlier.
AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where the application's HTTP endpoints and WebSocket connections lack proper authentication and accept requests from any origin. While rated CVSS 7.1, exploitation is limited to attackers on the same local network due to browser Private Network Access (PNA) protections, making this a medium-priority issue for most deployments.
LibreChat versions prior to 0.8.3-rc1 contain a Denial of Service vulnerability in the DELETE /api/convos endpoint where authenticated attackers can crash the Node.js server process by sending malformed requests lacking the required req.body.arg parameter. The vulnerability exploits improper destructuring without validation, causing an unhandled TypeError that bypasses Express middleware and triggers process.exit(1), resulting in complete service unavailability. No evidence of active exploitation in the wild or public POC has been identified at this time.
LibreChat versions 0.8.2 through 0.8.2-rc3 contain an authentication bypass vulnerability in the Model Context Protocol (MCP) OAuth callback endpoint that allows attackers to steal OAuth tokens by tricking victims into completing an OAuth flow, resulting in account takeover of the victim's MCP-linked services like Atlassian and Outlook. No active exploitation is known (not in KEV), no POC is publicly available, and EPSS data is not yet available for this newly disclosed vulnerability.
Apache Livy versions 0.7.0 and 0.8.0 contain an improper input validation vulnerability (CWE-20) that allows authenticated users to bypass file access controls by injecting malicious Spark configuration values when connecting to Apache Spark 3.1 or later. An attacker with access to Livy's REST or JDBC interface can craft requests with arbitrary Spark configuration parameters to gain unauthorized access to files they do not have permissions to read or modify. This vulnerability is of moderate severity (CVSS 6.3) but requires valid authentication and is fixed in version 0.9.0 and later.
Medium severity vulnerability in See description. Hyperterse allows users to specify database queries for tools to execute under the hood. As of [v2.0.0](https://github.com/hyperterse/hyperterse/releases/tag/v2.0.0), there are only two tools exposed - `search` and `execute`.
Out of bounds memory access in WebML in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
Integer overflow in WebML in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
FastGPT's Python Sandbox in versions 4.14.7 and earlier allows authenticated users to bypass file write restrictions by remapping standard output to arbitrary file descriptors via fcntl, enabling unauthorized file creation and modification within the container. The vulnerability exploits a gap between static detection and seccomp filtering, where remapped stdout still satisfies the write syscall rules. An attacker with sandbox access could create or overwrite arbitrary files despite the intended file system restrictions.
An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. The fix adds validation of the LiveQuery subscription WHERE clause against the class's protected fields, mirroring the existing REST API validation. If a subscription's WHERE clause references a protected field directly, via dot-notation, or inside `$or` / `$and` / `$nor` operators, the subscription is rejected with a permission error. This is applied during subscription creation, so existing event delivery paths are not affected. Disable LiveQuery for classes that use `protectedFields` in their Class-Level Permissions, or remove `protectedFields` from classes that require LiveQuery. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.35
Authenticated users in PingPong versions prior to 7.27.2 can access and delete files beyond their authorization scope, potentially exposing or removing private user files and model outputs. An attacker with valid credentials and thread access can exploit improper access controls to retrieve or delete sensitive data belonging to other users. No patch is currently available for this high-severity vulnerability affecting the AI/ML teaching platform.
Auth bypass in Unity Catalog 0.4.0 and earlier.
Flowise versions prior to 3.0.13 allow unauthenticated users to trigger Server-Side Request Forgery (SSRF) attacks through improperly validated URLs in the HTTP Node component, enabling attackers to probe internal networks and cloud metadata endpoints from the Flowise server. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. Any organization running a publicly exposed Flowise instance is at immediate risk of internal network reconnaissance and potential credential theft from cloud environments.
Coral Server has a third missing authorization flaw.
Coral Server has an IDOR vulnerability enabling cross-user data access.
Coral Server open collaboration platform has a missing authorization enabling unauthenticated access to all collaboration data.
Remote code execution in the zero-shot-scfoundation AI/ML framework results from a vulnerable third-party dependency, enabling unauthenticated attackers to execute arbitrary code over the network with minimal user interaction. This high-severity vulnerability affects systems using the affected component, and no patch is currently available.
OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.
OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.
SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.
WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.
DNS rebinding in WeKnora's web_fetch tool allows authenticated attackers to bypass URL validation and access internal resources and private IP addresses on the server through malicious domains that resolve differently during validation versus execution. Public exploit code exists for this vulnerability, and versions prior to 0.3.0 are affected with no patch currently available. An attacker could leverage this to access sensitive local services and exfiltrate data from the affected system.
Weknora versions up to 0.3.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).
Insufficient authorization checks in WeKnora's tenant management endpoints allow any authenticated user to read, modify, or delete arbitrary tenants, with public exploit code available. Since the application allows open registration, unauthenticated attackers can register an account and exploit this flaw to perform cross-tenant account takeover and data destruction. No patch is currently available for this high-severity vulnerability affecting WeKnora AI/ML framework versions prior to 0.3.2.
The /api/health/detailed endpoint in mcp-memory-service prior to version 10.21.0 discloses sensitive system information including OS details, Python version, CPU configuration, memory metrics, and database paths to unauthenticated network users when anonymous access is enabled. Public exploit code exists for this information disclosure vulnerability, which affects deployments using the default 0.0.0.0 network binding. A patch is available in version 10.21.0 to restrict endpoint access and redact sensitive data.
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerability data. PoC available.
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attributes (CVSS 7.7).
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthenticated attackers to upload and execute malicious files. PoC available.
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoofing an internal request header, granting access to sensitive administrative functions including API key and credential management. Public exploit code exists for this vulnerability, and an attacker with valid tenant credentials can escalate to administrative privileges without additional authentication. No patch is currently available for affected deployments.
WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.
Unsafe checkout of untrusted code in Mesa's benchmarks.yml GitHub Actions workflow prior to version 3.5.1 enables arbitrary code execution with elevated privileges on CI/CD runners. An attacker can exploit this by submitting malicious pull requests to execute commands in the privileged runner environment, potentially compromising the build pipeline and downstream users. A patch is available in commit c35b8cd.
Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.
Path traversal in OpenChatBI before fix. PoC and patch available.
SQL injection in CocoIndex Doris connector before 0.3.34. Patch available.
LangBot is a global IM bot platform designed for LLMs. versions up to 4.8.7 is affected by cross-site scripting (xss) (CVSS 6.3).
OpenClaw prior to version 2026.2.2 is vulnerable to server-side request forgery through its attachment and media URL processing, allowing unauthenticated remote attackers to make arbitrary HTTP requests to internal resources. Attackers can exploit model-controlled message features to trigger the SSRF and exfiltrate response data as outbound attachments. Public exploit code exists for this vulnerability.
OpenClaw versions before 2026.2.14 contain unprotected server-side request forgery flaws in the Feishu extension that enable remote attackers to access internal services and exfiltrate data without authentication. Attackers can exploit the sendMediaFeishu function and markdown image processing through direct manipulation or prompt injection to force the application to fetch attacker-controlled URLs and re-upload responses as Feishu media. A patch is available to remediate this network-accessible vulnerability affecting AI/ML deployments.
OpenClaw versions before 2026.2.1 fail to properly validate access controls in the Twitch plugin when role restrictions are not configured, allowing unauthenticated remote attackers to trigger agent dispatch through Twitch chat mentions. Public exploit code exists for this vulnerability, enabling attackers to invoke the agent pipeline and potentially cause unintended actions or resource exhaustion. Organizations running affected versions with the Twitch plugin enabled should apply the available patch immediately.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Unauthenticated command injection in FreePBX versions 16.0.17.2-16.0.19 and 17.0.2.4-17.0.4 via the ElevenLabs Text-to-Speech integration allows authenticated users with high privileges to execute arbitrary system commands. The vulnerability exists in the recordings module and affects all installations using the vulnerable TTS engine. No patch is currently available, leaving affected systems at risk of full system compromise.
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs. [CVSS 7.5 HIGH]
Xgrammar versions prior to 0.1.32 crash when processing multi-level nested syntax structures, causing a denial of service that halts the application. An attacker can trigger this segmentation fault remotely without authentication by submitting crafted input, disrupting any AI/ML system relying on this library for structured generation tasks. No patch is currently available for affected deployments.
LangSmith Studio contains a URL parameter injection vulnerability that allows attackers to steal authentication tokens, user IDs, and workspace credentials from users who click malicious links, enabling account takeover and unauthorized access to workspace resources. Both LangSmith Cloud and self-hosted Kubernetes deployments are affected, with exploitation requiring social engineering to trick authenticated users into clicking attacker-controlled URLs. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
Arbitrary file write in BentoML prior to version 1.4.36 allows local attackers to write files to arbitrary locations on the host system by crafting malicious tar archives containing symlinks that point outside the extraction directory. The vulnerability exists because the safe_extract_tarfile() function fails to validate symlink targets, only validating the symlink path itself, enabling attackers to bypass directory traversal protections. Public exploit code exists for this vulnerability; users should upgrade to version 1.4.36 or later.
Dify versions prior to 1.11.2 contain a stored cross-site scripting vulnerability in Mermaid diagram rendering due to insecure default security configurations, allowing authenticated attackers with user interaction to inject and execute malicious scripts with cross-site impact. Public exploit code exists for this vulnerability, affecting users and developers of the Dify LLM application development platform. A patch is available in version 1.11.2 and later.
Pickle deserialization RCE in Step-Video-T2V via API endpoints.
ModelScope ms-agent v1.6.0rc1 and earlier allows unauthenticated remote attackers to execute arbitrary operating system commands by injecting malicious input through prompt-derived parameters. Public exploit code exists for this vulnerability, and no patch is currently available. This command injection flaw affects AI/ML systems processing untrusted user prompts.
Server-Side Request Forgery in Gradio prior to version 6.6.0 allows attackers to execute arbitrary HTTP requests through a victim's infrastructure by crafting a malicious Space with a poisoned proxy_url configuration. Applications that load untrusted Gradio Spaces via gr.load() are vulnerable to attacks targeting internal services, cloud metadata endpoints, and private networks. No patch is currently available for affected Python/ML applications.
Open redirect in Gradio's OAuth implementation allows unauthenticated attackers to redirect users to arbitrary external URLs through the unvalidated _target_url parameter on /logout and /login/callback endpoints in applications with OAuth enabled. This affects Gradio versions prior to 6.6.0 running on Hugging Face Spaces with gr.LoginButton, enabling phishing attacks or credential theft. The vulnerability has been patched in version 6.6.0 by sanitizing the parameter to only accept relative URLs.
Gradio versions up to 6.7 contains a vulnerability that allows attackers to read arbitrary files from the file system (CVSS 7.5).
and deploy AI models using Docker. versions up to 1.0.16 contains a security vulnerability (CVSS 7.5).
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g.
Dify versions prior to 1.9.0 leak information through inconsistent API responses that distinguish between registered and non-registered email addresses, enabling attackers to enumerate valid user accounts. Public exploit code exists for this vulnerability, and affected users should upgrade to version 1.9.0 or later to remediate the information disclosure risk.
Kibana's AI Inference Anonymization Engine contains a ReDoS (Regular Expression Denial of Service) vulnerability that allows authenticated high-privilege users to crash the service through maliciously crafted input. An attacker with administrative credentials can trigger exponential regex backtracking to render the system unavailable, though no patch is currently available.
Directory traversal in ZenTaoPMS v18.11 through v21.6.beta allows arbitrary code execution through /module/ai/control.php. EPSS 0.76%.
Arbitrary code execution in Flair's LanguageModel class (versions 0.4.1 and later) allows local attackers to execute arbitrary commands by crafting malicious ML model files that exploit unsafe deserialization. Affected users loading untrusted models from external sources face complete system compromise with no patch currently available. This vulnerability impacts all AI/ML applications using Flair's model loading functionality.
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary code execution through crafted CSV files. EPSS 0.41% with PoC and patch available.
Authenticated attackers can execute arbitrary code on Agenta API servers through server-side template injection in the evaluator template rendering functionality, affecting self-hosted and managed platform deployments prior to version 0.86.8. The vulnerability requires valid credentials but allows complete compromise of the affected server with high confidentiality, integrity, and availability impact. Organizations running Agenta should upgrade to version 0.86.8 or later immediately.
Arbitrary code execution in Agenta-API prior to version 0.48.1 allows authenticated users to escape the RestrictedPython sandbox through unsafe whitelisting of the numpy package, enabling execution of arbitrary system commands on the API server. The vulnerability leverages numpy.ma.core.inspect to access Python introspection utilities and bypass sandbox restrictions. Public exploit code exists for this vulnerability, and no patch is currently available.
Supply chain attack vector in OpenLIT GitHub Actions workflows. The pull_request_target trigger with checkout enables malicious PRs to execute code in the context of the base repository. PoC and patch available.
Zed code editor versions before 0.225.9 fail to properly validate symbolic links in Agent file tools, allowing attackers to read and write arbitrary files outside the project directory and bypass workspace boundary protections. This vulnerability can expose sensitive user data to language models and leak private files despite configured exclusions. Public exploit code exists and no patch is currently available.
Improper output encoding in Sub2API AI API gateway allows injection attacks. The platform distributes AI API quotas without properly encoding output.
Remote code execution in n8n workflow automation platform allows authenticated users with workflow creation or modification permissions to execute arbitrary shell commands by chaining file write operations with git functions to manipulate configuration files. Versions prior to 2.2.0 and 1.123.8 are affected, and administrators should upgrade immediately or restrict workflow editing permissions to trusted users only.
Authenticated users with workflow modification permissions in n8n versions prior to 2.10.1, 2.9.3, and 1.123.22 can exploit the Merge node's SQL query mode to execute arbitrary code and write files on the server. This high-severity vulnerability (CVSS 8.8) affects the AI/ML and workflow automation platform, allowing attackers with legitimate access to achieve complete system compromise. No patch is currently available, and administrators should restrict workflow permissions or disable the Merge node as temporary mitigations.
Code injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22 allows authenticated users to execute arbitrary code by creating or editing workflows with malicious expressions. Third n8n RCE CVE in this release.
Python sandbox escape in n8n workflow automation before 2.10.1/2.9.3/1.123.22. Users who can modify workflows can escape the Python Code node sandbox for full host compromise on instances using internal Task Runners.
Second-order expression injection in n8n workflow automation before 2.10.1/2.9.3/1.123.22. Crafted workflow data triggers expression evaluation leading to code execution. Patch available.
Buffer overflow in parallel HNSW index build in pgvector 0.6.0 versions up to 0.8.1 is affected by integer underflow (CVSS 8.1).
Remote code execution in LangGraph's caching layer affects applications that explicitly enable cache backends inheriting from BaseCache with nodes opted into caching via CachePolicy. An attacker can exploit unsafe deserialization through pickle when msgpack serialization fails, allowing arbitrary code execution on affected systems. This vulnerability requires explicit cache configuration and does not affect default deployments.
Sandbox escape in Enclave JavaScript sandbox before 2.11.1. Enclave is designed for safe AI agent code execution — the escape allows agents to execute arbitrary code outside the sandbox. CVSS 10.0, PoC and patch available.
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 improperly cache master keys and read-only master keys using identical cache identifiers, allowing authenticated users to obtain privilege escalation by retrieving cached credentials not intended for their access level under race conditions. An attacker with read-only dashboard access could retrieve the full master key, while regular users could access the read-only master key, compromising Parse Server security boundaries. The vulnerability requires low privileges and specific timing conditions but is fixed in version 9.0.0-alpha.8.
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 fail to implement CSRF protection on the AI Agent API endpoint, allowing attackers to perform unauthorized actions through the endpoint by tricking authenticated dashboard users into visiting malicious web pages. An attacker can exploit this to manipulate Parse Server applications managed through the vulnerable dashboard without explicit user consent. No patch is currently available; users can mitigate by disabling the agent configuration in their dashboard settings.
Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 fail to properly authorize access to the AI Agent API endpoint, allowing authenticated users to access other apps' agent functionalities and read-only users to escalate privileges by obtaining the master key with write permissions. Attackers can exploit this to read, modify, or delete data across any app on affected Parse Server instances where agent configuration is enabled. No patch is currently available; administrators should disable the agent configuration block as a temporary mitigation.
Unauthenticated attackers can execute arbitrary read/write operations against Parse Server databases in Parse Dashboard versions 7.3.0-alpha.42 through 9.0.0-alpha.7 by exploiting multiple chained vulnerabilities in the opt-in AI Agent API endpoint, gaining master key access without authentication or authorization checks. This affects only dashboards with an agent configuration enabled, allowing complete database compromise. The vulnerability has no available patch at this time, though version 9.0.0-alpha.8 implements fixes including authentication, CSRF validation, and proper authorization controls.
Remote code execution in MindsDB prior to version 25.9.1.1 allows authenticated attackers to bypass file upload restrictions through path traversal in the /api/files endpoint. An attacker can exploit insufficient filename validation to write arbitrary files to any location on the server, achieving command execution. Public exploit code exists for this vulnerability.
Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. User...
DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information. [CVSS 8.4 HIGH]
New API LLM gateway versions before 0.10.8-alpha.9 are vulnerable to stored cross-site scripting through the MarkdownRenderer component, which fails to sanitize script tags in model outputs. An authenticated attacker with user interaction can inject malicious scripts that execute in other users' browsers, potentially compromising session data or performing unauthorized actions. Public exploit code exists for this vulnerability, though a patch is available.
Denial of service in New API's `/api/token/search` endpoint allows authenticated users to exhaust database resources through SQL wildcard injection in unescaped search parameters. An attacker can craft malicious search patterns that trigger expensive queries, causing service unavailability. Public exploit code exists for this medium-severity vulnerability affecting versions prior to 0.10.8-alpha.10.