AI / ML
Monthly
Remote OS command injection in Agions taskflow-ai up to version 2.1.8 allows authenticated remote attackers to execute arbitrary operating system commands via manipulation of the terminal_execute component in src/mcp/server/handlers.ts, with CVSS 6.3 reflecting moderate severity. Vendor-released patch is available in version 2.1.9 (commit c1550b445b9f24f38c4414e9a545f5f79f23a0fe), and the vendor responded promptly to early notification.
Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Workflow Automation: from n/a through <= 1.4.2.
Missing Authorization vulnerability in HBSS Technologies MAIO – The new AI GEO / SEO tool maio-the-new-ai-geo-seo-tool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MAIO – The new AI GEO / SEO tool: from n/a through <= 6.2.8.
Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2.
openclaw-claude-bridge v1.1.0 incorrectly disables CLI tool access by passing --allowed-tools "" to the Claude Code subprocess, when the correct flag to disable tools is --tools. The --allowed-tools flag only controls which tools auto-approve without prompts; all CLI tools (Read, Write, Bash, WebFetch, etc.) remain nominally available. Users deploying the bridge to handle untrusted prompts or in gateway contexts may unknowingly operate without the sandboxing protections claimed in the README, exposing systems to prompt-injection attacks that could trigger arbitrary code execution in the process context. Vendor-released patch: v1.1.1 (commit 8a296f5).
JWT secret key brute-forcing in Parisneo Lollms 2.1.0 allows unauthenticated remote attackers to forge administrative tokens and achieve full system compromise. The application uses a weak secret for signing JSON Web Tokens, enabling offline attacks to recover credentials and escalate privileges to administrator level. With CVSS 9.8 (critical network-accessible attack requiring no privileges) and EPSS data unavailable, this represents a severe authentication bypass in AI/LLM management software. Fixed in version 2.2.0. No public exploit identified at time of analysis, though the attack technique (JWT cracking) is well-documented.
Remote code execution in HuggingFace Transformers library allows arbitrary code execution via malicious checkpoint files. The `_load_rng_state()` method in the `Trainer` class calls `torch.load()` without the `weights_only=True` parameter, enabling deserialization attacks when PyTorch versions below 2.6 are used with torch>=2.2. An attacker can craft a malicious `rng_state.pth` checkpoint file that executes arbitrary code when loaded by an application using affected Transformers versions. The fix is available in version v5.0.0rc3, and no public exploit has been independently confirmed at time of analysis.
LightRAG's JWT authentication can be bypassed via a hardcoded default secret 'lightrag-jwt-default-secret' when TOKEN_SECRET is not configured. Unauthenticated attackers can forge valid tokens to access protected API endpoints in installations running v1.4.10 with AUTH_ACCOUNTS enabled but TOKEN_SECRET unset. CVSS 7.5 (High) reflects network-accessible confidentiality breach with no authentication required. No public exploit identified at time of analysis, though the hardcoded secret is publicly documented in the vulnerability disclosure. EPSS data not available for this CVE.
NVIDIA APEX for Linux contains a deserialization of untrusted data vulnerability that affects environments using PyTorch versions earlier than 2.6. An attacker with low privileges on an adjacent network can exploit this flaw to achieve code execution, denial of service, privilege escalation, data tampering, and information disclosure with scope change (CVSS 9.0 Critical). No KEV listing or public POC availability has been reported at this time.
Wallos, an open-source self-hostable subscription tracker, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.7.0 that allows authenticated users to access internal network services, cloud metadata endpoints, and localhost-bound services. The vulnerability exists in three unprotected attack surfaces: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job-areas that were missed when SSRF protections were partially implemented in an earlier patch (CVE-2026-30840). An attacker with valid credentials can leverage these endpoints to reach sensitive internal resources including AWS IMDSv1, GCP, and Azure metadata services.
A deserialization vulnerability exists in PyTorch 2.10.0 within the pt2 Loading Handler component, allowing local attackers with low privileges to achieve confidentiality, integrity, and availability impacts through untrusted data processing. The vulnerability (CWE-502) is confirmed to have a publicly available exploit and has been reported to the project via pull request PR#176791, though remediation status remains unclear. With a CVSS score of 5.3 and exploitation probability marked as probable (E:P), this represents a moderate real-world risk primarily affecting local development and deployment environments.
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.
Server-side request forgery in Vanna AI versions up to 2.0.2 allows unauthenticated remote attackers to manipulate the update_sql and run_sql endpoints in the Flask component. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
SQL injection in Vanna up to version 2.0.2 allows authenticated remote attackers to execute arbitrary SQL queries through the update_sql endpoint function. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An authenticated attacker can leverage this to read, modify, or delete database contents depending on the application's database permissions.
SQL injection in Vanna AI's BigQuery integration (versions up to 2.0.2) allows unauthenticated remote attackers to manipulate the remove_training_data function through unsanitized ID parameters. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation enables attackers to read, modify, or delete database contents with limited impact on confidentiality, integrity, and availability.
A critical authentication bypass vulnerability exists in GROWI's OpenAI assistant API endpoints where authorization checks are missing, allowing any authenticated user to access and manipulate other users' AI assistant conversations. The vulnerability affects GROWI versions 7.4.5 and earlier, enabling attackers with low-level credentials to compromise confidentiality and integrity of AI assistant threads and messages by simply knowing the assistant identifier. While not currently listed in CISA KEV and with no public exploit code identified, the vulnerability carries a high CVSS score of 8.3 due to its low exploitation complexity and significant data exposure potential.
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by injecting malicious input through the --container parameter when deploying models to SageMaker. The vulnerability affects MLflow installations in development environments, CI/CD pipelines, and cloud deployments, with a CVSS score of 7.5 indicating high severity. No active exploitation or KEV listing is reported, and no EPSS data is available to assess real-world exploitation likelihood.
Unauthenticated attackers can modify arbitrary WordPress posts through the User Frontend plugin (versions up to 4.2.8) due to missing authorization checks in the draft_post() function, allowing them to unpublish or alter post content. The vulnerability affects all installations of the affected plugin versions without requiring authentication or user interaction. No patch is currently available.
AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import functionality that fails to validate file paths during ZIP extraction. An authenticated attacker with high privileges can craft a malicious ZIP file containing path traversal sequences that, when imported via the community hub, extract files outside the intended directory and achieve arbitrary code execution on the server. While the CVSS score is moderate (4.2) due to high privilege requirements and user interaction, the vulnerability enables code execution and should be addressed promptly.
SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.
Command injection RCE in claude-hovercraft tool. EPSS 1.3%.
XSS in AnythingLLM 1.11.1 and earlier.
AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where the application's HTTP endpoints and WebSocket connections lack proper authentication and accept requests from any origin. While rated CVSS 7.1, exploitation is limited to attackers on the same local network due to browser Private Network Access (PNA) protections, making this a medium-priority issue for most deployments.
LibreChat versions prior to 0.8.3-rc1 contain a Denial of Service vulnerability in the DELETE /api/convos endpoint where authenticated attackers can crash the Node.js server process by sending malformed requests lacking the required req.body.arg parameter. The vulnerability exploits improper destructuring without validation, causing an unhandled TypeError that bypasses Express middleware and triggers process.exit(1), resulting in complete service unavailability. No evidence of active exploitation in the wild or public POC has been identified at this time.
LibreChat versions 0.8.2 through 0.8.2-rc3 contain an authentication bypass vulnerability in the Model Context Protocol (MCP) OAuth callback endpoint that allows attackers to steal OAuth tokens by tricking victims into completing an OAuth flow, resulting in account takeover of the victim's MCP-linked services like Atlassian and Outlook. No active exploitation is known (not in KEV), no POC is publicly available, and EPSS data is not yet available for this newly disclosed vulnerability.
Apache Livy versions 0.7.0 and 0.8.0 contain an improper input validation vulnerability (CWE-20) that allows authenticated users to bypass file access controls by injecting malicious Spark configuration values when connecting to Apache Spark 3.1 or later. An attacker with access to Livy's REST or JDBC interface can craft requests with arbitrary Spark configuration parameters to gain unauthorized access to files they do not have permissions to read or modify. This vulnerability is of moderate severity (CVSS 6.3) but requires valid authentication and is fixed in version 0.9.0 and later.
Medium severity vulnerability in See description. Hyperterse allows users to specify database queries for tools to execute under the hood. As of [v2.0.0](https://github.com/hyperterse/hyperterse/releases/tag/v2.0.0), there are only two tools exposed - `search` and `execute`.
Local attackers can achieve heap buffer overflow in llama.cpp versions before b8146 through integer overflow in the GGUF file parsing function, enabling arbitrary code execution with high integrity and confidentiality impact. The vulnerability stems from undersized heap allocation followed by unvalidated writes of over 528 bytes of attacker-controlled data, bypassing a previous fix for the same component. This affects systems running vulnerable LLM inference implementations on local machines where user interaction is required to trigger the malicious GGUF file processing.
A weakness has been identified in OpenAkita versions up to 1.24.3. is affected by command injection (CVSS 5.3).
Out of bounds memory access in WebML in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
Integer overflow in WebML in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
FastGPT's Python Sandbox in versions 4.14.7 and earlier allows authenticated users to bypass file write restrictions by remapping standard output to arbitrary file descriptors via fcntl, enabling unauthorized file creation and modification within the container. The vulnerability exploits a gap between static detection and seccomp filtering, where remapped stdout still satisfies the write syscall rules. An attacker with sandbox access could create or overwrite arbitrary files despite the intended file system restrictions.
OpenBMB XAgent 1.0.0 contains a path traversal vulnerability in the workspace router that allows unauthenticated remote attackers to manipulate the file_name parameter and access or modify arbitrary files on the system. Public exploit code is available for this vulnerability, which affects the integrity and availability of the application. The vendor has not yet released a patch despite early notification of the issue.
An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. The fix adds validation of the LiveQuery subscription WHERE clause against the class's protected fields, mirroring the existing REST API validation. If a subscription's WHERE clause references a protected field directly, via dot-notation, or inside `$or` / `$and` / `$nor` operators, the subscription is rejected with a permission error. This is applied during subscription creation, so existing event delivery paths are not affected. Disable LiveQuery for classes that use `protectedFields` in their Class-Level Permissions, or remove `protectedFields` from classes that require LiveQuery. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.35
Authenticated users in PingPong versions prior to 7.27.2 can access and delete files beyond their authorization scope, potentially exposing or removing private user files and model outputs. An attacker with valid credentials and thread access can exploit improper access controls to retrieve or delete sensitive data belonging to other users. No patch is currently available for this high-severity vulnerability affecting the AI/ML teaching platform.
Auth bypass in Unity Catalog 0.4.0 and earlier.
Flowise versions prior to 3.0.13 allow unauthenticated users to trigger Server-Side Request Forgery (SSRF) attacks through improperly validated URLs in the HTTP Node component, enabling attackers to probe internal networks and cloud metadata endpoints from the Flowise server. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. Any organization running a publicly exposed Flowise instance is at immediate risk of internal network reconnaissance and potential credential theft from cloud environments.
Unauthenticated attackers can abuse the MCP Atlassian server to perform arbitrary outbound HTTP requests by manipulating HTTP headers, enabling credential theft from cloud instance metadata endpoints or internal network reconnaissance without requiring authentication. The vulnerability exists in the HTTP middleware layer prior to version 0.17.0, affecting Atlassian Confluence and Jira deployments. No patch is currently available.
Coral Server has a third missing authorization flaw.
Coral Server has an IDOR vulnerability enabling cross-user data access.
Coral Server open collaboration platform has a missing authorization enabling unauthenticated access to all collaboration data.
Remote code execution in the zero-shot-scfoundation AI/ML framework results from a vulnerable third-party dependency, enabling unauthenticated attackers to execute arbitrary code over the network with minimal user interaction. This high-severity vulnerability affects systems using the affected component, and no patch is currently available.
OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.
Unsafe path handling in NLTK's filestring() function enables attackers to read arbitrary files on affected iOS and AI/ML systems through improper input validation. An unauthenticated attacker can exploit this over the network by supplying directory traversal or absolute paths to access sensitive data, with particular risk in deployments exposing the function through web APIs. No patch is currently available for this high-severity vulnerability (CVSS 8.6).
Server-side request forgery in Bytedesk versions up to 1.3.9 allows authenticated attackers to manipulate the apiUrl parameter in the SpringAIGiteeRestService component, enabling them to make arbitrary network requests from the affected server. Public exploit code exists for this vulnerability, which requires valid user credentials to exploit. Users should upgrade to version 1.4.5.4 or later to remediate the issue.
Server-side request forgery in Bytedesk versions up to 1.3.9 allows authenticated attackers to manipulate the apiUrl parameter in the SpringAIOpenrouterRestController, enabling arbitrary HTTP requests from the affected server. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. Upgrading to version 1.4.5.4 or later resolves this issue.
Improper resource identifier validation in Shy2593666979 AgentChat versions up to 2.3.0 allows unauthenticated remote attackers to manipulate the user_id parameter in the user endpoint, potentially gaining unauthorized access to or modifying user data. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. No patch is currently available.
OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.
SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.
WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.
DNS rebinding in WeKnora's web_fetch tool allows authenticated attackers to bypass URL validation and access internal resources and private IP addresses on the server through malicious domains that resolve differently during validation versus execution. Public exploit code exists for this vulnerability, and versions prior to 0.3.0 are affected with no patch currently available. An attacker could leverage this to access sensitive local services and exfiltrate data from the affected system.
Weknora versions up to 0.3.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).
Tool name collision in WeKnora's MCP client integration allows remote attackers with network access to register malicious tools that overwrite legitimate ones, enabling prompt injection attacks and potential data exfiltration. An attacker exploiting this vulnerability can redirect LLM execution to steal system prompts and context data, or execute arbitrary tools with the privileges of authenticated users. This affects WeKnora versions prior to 0.3.0.
Insufficient authorization checks in WeKnora's tenant management endpoints allow any authenticated user to read, modify, or delete arbitrary tenants, with public exploit code available. Since the application allows open registration, unauthenticated attackers can register an account and exploit this flaw to perform cross-tenant account takeover and data destruction. No patch is currently available for this high-severity vulnerability affecting WeKnora AI/ML framework versions prior to 0.3.2.
The /api/health/detailed endpoint in mcp-memory-service prior to version 10.21.0 discloses sensitive system information including OS details, Python version, CPU configuration, memory metrics, and database paths to unauthenticated network users when anonymous access is enabled. Public exploit code exists for this information disclosure vulnerability, which affects deployments using the default 0.0.0.0 network binding. A patch is available in version 10.21.0 to restrict endpoint access and redact sensitive data.
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerability data. PoC available.
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attributes (CVSS 7.7).
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthenticated attackers to upload and execute malicious files. PoC available.
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoofing an internal request header, granting access to sensitive administrative functions including API key and credential management. Public exploit code exists for this vulnerability, and an attacker with valid tenant credentials can escalate to administrative privileges without additional authentication. No patch is currently available for affected deployments.
WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.
The HUMN-1 AI Website Scanner & Human Certification plugin for WordPress through version 0.0.3 fails to validate user permissions on the winston_disconnect AJAX function, allowing authenticated Subscriber-level users to disconnect the plugin's API credentials. This capability check bypass enables authenticated attackers to disrupt the plugin's functionality by resetting its API connection settings without proper authorization.
Unsafe checkout of untrusted code in Mesa's benchmarks.yml GitHub Actions workflow prior to version 3.5.1 enables arbitrary code execution with elevated privileges on CI/CD runners. An attacker can exploit this by submitting malicious pull requests to execute commands in the privileged runner environment, potentially compromising the build pipeline and downstream users. A patch is available in commit c35b8cd.
Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.
Path traversal in OpenChatBI before fix. PoC and patch available.
SQL injection in CocoIndex Doris connector before 0.3.34. Patch available.
LangBot is a global IM bot platform designed for LLMs. versions up to 4.8.7 is affected by cross-site scripting (xss) (CVSS 6.3).
animation and page builder block versions up to 12.8.3 is affected by information exposure (CVSS 5.3).
OpenClaw prior to version 2026.2.2 is vulnerable to server-side request forgery through its attachment and media URL processing, allowing unauthenticated remote attackers to make arbitrary HTTP requests to internal resources. Attackers can exploit model-controlled message features to trigger the SSRF and exfiltrate response data as outbound attachments. Public exploit code exists for this vulnerability.
OpenClaw versions before 2026.2.14 contain unprotected server-side request forgery flaws in the Feishu extension that enable remote attackers to access internal services and exfiltrate data without authentication. Attackers can exploit the sendMediaFeishu function and markdown image processing through direct manipulation or prompt injection to force the application to fetch attacker-controlled URLs and re-upload responses as Feishu media. A patch is available to remediate this network-accessible vulnerability affecting AI/ML deployments.
OpenClaw versions before 2026.2.1 fail to properly validate access controls in the Twitch plugin when role restrictions are not configured, allowing unauthenticated remote attackers to trigger agent dispatch through Twitch chat mentions. Public exploit code exists for this vulnerability, enabling attackers to invoke the agent pipeline and potentially cause unintended actions or resource exhaustion. Organizations running affected versions with the Twitch plugin enabled should apply the available patch immediately.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Arbitrary code execution in NLTK <= 3.9.2 StanfordSegmenter module. CVSS 10.0, EPSS 0.48%.
LangGraph SQLite Checkpoint versions 1.0.9 and prior are vulnerable to unsafe deserialization of msgpack-encoded objects, allowing attackers with write access to the checkpoint database to execute arbitrary code when checkpoints are loaded. This vulnerability affects Python-based AI/ML applications using LangGraph's persistence layer and requires adversary control of the backing storage to exploit. No public patch is currently available for this issue.
Unauthenticated command injection in FreePBX versions 16.0.17.2-16.0.19 and 17.0.2.4-17.0.4 via the ElevenLabs Text-to-Speech integration allows authenticated users with high privileges to execute arbitrary system commands. The vulnerability exists in the recordings module and affects all installations using the vulnerable TTS engine. No patch is currently available, leaving affected systems at risk of full system compromise.
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs. [CVSS 7.5 HIGH]
Xgrammar versions prior to 0.1.32 crash when processing multi-level nested syntax structures, causing a denial of service that halts the application. An attacker can trigger this segmentation fault remotely without authentication by submitting crafted input, disrupting any AI/ML system relying on this library for structured generation tasks. No patch is currently available for affected deployments.
Arbitrary file upload in AI Engine WordPress plugin.
LangSmith Studio contains a URL parameter injection vulnerability that allows attackers to steal authentication tokens, user IDs, and workspace credentials from users who click malicious links, enabling account takeover and unauthorized access to workspace resources. Both LangSmith Cloud and self-hosted Kubernetes deployments are affected, with exploitation requiring social engineering to trick authenticated users into clicking attacker-controlled URLs. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
Unauthorized file access in NLTK through path traversal flaws in multiple CorpusReader classes (versions up to 3.9.2) allows unauthenticated attackers to read arbitrary files on affected systems, potentially exposing SSH keys, API tokens, and other sensitive data. The vulnerability affects NLP applications and machine learning APIs that process user-controlled file inputs without proper validation. No patch is currently available.
Arbitrary file write in BentoML prior to version 1.4.36 allows local attackers to write files to arbitrary locations on the host system by crafting malicious tar archives containing symlinks that point outside the extraction directory. The vulnerability exists because the safe_extract_tarfile() function fails to validate symlink targets, only validating the symlink path itself, enabling attackers to bypass directory traversal protections. Public exploit code exists for this vulnerability; users should upgrade to version 1.4.36 or later.
Dify versions prior to 1.11.2 contain a stored cross-site scripting vulnerability in Mermaid diagram rendering due to insecure default security configurations, allowing authenticated attackers with user interaction to inject and execute malicious scripts with cross-site impact. Public exploit code exists for this vulnerability, affecting users and developers of the Dify LLM application development platform. A patch is available in version 1.11.2 and later.
Pickle deserialization RCE in Step-Video-T2V via API endpoints.
A security vulnerability has been detected in LLM-Claw 0.1.0/0.1.1/0.1.1a/0.1.1a-p1. The affected element is the function agent_deploy_init of the file /agents/deploy/initiate.c of the component Agent Deployment. [CVSS 8.8 HIGH]
AI ChatBot with ChatGPT and Content Generator by AYS (WordPress plugin) is affected by missing authorization (CVSS 5.3).
ModelScope ms-agent v1.6.0rc1 and earlier allows unauthenticated remote attackers to execute arbitrary operating system commands by injecting malicious input through prompt-derived parameters. Public exploit code exists for this vulnerability, and no patch is currently available. This command injection flaw affects AI/ML systems processing untrusted user prompts.
A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. [CVSS 6.3 MEDIUM]
Remote code injection in eosphoros-ai db-gpt 0.7.5 allows unauthenticated attackers to execute arbitrary code through malicious file uploads to the Flow Import endpoint. The vulnerability exploits unsafe module loading in the file import functionality and has public exploit code available. No patch is currently available from the vendor.
Remote OS command injection in Agions taskflow-ai up to version 2.1.8 allows authenticated remote attackers to execute arbitrary operating system commands via manipulation of the terminal_execute component in src/mcp/server/handlers.ts, with CVSS 6.3 reflecting moderate severity. Vendor-released patch is available in version 2.1.9 (commit c1550b445b9f24f38c4414e9a545f5f79f23a0fe), and the vendor responded promptly to early notification.
Missing Authorization vulnerability in massiveshift AI Workflow Automation ai-workflow-automation-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Workflow Automation: from n/a through <= 1.4.2.
Missing Authorization vulnerability in HBSS Technologies MAIO – The new AI GEO / SEO tool maio-the-new-ai-geo-seo-tool allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MAIO – The new AI GEO / SEO tool: from n/a through <= 6.2.8.
Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2.
openclaw-claude-bridge v1.1.0 incorrectly disables CLI tool access by passing --allowed-tools "" to the Claude Code subprocess, when the correct flag to disable tools is --tools. The --allowed-tools flag only controls which tools auto-approve without prompts; all CLI tools (Read, Write, Bash, WebFetch, etc.) remain nominally available. Users deploying the bridge to handle untrusted prompts or in gateway contexts may unknowingly operate without the sandboxing protections claimed in the README, exposing systems to prompt-injection attacks that could trigger arbitrary code execution in the process context. Vendor-released patch: v1.1.1 (commit 8a296f5).
JWT secret key brute-forcing in Parisneo Lollms 2.1.0 allows unauthenticated remote attackers to forge administrative tokens and achieve full system compromise. The application uses a weak secret for signing JSON Web Tokens, enabling offline attacks to recover credentials and escalate privileges to administrator level. With CVSS 9.8 (critical network-accessible attack requiring no privileges) and EPSS data unavailable, this represents a severe authentication bypass in AI/LLM management software. Fixed in version 2.2.0. No public exploit identified at time of analysis, though the attack technique (JWT cracking) is well-documented.
Remote code execution in HuggingFace Transformers library allows arbitrary code execution via malicious checkpoint files. The `_load_rng_state()` method in the `Trainer` class calls `torch.load()` without the `weights_only=True` parameter, enabling deserialization attacks when PyTorch versions below 2.6 are used with torch>=2.2. An attacker can craft a malicious `rng_state.pth` checkpoint file that executes arbitrary code when loaded by an application using affected Transformers versions. The fix is available in version v5.0.0rc3, and no public exploit has been independently confirmed at time of analysis.
LightRAG's JWT authentication can be bypassed via a hardcoded default secret 'lightrag-jwt-default-secret' when TOKEN_SECRET is not configured. Unauthenticated attackers can forge valid tokens to access protected API endpoints in installations running v1.4.10 with AUTH_ACCOUNTS enabled but TOKEN_SECRET unset. CVSS 7.5 (High) reflects network-accessible confidentiality breach with no authentication required. No public exploit identified at time of analysis, though the hardcoded secret is publicly documented in the vulnerability disclosure. EPSS data not available for this CVE.
NVIDIA APEX for Linux contains a deserialization of untrusted data vulnerability that affects environments using PyTorch versions earlier than 2.6. An attacker with low privileges on an adjacent network can exploit this flaw to achieve code execution, denial of service, privilege escalation, data tampering, and information disclosure with scope change (CVSS 9.0 Critical). No KEV listing or public POC availability has been reported at this time.
Wallos, an open-source self-hostable subscription tracker, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.7.0 that allows authenticated users to access internal network services, cloud metadata endpoints, and localhost-bound services. The vulnerability exists in three unprotected attack surfaces: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job-areas that were missed when SSRF protections were partially implemented in an earlier patch (CVE-2026-30840). An attacker with valid credentials can leverage these endpoints to reach sensitive internal resources including AWS IMDSv1, GCP, and Azure metadata services.
A deserialization vulnerability exists in PyTorch 2.10.0 within the pt2 Loading Handler component, allowing local attackers with low privileges to achieve confidentiality, integrity, and availability impacts through untrusted data processing. The vulnerability (CWE-502) is confirmed to have a publicly available exploit and has been reported to the project via pull request PR#176791, though remediation status remains unclear. With a CVSS score of 5.3 and exploitation probability marked as probable (E:P), this represents a moderate real-world risk primarily affecting local development and deployment environments.
MLflow, a popular open-source machine learning lifecycle platform, contains a path traversal vulnerability in its pyfunc extraction process that allows arbitrary file writes. The vulnerability stems from unsafe use of tarfile.extractall without proper path validation, enabling attackers to craft malicious tar.gz files with directory traversal sequences or absolute paths to write files outside the intended extraction directory. This poses critical risk in multi-tenant environments and can lead to remote code execution, with a CVSS score of 8.1 and confirmed exploit details available via Huntr.
Server-side request forgery in Vanna AI versions up to 2.0.2 allows unauthenticated remote attackers to manipulate the update_sql and run_sql endpoints in the Flask component. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
SQL injection in Vanna up to version 2.0.2 allows authenticated remote attackers to execute arbitrary SQL queries through the update_sql endpoint function. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An authenticated attacker can leverage this to read, modify, or delete database contents depending on the application's database permissions.
SQL injection in Vanna AI's BigQuery integration (versions up to 2.0.2) allows unauthenticated remote attackers to manipulate the remove_training_data function through unsanitized ID parameters. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. Successful exploitation enables attackers to read, modify, or delete database contents with limited impact on confidentiality, integrity, and availability.
A critical authentication bypass vulnerability exists in GROWI's OpenAI assistant API endpoints where authorization checks are missing, allowing any authenticated user to access and manipulate other users' AI assistant conversations. The vulnerability affects GROWI versions 7.4.5 and earlier, enabling attackers with low-level credentials to compromise confidentiality and integrity of AI assistant threads and messages by simply knowing the assistant identifier. While not currently listed in CISA KEV and with no public exploit code identified, the vulnerability carries a high CVSS score of 8.3 due to its low exploitation complexity and significant data exposure potential.
Command injection vulnerability in MLflow versions before v3.7.0 that allows attackers to execute arbitrary commands by injecting malicious input through the --container parameter when deploying models to SageMaker. The vulnerability affects MLflow installations in development environments, CI/CD pipelines, and cloud deployments, with a CVSS score of 7.5 indicating high severity. No active exploitation or KEV listing is reported, and no EPSS data is available to assess real-world exploitation likelihood.
Unauthenticated attackers can modify arbitrary WordPress posts through the User Frontend plugin (versions up to 4.2.8) due to missing authorization checks in the draft_post() function, allowing them to unpublish or alter post content. The vulnerability affects all installations of the affected plugin versions without requiring authentication or user interaction. No patch is currently available.
AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import functionality that fails to validate file paths during ZIP extraction. An authenticated attacker with high privileges can craft a malicious ZIP file containing path traversal sequences that, when imported via the community hub, extract files outside the intended directory and achieve arbitrary code execution on the server. While the CVSS score is moderate (4.2) due to high privilege requirements and user interaction, the vulnerability enables code execution and should be addressed promptly.
SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.
Command injection RCE in claude-hovercraft tool. EPSS 1.3%.
XSS in AnythingLLM 1.11.1 and earlier.
AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where the application's HTTP endpoints and WebSocket connections lack proper authentication and accept requests from any origin. While rated CVSS 7.1, exploitation is limited to attackers on the same local network due to browser Private Network Access (PNA) protections, making this a medium-priority issue for most deployments.
LibreChat versions prior to 0.8.3-rc1 contain a Denial of Service vulnerability in the DELETE /api/convos endpoint where authenticated attackers can crash the Node.js server process by sending malformed requests lacking the required req.body.arg parameter. The vulnerability exploits improper destructuring without validation, causing an unhandled TypeError that bypasses Express middleware and triggers process.exit(1), resulting in complete service unavailability. No evidence of active exploitation in the wild or public POC has been identified at this time.
LibreChat versions 0.8.2 through 0.8.2-rc3 contain an authentication bypass vulnerability in the Model Context Protocol (MCP) OAuth callback endpoint that allows attackers to steal OAuth tokens by tricking victims into completing an OAuth flow, resulting in account takeover of the victim's MCP-linked services like Atlassian and Outlook. No active exploitation is known (not in KEV), no POC is publicly available, and EPSS data is not yet available for this newly disclosed vulnerability.
Apache Livy versions 0.7.0 and 0.8.0 contain an improper input validation vulnerability (CWE-20) that allows authenticated users to bypass file access controls by injecting malicious Spark configuration values when connecting to Apache Spark 3.1 or later. An attacker with access to Livy's REST or JDBC interface can craft requests with arbitrary Spark configuration parameters to gain unauthorized access to files they do not have permissions to read or modify. This vulnerability is of moderate severity (CVSS 6.3) but requires valid authentication and is fixed in version 0.9.0 and later.
Medium severity vulnerability in See description. Hyperterse allows users to specify database queries for tools to execute under the hood. As of [v2.0.0](https://github.com/hyperterse/hyperterse/releases/tag/v2.0.0), there are only two tools exposed - `search` and `execute`.
Local attackers can achieve heap buffer overflow in llama.cpp versions before b8146 through integer overflow in the GGUF file parsing function, enabling arbitrary code execution with high integrity and confidentiality impact. The vulnerability stems from undersized heap allocation followed by unvalidated writes of over 528 bytes of attacker-controlled data, bypassing a previous fix for the same component. This affects systems running vulnerable LLM inference implementations on local machines where user interaction is required to trigger the malicious GGUF file processing.
A weakness has been identified in OpenAkita versions up to 1.24.3. is affected by command injection (CVSS 5.3).
Out of bounds memory access in WebML in Google Chrome versions up to 146.0.7680.71 is affected by out-of-bounds read (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
Integer overflow in WebML in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability (CVSS 8.8).
Heap buffer overflow in WebML in Google Chrome versions up to 146.0.7680.71 is affected by heap-based buffer overflow (CVSS 8.8).
FastGPT's Python Sandbox in versions 4.14.7 and earlier allows authenticated users to bypass file write restrictions by remapping standard output to arbitrary file descriptors via fcntl, enabling unauthorized file creation and modification within the container. The vulnerability exploits a gap between static detection and seccomp filtering, where remapped stdout still satisfies the write syscall rules. An attacker with sandbox access could create or overwrite arbitrary files despite the intended file system restrictions.
OpenBMB XAgent 1.0.0 contains a path traversal vulnerability in the workspace router that allows unauthenticated remote attackers to manipulate the file_name parameter and access or modify arbitrary files on the system. Public exploit code is available for this vulnerability, which affects the integrity and availability of the application. The vendor has not yet released a patch despite early notification of the issue.
An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. The fix adds validation of the LiveQuery subscription WHERE clause against the class's protected fields, mirroring the existing REST API validation. If a subscription's WHERE clause references a protected field directly, via dot-notation, or inside `$or` / `$and` / `$nor` operators, the subscription is rejected with a permission error. This is applied during subscription creation, so existing event delivery paths are not affected. Disable LiveQuery for classes that use `protectedFields` in their Class-Level Permissions, or remove `protectedFields` from classes that require LiveQuery. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.35
Authenticated users in PingPong versions prior to 7.27.2 can access and delete files beyond their authorization scope, potentially exposing or removing private user files and model outputs. An attacker with valid credentials and thread access can exploit improper access controls to retrieve or delete sensitive data belonging to other users. No patch is currently available for this high-severity vulnerability affecting the AI/ML teaching platform.
Auth bypass in Unity Catalog 0.4.0 and earlier.
Flowise versions prior to 3.0.13 allow unauthenticated users to trigger Server-Side Request Forgery (SSRF) attacks through improperly validated URLs in the HTTP Node component, enabling attackers to probe internal networks and cloud metadata endpoints from the Flowise server. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. Any organization running a publicly exposed Flowise instance is at immediate risk of internal network reconnaissance and potential credential theft from cloud environments.
Unauthenticated attackers can abuse the MCP Atlassian server to perform arbitrary outbound HTTP requests by manipulating HTTP headers, enabling credential theft from cloud instance metadata endpoints or internal network reconnaissance without requiring authentication. The vulnerability exists in the HTTP middleware layer prior to version 0.17.0, affecting Atlassian Confluence and Jira deployments. No patch is currently available.
Coral Server has a third missing authorization flaw.
Coral Server has an IDOR vulnerability enabling cross-user data access.
Coral Server open collaboration platform has a missing authorization enabling unauthenticated access to all collaboration data.
Remote code execution in the zero-shot-scfoundation AI/ML framework results from a vulnerable third-party dependency, enabling unauthenticated attackers to execute arbitrary code over the network with minimal user interaction. This high-severity vulnerability affects systems using the affected component, and no patch is currently available.
OneUptime prior to 10.0.20 exposes dangerous functionality in Synthetic monitoring that enables code execution.
Unsafe path handling in NLTK's filestring() function enables attackers to read arbitrary files on affected iOS and AI/ML systems through improper input validation. An unauthenticated attacker can exploit this over the network by supplying directory traversal or absolute paths to access sensitive data, with particular risk in deployments exposing the function through web APIs. No patch is currently available for this high-severity vulnerability (CVSS 8.6).
Server-side request forgery in Bytedesk versions up to 1.3.9 allows authenticated attackers to manipulate the apiUrl parameter in the SpringAIGiteeRestService component, enabling them to make arbitrary network requests from the affected server. Public exploit code exists for this vulnerability, which requires valid user credentials to exploit. Users should upgrade to version 1.4.5.4 or later to remediate the issue.
Server-side request forgery in Bytedesk versions up to 1.3.9 allows authenticated attackers to manipulate the apiUrl parameter in the SpringAIOpenrouterRestController, enabling arbitrary HTTP requests from the affected server. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. Upgrading to version 1.4.5.4 or later resolves this issue.
Improper resource identifier validation in Shy2593666979 AgentChat versions up to 2.3.0 allows unauthenticated remote attackers to manipulate the user_id parameter in the user endpoint, potentially gaining unauthorized access to or modifying user data. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. No patch is currently available.
OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS 9.9 with scope change. PoC available.
SQL injection in WeKnora LLM document understanding framework allows authenticated users to extract arbitrary database contents. CVSS 9.9 with scope change. PoC available.
WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.
DNS rebinding in WeKnora's web_fetch tool allows authenticated attackers to bypass URL validation and access internal resources and private IP addresses on the server through malicious domains that resolve differently during validation versus execution. Public exploit code exists for this vulnerability, and versions prior to 0.3.0 are affected with no patch currently available. An attacker could leverage this to access sensitive local services and exfiltrate data from the affected system.
Weknora versions up to 0.3.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).
Tool name collision in WeKnora's MCP client integration allows remote attackers with network access to register malicious tools that overwrite legitimate ones, enabling prompt injection attacks and potential data exfiltration. An attacker exploiting this vulnerability can redirect LLM execution to steal system prompts and context data, or execute arbitrary tools with the privileges of authenticated users. This affects WeKnora versions prior to 0.3.0.
Insufficient authorization checks in WeKnora's tenant management endpoints allow any authenticated user to read, modify, or delete arbitrary tenants, with public exploit code available. Since the application allows open registration, unauthenticated attackers can register an account and exploit this flaw to perform cross-tenant account takeover and data destruction. No patch is currently available for this high-severity vulnerability affecting WeKnora AI/ML framework versions prior to 0.3.2.
The /api/health/detailed endpoint in mcp-memory-service prior to version 10.21.0 discloses sensitive system information including OS details, Python version, CPU configuration, memory metrics, and database paths to unauthenticated network users when anonymous access is enabled. Public exploit code exists for this information disclosure vulnerability, which affects deployments using the default 0.0.0.0 network binding. A patch is available in version 10.21.0 to restrict endpoint access and redact sensitive data.
Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerability data. PoC available.
Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).
Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attributes (CVSS 7.7).
Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthenticated attackers to upload and execute malicious files. PoC available.
Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoofing an internal request header, granting access to sensitive administrative functions including API key and credential management. Public exploit code exists for this vulnerability, and an attacker with valid tenant credentials can escalate to administrative privileges without additional authentication. No patch is currently available for affected deployments.
WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.
The HUMN-1 AI Website Scanner & Human Certification plugin for WordPress through version 0.0.3 fails to validate user permissions on the winston_disconnect AJAX function, allowing authenticated Subscriber-level users to disconnect the plugin's API credentials. This capability check bypass enables authenticated attackers to disrupt the plugin's functionality by resetting its API connection settings without proper authorization.
Unsafe checkout of untrusted code in Mesa's benchmarks.yml GitHub Actions workflow prior to version 3.5.1 enables arbitrary code execution with elevated privileges on CI/CD runners. An attacker can exploit this by submitting malicious pull requests to execute commands in the privileged runner environment, potentially compromising the build pipeline and downstream users. A patch is available in commit c35b8cd.
Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.
Path traversal in OpenChatBI before fix. PoC and patch available.
SQL injection in CocoIndex Doris connector before 0.3.34. Patch available.
LangBot is a global IM bot platform designed for LLMs. versions up to 4.8.7 is affected by cross-site scripting (xss) (CVSS 6.3).
animation and page builder block versions up to 12.8.3 is affected by information exposure (CVSS 5.3).
OpenClaw prior to version 2026.2.2 is vulnerable to server-side request forgery through its attachment and media URL processing, allowing unauthenticated remote attackers to make arbitrary HTTP requests to internal resources. Attackers can exploit model-controlled message features to trigger the SSRF and exfiltrate response data as outbound attachments. Public exploit code exists for this vulnerability.
OpenClaw versions before 2026.2.14 contain unprotected server-side request forgery flaws in the Feishu extension that enable remote attackers to access internal services and exfiltrate data without authentication. Attackers can exploit the sendMediaFeishu function and markdown image processing through direct manipulation or prompt injection to force the application to fetch attacker-controlled URLs and re-upload responses as Feishu media. A patch is available to remediate this network-accessible vulnerability affecting AI/ML deployments.
OpenClaw versions before 2026.2.1 fail to properly validate access controls in the Twitch plugin when role restrictions are not configured, allowing unauthenticated remote attackers to trigger agent dispatch through Twitch chat mentions. Public exploit code exists for this vulnerability, enabling attackers to invoke the agent pipeline and potentially cause unintended actions or resource exhaustion. Organizations running affected versions with the Twitch plugin enabled should apply the available patch immediately.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Arbitrary code execution in NLTK <= 3.9.2 StanfordSegmenter module. CVSS 10.0, EPSS 0.48%.
LangGraph SQLite Checkpoint versions 1.0.9 and prior are vulnerable to unsafe deserialization of msgpack-encoded objects, allowing attackers with write access to the checkpoint database to execute arbitrary code when checkpoints are loaded. This vulnerability affects Python-based AI/ML applications using LangGraph's persistence layer and requires adversary control of the backing storage to exploit. No public patch is currently available for this issue.
Unauthenticated command injection in FreePBX versions 16.0.17.2-16.0.19 and 17.0.2.4-17.0.4 via the ElevenLabs Text-to-Speech integration allows authenticated users with high privileges to execute arbitrary system commands. The vulnerability exists in the recordings module and affects all installations using the vulnerable TTS engine. No patch is currently available, leaving affected systems at risk of full system compromise.
An Arbitrary File Read vulnerability exists in the ImageTextPromptValue class in Exploding Gradients RAGAS v0.2.3 to v0.2.14. The vulnerability stems from improper validation and sanitization of URLs supplied in the retrieved_contexts parameter when handling multimodal inputs. [CVSS 7.5 HIGH]
Xgrammar versions prior to 0.1.32 crash when processing multi-level nested syntax structures, causing a denial of service that halts the application. An attacker can trigger this segmentation fault remotely without authentication by submitting crafted input, disrupting any AI/ML system relying on this library for structured generation tasks. No patch is currently available for affected deployments.
Arbitrary file upload in AI Engine WordPress plugin.
LangSmith Studio contains a URL parameter injection vulnerability that allows attackers to steal authentication tokens, user IDs, and workspace credentials from users who click malicious links, enabling account takeover and unauthorized access to workspace resources. Both LangSmith Cloud and self-hosted Kubernetes deployments are affected, with exploitation requiring social engineering to trick authenticated users into clicking attacker-controlled URLs. No patch is currently available for this high-severity vulnerability (CVSS 8.1).
Unauthorized file access in NLTK through path traversal flaws in multiple CorpusReader classes (versions up to 3.9.2) allows unauthenticated attackers to read arbitrary files on affected systems, potentially exposing SSH keys, API tokens, and other sensitive data. The vulnerability affects NLP applications and machine learning APIs that process user-controlled file inputs without proper validation. No patch is currently available.
Arbitrary file write in BentoML prior to version 1.4.36 allows local attackers to write files to arbitrary locations on the host system by crafting malicious tar archives containing symlinks that point outside the extraction directory. The vulnerability exists because the safe_extract_tarfile() function fails to validate symlink targets, only validating the symlink path itself, enabling attackers to bypass directory traversal protections. Public exploit code exists for this vulnerability; users should upgrade to version 1.4.36 or later.
Dify versions prior to 1.11.2 contain a stored cross-site scripting vulnerability in Mermaid diagram rendering due to insecure default security configurations, allowing authenticated attackers with user interaction to inject and execute malicious scripts with cross-site impact. Public exploit code exists for this vulnerability, affecting users and developers of the Dify LLM application development platform. A patch is available in version 1.11.2 and later.
Pickle deserialization RCE in Step-Video-T2V via API endpoints.
A security vulnerability has been detected in LLM-Claw 0.1.0/0.1.1/0.1.1a/0.1.1a-p1. The affected element is the function agent_deploy_init of the file /agents/deploy/initiate.c of the component Agent Deployment. [CVSS 8.8 HIGH]
AI ChatBot with ChatGPT and Content Generator by AYS (WordPress plugin) is affected by missing authorization (CVSS 5.3).
ModelScope ms-agent v1.6.0rc1 and earlier allows unauthenticated remote attackers to execute arbitrary operating system commands by injecting malicious input through prompt-derived parameters. Public exploit code exists for this vulnerability, and no patch is currently available. This command injection flaw affects AI/ML systems processing untrusted user prompts.
A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. [CVSS 6.3 MEDIUM]
Remote code injection in eosphoros-ai db-gpt 0.7.5 allows unauthenticated attackers to execute arbitrary code through malicious file uploads to the Flow Import endpoint. The vulnerability exploits unsafe module loading in the file import functionality and has public exploit code available. No patch is currently available from the vendor.