AI / ML

Lunary contains a vulnerability that allows attackers to delete prompts created in other organizations through ID manipulation (CVSS 6.5).

Local File Inclusion in parisneo/lollms-webui /reinstall_extension endpoint allows authenticated users to include arbitrary local files. EPSS 0.26%.

Unauthenticated clients can invoke resource-intensive Socket.IO events in lollms 5.9.0 due to missing authentication checks in the event handler registration, allowing attackers to trigger denial of service and state corruption. The vulnerability is compounded by improper use of global state flags in multi-client environments, enabling attackers to interfere with legitimate client operations and manipulate server state through race conditions. No patch is currently available for this high-severity flaw affecting the AI/ML framework.

Multiple command injection vulnerabilities in CAI (Cybersecurity AI) framework up to 0.5.10 allow OS command execution through the security testing platform.

SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. [CVSS 8.6 HIGH]

Remote code execution in AutoGPT Platform prior to v0.6.44 allows authenticated users to execute disabled blocks and write arbitrary Python code to the server filesystem. The vulnerability stems from insufficient validation of the disabled flag in block execution endpoints, enabling attackers to achieve code execution via the BlockInstallationBlock component. Public exploit code exists, and self-hosted instances with Supabase signup enabled are particularly vulnerable to account creation and exploitation.

An input validation vulnerability in the flow.Tensor.new_empty/flow.Tensor.new_ones/flow.Tensor.new_zeros component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.2 MEDIUM]

An input validation vulnerability in the flow.scatter/flow.scatter_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted indices. [CVSS 6.2 MEDIUM]

Oneflow versions up to 0.9.0 contains a vulnerability that allows attackers to cause a Denial of Service (DoS) via a crafted input (CVSS 6.2).

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]

A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]

A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. [CVSS 4.4 MEDIUM]

A segmentation violation in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Discourse is an open source discussion platform. [CVSS 5.4 MEDIUM]

An issue in the flow.cuda.BoolTensor component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]

A GPU device-ID validation flaw in the flow.cuda.get_device_capability() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted device ID. [CVSS 7.5 HIGH]

A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a Denial of Dervice (DoS) by invoking flow.cuda.get_device_properties() with an invalid or negative device index. [CVSS 7.5 HIGH]

A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index. [CVSS 7.5 HIGH]

A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]

A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value. [CVSS 7.5 HIGH]

A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero. [CVSS 6.5 MEDIUM]

A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted tensor shapes. [CVSS 7.5 HIGH]

Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.

vLLM before version 0.14.1 contains a server-side request forgery vulnerability in the MediaConnector class where inconsistent URL parsing between libraries allows attackers to bypass host restrictions and force the server to make arbitrary requests to internal network resources. Public exploit code exists for this vulnerability, which poses significant risk in containerized environments where a compromised vLLM instance could be leveraged to access restricted internal systems. The vulnerability affects users running vLLM's multimodal features with untrusted input.

Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary files from the server filesystem. PoC available, patch available.

PyTorch is a Python package that provides tensor computation. [CVSS 8.8 HIGH]

The AI Engine plugin for WordPress versions up to 3.3.2 contains a server-side request forgery vulnerability in the 'get_audio' function that allows authenticated subscribers and higher-privileged users to make arbitrary web requests from the server. When the Public API setting is enabled and allow_url_fopen is active, attackers can query and modify data on internal services accessible to the web application. No patch is currently available for this vulnerability.

NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through crafted workflow expressions.

AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity.

Anythingllm versions up to 1.10.0 contains a vulnerability that allows attackers to complete compromise of the semantic search / retrieval functionality and indirec (CVSS 7.5).

BentoML versions prior to 1.4.34 allow path traversal attacks through improperly validated file path fields in bentofile.yaml configurations, enabling attackers to embed arbitrary files from the victim's system into bento archives during the build process. This vulnerability can be exploited to exfiltrate sensitive data such as credentials, SSH keys, and environment variables into supply chain artifacts that may be pushed to registries or deployed in production environments. A patch is available in version 1.4.34.

Arbitrary file upload in Kalrav AI Agent WordPress plugin due to missing file type validation in the kalrav_upload_file AJAX action.

Stored XSS in ChatterMate AI chatbot framework versions 1.0.8 and below. The chatbot accepts and renders malicious HTML/JavaScript from user input. PoC and patch available.

WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp is affected by missing authorization (CVSS 4.3).

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]

Upsonic has an insecure deserialization via cloudpickle (EPSS 1.3%) enabling remote code execution through crafted serialized AI agent data.

Remote code execution in Langflow's disk cache service allows authenticated attackers to execute arbitrary code by exploiting improper deserialization of untrusted data. The vulnerability affects Langflow installations and requires valid authentication credentials to exploit, enabling attackers to gain code execution within the service account context. No patch is currently available.

Langflow's PythonFunction component allows authenticated attackers with user interaction to inject and execute arbitrary Python code within application workflows, achieving remote code execution. The vulnerability affects Langflow deployments using Python-based AI/ML components, with exploitation feasibility depending on specific product configurations. No patch is currently available.

Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes in the application's global scope.

Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted custom component definitions.

Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the visual AI workflow builder.

Remote code execution in Open WebUI through the load_tool_module_by_id function allows authenticated attackers to execute arbitrary Python code due to insufficient input validation on user-supplied strings. An attacker with valid credentials can leverage this vulnerability to achieve code execution with service account privileges. No patch is currently available, making this a critical risk for deployed Open WebUI instances.

Remote code execution in Open WebUI's install_frontmatter_requirements function allows authenticated attackers to execute arbitrary commands on the host system by bypassing input validation in system call parameters. The vulnerability affects AI/ML deployments using Open WebUI and requires valid authentication credentials to exploit. No patch is currently available.

GPT Academic has a second insecure deserialization vulnerability in the upload function (EPSS 1.5%) allowing remote code execution through crafted file uploads.

GPT Academic has an insecure deserialization in run_in_subprocess_wrapper_func (EPSS 1.7%) enabling remote code execution through crafted subprocess data.

Remote code execution in GPT Academic's stream_daas function results from improper deserialization of untrusted data when communicating with external servers, allowing unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability requires interaction with a malicious DAAS server and currently has no available patch. Organizations using GPT Academic should implement network controls to restrict connections to untrusted DAAS services until patching is available.

MetaGPT has a code injection vulnerability in actionoutput_str_to_mapping (EPSS 2.6%) allowing remote attackers to execute arbitrary code through crafted AI agent output processing.

MetaGPT by Foundation Agents has an insecure deserialization in deserialize_message (EPSS 1.7%) enabling remote code execution through crafted serialized data in AI agent communications.

Katana Network Development Starter Kit has a command injection in executeCommand enabling remote code execution through the development framework.

mcp-server-siri-shortcuts fails to validate the shortcutName parameter before using it in system calls, enabling local attackers with low-privileged code execution to inject arbitrary commands and escalate to service account privileges. This command injection vulnerability (CVE-2026-0758, CVSS 7.8) affects the AI/ML tool and currently lacks a patch. An attacker exploiting this flaw can execute arbitrary code with elevated privileges on the affected system.

MCP Manager for Claude Desktop is vulnerable to command injection through improperly validated MCP config objects, enabling remote attackers to escape the sandbox and execute arbitrary code on affected systems. The vulnerability requires user interaction such as visiting a malicious page or opening a malicious file, and currently lacks an available patch. An attacker can leverage this flaw to achieve code execution with medium integrity privileges in the context of the running process.

github-kanban-mcp-server has a command injection in execAsync (EPSS 1.0%) enabling remote code execution on developer machines using the GitHub Kanban MCP integration.

gemini-mcp-tool has a command injection in execAsync allowing remote code execution on systems using the Gemini AI MCP integration.

Ollama MCP Server has a command injection vulnerability in execAsync (EPSS 1.0%) allowing remote attackers to execute arbitrary commands on systems running the Ollama AI integration.

Framelink Figma MCP Server has a command injection vulnerability in fetchWithRetry (EPSS 1.4%) enabling remote code execution on developer machines using the MCP integration.

Information disclosure in Microsoft 365 Word Copilot enables unauthenticated attackers to extract sensitive data through improper handling of escape and control sequences in network communications. The vulnerability requires user interaction to trigger and affects the Copilot AI/ML service with a CVSS score of 7.4. No patch is currently available.

Unauthenticated attackers can remotely access sensitive information in Microsoft Copilot Studio due to improper access controls, requiring no authentication or user interaction. This network-based vulnerability exposes confidential data to unauthorized disclosure with no patch currently available.

Sentencepiece versions below 0.2.1 are vulnerable to memory corruption when processing specially crafted model files, allowing local authenticated attackers to crash the application or potentially execute arbitrary code. This vulnerability requires a malicious model file that deviates from standard training procedures, affecting AI/ML applications that use vulnerable Sentencepiece libraries. No patch is currently available.

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. [CVSS 7.4 HIGH]

Langfuse versions 3.146.0 and below allow unauthenticated attackers to hijack Slack OAuth integrations by injecting arbitrary projectIds into the /api/public/slack/install endpoint, enabling them to bind malicious Slack workspaces to any project and intercept prompt management data. An attacker can replace existing Prompt Slack Automations or pre-register malicious integrations that execute when authenticated users unknowingly configure them. Public exploit code exists for this vulnerability, which affects the DNS and AI/ML components of the Langfuse platform.

Grist spreadsheet software has an injection vulnerability in Python formula execution that allows authenticated users to escape the formula sandbox and execute arbitrary code.

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 8.8 HIGH]

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]

vLLM is an inference and serving engine for large language models (LLMs). [CVSS 8.8 HIGH]

Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious repositories that redirect API calls to attacker-controlled servers before the trust confirmation dialog appears. When a victim opens an infected repository, the tool automatically reads malicious configuration settings and sends API requests containing credentials before displaying any security prompt, enabling credential theft. Users should upgrade to version 2.0.65 or later, though auto-update users have already received the patch.

SQLBot is an intelligent data query system based on a large language model and RAG. [CVSS 6.1 MEDIUM]

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata [CVSS 7.5 HIGH]

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder [CVSS 7.5 HIGH]

PLY (Python Lex-Yacc) library 3.11 has an unsafe feature enabling remote code execution through pickle deserialization of cached parser tables, with EPSS 0.91%.

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Chainlit versions before 2.9.4 with SQLAlchemy backend contain a server-side request forgery vulnerability in the project element update endpoint that allows authenticated attackers to make arbitrary HTTP requests from the server. Public exploit code exists for this vulnerability, enabling attackers to reach internal network services, cloud metadata endpoints, and store responses through the configured storage system. The vulnerability affects AI/ML applications using vulnerable Chainlit deployments and currently has no available patch.

Authenticated users in Chainlit versions before 2.9.4 can read arbitrary files accessible to the Chainlit service through a path traversal flaw in the element update endpoint. By crafting a malicious Element with a custom path, an attacker retrieves file contents via the /project/file API, enabling disclosure of sensitive data. Public exploit code exists for this vulnerability and no patch is currently available.

Improper permission validation in CrawlChat versions prior to 0.0.8 allows unauthenticated Discord guild members to inject malicious content into the bot's knowledge base through the jigsaw emoji feature, enabling attackers to manipulate chatbot responses across all integrations and redirect users to malicious sites. The vulnerability affects the AI/ML platform's ability to maintain knowledge base integrity, as normal users can bypass intended admin-only controls. Public exploit code exists for this issue, though a patch is available.

ChatterBot versions through 1.2.10 suffer from denial-of-service vulnerabilities due to improper connection pool management that allows attackers to exhaust database connections through concurrent requests to the get_response() method, causing persistent service unavailability. Public exploit code exists for this vulnerability, which affects all deployments of the affected ChatterBot versions and requires manual service restart to recover. ChatterBot 1.2.11 addresses this issue.

Stored XSS in LobeChat's Mermaid artifact renderer prior to version 2.0.0-next.180 enables attackers to execute arbitrary JavaScript, which can be escalated to remote code execution through the exposed electronAPI IPC bridge to run system commands. This affects users of the open source chat platform running vulnerable versions, requiring local interaction and high privileges to exploit but resulting in full system compromise. No patch is currently available.

Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox restrictions and execute arbitrary code on the underlying operating system, with full instance takeover possible in Internal execution mode. Public exploit code exists for this vulnerability, which affects n8n deployments running under Internal execution mode where the Python executor has direct OS access. External execution mode deployments using Docker sidecars have reduced impact as code execution is confined to the container rather than the main node.

MCPJam Inspector versions 1.4.2 and earlier allow unauthenticated remote code execution through missing authentication in the MCP server debugging platform, with EPSS 17.2% indicating active scanning.

Dask distributed is a distributed task scheduler for Dask. [CVSS 6.1 MEDIUM]

Dive, an MCP Host Desktop Application for LLM integration, allows code injection prior to version 0.13.0 through malicious tool responses, enabling attackers to execute arbitrary code on the user's machine.

TheLibrarian's web_fetch tool can expose the Adminer interface, enabling unauthenticated remote attackers to obtain credentials for the internal backend system. This high-severity vulnerability affects AI/ML deployments and TheLibrarian installations, with no patch currently available. An attacker with network access could leverage the exposed interface to gain unauthorized administrative access to the backend infrastructure.

The Librarian's web_fetch tool can access the supervisord status page, exposing information about running backend processes to unauthenticated remote attackers. This information disclosure vulnerability (CVSS 7.3) affects AI/ML deployments and could enable attackers to map internal service architecture and identify targets for further exploitation. No patch is currently available for this vulnerability.

The Librarian's web_fetch tool can be exploited via SSRF to perform unauthorized GET requests against internal IP addresses and cloud services within the Hertzner environment, allowing attackers to conduct port scanning and reconnaissance of the infrastructure. This unauthenticated network-based attack requires no user interaction and could expose sensitive internal services and their configurations. While the vendor has released patches, exploitation remains possible on unpatched instances.

The Librarian's web_fetch tool permits attackers to retrieve arbitrary external content and proxy requests through the application's infrastructure without authentication, resulting in information disclosure. This network-accessible vulnerability affects all versions of The Librarian AI/ML product and has high severity due to its ease of exploitation and potential for infrastructure abuse. A vendor patch is currently unavailable.

The All in One SEO - Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. [CVSS 4.3 MEDIUM]

SparkyFitness v0.15.8.2 is vulnerable to Cross Site Scripting (XSS) via user input and LLM output. [CVSS 6.1 MEDIUM]