Localgpt
Prompt injection in PromtEngineer localGPT allows unauthenticated remote attackers to manipulate LLM behavior via crafted inputs to the _route_using_overviews function. Publicly available exploit code exists (GitHub). The vulnerability affects all versions up to commit 4d41c7d17, with CVSS 7.3 indicating moderate confidentiality, integrity, and availability impact. EPSS data is not available, but the combination of a network-accessible attack vector, low complexity (AC:L), no authentication requirement (PR:N), and a public PoC elevates real-world risk for installations exposed to untrusted input.
Unrestricted file upload in PromtEngineer localGPT allows remote attackers to upload arbitrary files via the do_POST function in backend/server.py, enabling potential remote code execution or system compromise. The vulnerability affects all versions up to commit 4d41c7d1713b16b216d8e062e51a5dd88b20b054, impacts unauthenticated remote users, and publicly available exploit code exists. The vendor has not responded to early disclosure attempts, leaving the product unpatched.
Authentication bypass in PromtEngineer localGPT affects the LocalGPTHandler API endpoint in backend/server.py, allowing unauthenticated remote attackers to access protected functionality with low confidentiality, integrity, and availability impact. The vulnerability stems from improper validation of the BaseHTTPRequestHandler argument, enabling attackers to manipulate request handling without credentials. No public exploit code or active exploitation has been confirmed, though the vendor has not responded to disclosure efforts.