Ollama

16 CVEs (product)

CVE-2026-7020 Go LOW Monitor

Path traversal vulnerability in Ollama up to version 0.20.2 affects the digestToPath function in the Tensor Model Transfer Handler. A remote attacker can, at high attack complexity, manipulate the digest argument and traverse the filesystem. Public exploit code exists, though the vendor has not acknowledged disclosure attempts. The 6.3 score cited in the advisory text reflects low confidentiality, integrity, and availability impact, limited by high attack complexity and no scope change; the CVSS 4.0 base score listed below is 2.9.

Tags: Path Traversal, Ollama
Sources: NVD, VulDB
CVSS 4.0: 2.9 · EPSS: 0.0%
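The digestToPath flaw above is the usual shape of a path traversal: a caller-controlled identifier is spliced into a filesystem path without first being constrained to the one form it is allowed to take. The Go example below is added here to show that bug class next to its fix; it is not Ollama's code. The blobsDir location, the `sha256-<hex>` on-disk naming, and the digestRe allowlist are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// blobsDir is an assumed local blob store for this example; every blob is
// expected to live directly under it as "sha256-<64 hex chars>".
const blobsDir = "/var/lib/ollama/blobs"

// digestRe pins the only shape a digest argument may take. Anything else
// (path separators, "..", uppercase hex, other algorithms) is rejected.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

var ErrBadDigest = errors.New("invalid digest")

// unsafeDigestToPath reproduces the bug class: the caller-controlled digest is
// spliced into a path with no validation, so "../../../../etc/passwd" ends up
// outside blobsDir once filepath.Join cleans the result.
func unsafeDigestToPath(digest string) string {
	return filepath.Join(blobsDir, strings.Replace(digest, ":", "-", 1))
}

// safeDigestToPath accepts only a well-formed sha256 digest, builds the path,
// and then confirms the result still lies inside blobsDir. The second check is
// deliberately redundant: it keeps the function safe even if the regexp is
// loosened later.
func safeDigestToPath(digest string) (string, error) {
	if !digestRe.MatchString(digest) {
		return "", ErrBadDigest
	}
	p := filepath.Join(blobsDir, strings.Replace(digest, ":", "-", 1))
	if !isInside(blobsDir, p) {
		return "", ErrBadDigest
	}
	return p, nil
}

// isInside reports whether p is base itself or a descendant of base.
func isInside(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	good := "sha256:" + strings.Repeat("ab", 32)
	for _, d := range []string{good, "../../../../etc/passwd", "sha256:../../manifests/x"} {
		p, err := safeDigestToPath(d)
		fmt.Printf("%-40q unsafe=%s safe=%q err=%v\n", d, unsafeDigestToPath(d), p, err)
	}
}
```

The allowlist does the real work; the containment check is there so a future change to the regexp (say, adding another hash algorithm) cannot silently reopen the hole.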
CVE-2026-5530 MEDIUM This Month

Server-side request forgery in Ollama's Model Pull API (server/download.go) allows an authenticated remote attacker to manipulate file processing and trigger SSRF, affecting Ollama versions up to 18.1. The advisory text cites a CVSS score of 6.3 with moderate impact on confidentiality, integrity, and availability; the CVSS 4.0 base score listed below is 5.3. No public exploit code or active exploitation has been confirmed, and the vendor has not responded to early disclosure attempts.

Tags: SSRF, Ollama
Sources: NVD, VulDB
CVSS 4.0: 5.3 · EPSS: 0.0%
CVE-2026-33401 HIGH PATCH This Week

Wallos, an open-source self-hostable subscription tracker, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 4.7.0 that allows authenticated users to reach internal network services, cloud metadata endpoints, and localhost-bound services. The vulnerability exists in three unprotected attack surfaces: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job, areas that were missed when SSRF protections were partially implemented in an earlier patch (CVE-2026-30840). An attacker with valid credentials can use these endpoints to reach sensitive internal resources, including the AWS IMDSv1 endpoint and the GCP and Azure metadata services.

Tags: SSRF, Microsoft, Ollama, AI / ML
Sources: NVD, GitHub, VulDB
CVSS 4.0: 7.1 · EPSS: 0.0%
CVE-2025-15063 CRITICAL Act Now

Ollama MCP Server has a command injection vulnerability in execAsync that allows remote attackers to execute arbitrary commands on systems running the Ollama AI integration.

Tags: RCE, Command Injection, AI / ML, Ollama
Sources: NVD
CVSS 3.0: 9.8 · EPSS: 1.0%
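Command injection through an exec helper such as execAsync nearly always comes from handing a shell one string that contains request data. The Go example below is added to put the vulnerable shape beside the hardened one; it is not the Ollama MCP Server's code (that project is not written in Go). The `ollama run <model>` invocation, the modelNameRe allowlist, and the timeout are assumptions of the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"time"
)

// modelNameRe is the allowlist this example applies to a model reference such
// as "llama3.2:3b" or "library/qwen2.5:7b-instruct". It is an assumption of
// the example, not the MCP server's rule; the point is that no shell
// metacharacter (space, ";", "$", "`", "|", "&") can match it.
var modelNameRe = regexp.MustCompile(
	`^[A-Za-z0-9][A-Za-z0-9._-]*(/[A-Za-z0-9][A-Za-z0-9._-]*)*(:[A-Za-z0-9][A-Za-z0-9._-]*)?$`)

var ErrBadModelName = errors.New("model name rejected")

// unsafeShellLine is the vulnerable shape: request data is concatenated into a
// single string destined for a shell (`sh -c`), so "llama3; id" runs two
// commands. It only returns the line; nothing in this file executes it.
func unsafeShellLine(model string) string {
	return "ollama run " + model
}

// buildRunCommand is the hardened equivalent. The name is validated against the
// allowlist and then passed as one argv element, so the kernel receives
// ["ollama", "run", model] with no shell in between. The caller owns ctx, and
// a deadline on it kills a hung model process.
func buildRunCommand(ctx context.Context, model string) (*exec.Cmd, error) {
	if !modelNameRe.MatchString(model) {
		return nil, fmt.Errorf("%w: %q", ErrBadModelName, model)
	}
	return exec.CommandContext(ctx, "ollama", "run", model), nil
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()
	for _, m := range []string{"llama3.2:3b", "llama3; id", "$(id)", "../evil"} {
		fmt.Printf("shell line would be: %q\n", unsafeShellLine(m))
		cmd, err := buildRunCommand(ctx, m)
		if err != nil {
			fmt.Println("  rejected:", err)
			continue
		}
		fmt.Printf("  argv: %q\n", cmd.Args)
	}
}
```

Passing the model name as its own argv element is what removes the injection; the allowlist is a second layer that also keeps flags (a name starting with "-") and path segments out of the argument.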
CVE-2025-66960 PyPI HIGH POC This Week

An issue in ollama v0.12.10 allows a remote attacker to cause a denial of service via fs/ggml/gguf.go: the function readGGUFV1String reads a string length from untrusted GGUF metadata.

Tags: Denial Of Service, AI / ML, Ollama, Red Hat, Suse
Sources: NVD, GitHub
CVSS 3.1: 7.5 (HIGH) · EPSS: 0.3%
CVE-2025-66959 PyPI HIGH POC This Week

An issue in ollama v0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder.

Tags: Denial Of Service, AI / ML, Ollama, Red Hat, Suse
Sources: NVD, GitHub
CVSS 3.1: 7.5 (HIGH) · EPSS: 0.3%
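CVE-2025-66960 and CVE-2025-66959 above are both decoder failures on attacker-supplied GGUF metadata: a length or count field is trusted and drives an allocation before anyone checks whether that many bytes exist. The Go example below is added to show the bounded reading discipline that closes both; it is not Ollama's fs/ggml code. It decodes a deliberately reduced header (magic, version, pair count, then key/value strings with uint32 length prefixes) rather than the full GGUF format, and the maxStringLen and maxKVCount ceilings are assumptions of the example. The hostile inputs are constructed samples.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Ceilings for this example. Real metadata strings (model names, chat
// templates, vocab entries) and key counts sit far below them; the exact
// values are assumptions here, not numbers from the GGUF specification.
const (
	maxStringLen = 1 << 20 // 1 MiB per string
	maxKVCount   = 1 << 16 // key/value pairs per file
)

var (
	ErrStringTooLong  = errors.New("gguf: metadata string exceeds limit")
	ErrTooManyEntries = errors.New("gguf: metadata entry count exceeds limit")
	ErrBadMagic       = errors.New("gguf: bad magic")
)

// sizedReader lets the decoder compare a claimed length with the bytes that
// are actually left; bytes.Reader and strings.Reader both satisfy it.
type sizedReader interface {
	io.Reader
	Len() int
}

// readV1String reads a uint32 length prefix and then that many bytes (the v1
// string layout). The two checks before make() are the fix: a hostile
// 0xFFFFFFFF length is refused before any allocation, and a length beyond the
// remaining input fails with io.ErrUnexpectedEOF instead of a 4 GiB buffer.
func readV1String(r sizedReader) (string, error) {
	var n uint32
	if err := binary.Read(r, binary.LittleEndian, &n); err != nil {
		return "", err
	}
	if n > maxStringLen {
		return "", ErrStringTooLong
	}
	if int64(n) > int64(r.Len()) {
		return "", io.ErrUnexpectedEOF
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return "", err
	}
	return string(buf), nil
}

// parseMetadata decodes the reduced header used only in this example: "GGUF"
// magic, uint32 version, uint32 pair count, then key/value string pairs.
func parseMetadata(r sizedReader) (map[string]string, error) {
	var magic [4]byte
	if _, err := io.ReadFull(r, magic[:]); err != nil {
		return nil, err
	}
	if string(magic[:]) != "GGUF" {
		return nil, ErrBadMagic
	}
	var version, count uint32
	if err := binary.Read(r, binary.LittleEndian, &version); err != nil {
		return nil, err
	}
	if err := binary.Read(r, binary.LittleEndian, &count); err != nil {
		return nil, err
	}
	// Every pair needs at least two 4-byte length fields, so a count that
	// cannot fit in the remaining bytes is refused before make(map, count).
	if count > maxKVCount || int64(count)*8 > int64(r.Len()) {
		return nil, ErrTooManyEntries
	}
	kv := make(map[string]string, count)
	for i := uint32(0); i < count; i++ {
		k, err := readV1String(r)
		if err != nil {
			return nil, fmt.Errorf("entry %d key: %w", i, err)
		}
		v, err := readV1String(r)
		if err != nil {
			return nil, fmt.Errorf("entry %d (%q) value: %w", i, k, err)
		}
		kv[k] = v
	}
	return kv, nil
}

// rawHeader assembles magic, version 1, the given count and an arbitrary body;
// the constructed hostile samples are built with it.
func rawHeader(count uint32, body ...byte) []byte {
	var b bytes.Buffer
	b.WriteString("GGUF")
	binary.Write(&b, binary.LittleEndian, uint32(1))
	binary.Write(&b, binary.LittleEndian, count)
	b.Write(body)
	return b.Bytes()
}

// encodeMetadata builds an honest header for the reduced format above.
func encodeMetadata(pairs [][2]string) []byte {
	var body bytes.Buffer
	for _, p := range pairs {
		for _, s := range p {
			binary.Write(&body, binary.LittleEndian, uint32(len(s)))
			body.WriteString(s)
		}
	}
	return rawHeader(uint32(len(pairs)), body.Bytes()...)
}

func main() {
	samples := [][2]any{ // constructed inputs
		{"honest", encodeMetadata([][2]string{{"general.architecture", "llama"}, {"general.name", "tiny"}})},
		{"4 GiB string", rawHeader(1, 0xFF, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0)},
		{"4 billion pairs", rawHeader(0xFFFFFFFF)},
		{"truncated", rawHeader(1, 10, 0, 0, 0, 'a', 'b', 'c', 'd')},
	}
	for _, s := range samples {
		kv, err := parseMetadata(bytes.NewReader(s[1].([]byte)))
		fmt.Printf("%-16s kv=%v err=%v\n", s[0], kv, err)
	}
}
```

The same rule applies to every count and length a model file carries (tensor counts, dimension arrays, array-valued metadata): bound it against a fixed ceiling and against the bytes actually remaining before using it to size an allocation or a loop.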
CVE-2025-15514 HIGH POC This Week

Ollama 0.11.5-rc0 through 0.13.5 (the current version at the time of the report) contain a null pointer dereference vulnerability in the multi-modal model image processing functionality.

Tags: Null Pointer Dereference, Denial Of Service, AI / ML, Ollama, Red Hat, +1
Sources: NVD, GitHub
CVSS 3.1: 7.5 (HIGH) · EPSS: 0.1%
CVE-2025-44779 LIB MEDIUM PATCH This Month

An issue in Ollama v0.1.33 allows attackers to delete arbitrary files by sending a crafted request to the /api/pull endpoint. Rated medium severity (CVSS 6.6): no authentication required, low attack complexity. No vendor patch available.

Tags: Information Disclosure, Ollama, AI / ML, Suse
Sources: NVD, GitHub
CVSS 3.1: 6.6 · EPSS: 0.0%
CVE-2025-1975 LIB HIGH POC PATCH GHSA This Week

A vulnerability in Ollama server version 0.5.11 allows a malicious user to cause a denial of service (DoS) by customizing the manifest content and spoofing a service. Rated high severity (CVSS 7.5): remotely exploitable, no authentication required, low attack complexity. Public exploit code is available; no vendor patch is available.

Tags: Denial Of Service, Ollama, AI / ML, Red Hat, Suse
Sources: NVD
CVSS 3.0: 7.5 · EPSS: 0.5%
CVE-2025-29446 LOW POC Monitor

open-webui v0.5.16 is vulnerable to SSRF in routers/ollama.py, in the function verify_connection. Rated low severity (CVSS 3.3): low attack complexity. Public exploit code is available; no vendor patch is available.

Tags: SSRF, Open Webui, Ollama, AI / ML
Sources: NVD, GitHub
CVSS 3.1: 3.3 · EPSS: 0.1%
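Three entries on this page are the same SSRF pattern seen from different sides: CVE-2026-5530 (a pull URL handed to Ollama's downloader), CVE-2026-33401 (an "Ollama host" setting in Wallos that reaches cloud metadata services), and CVE-2025-29446 (open-webui's verify_connection). The Go example below is added to show the destination check a practitioner would put in front of any such user-supplied URL; it is not code from Ollama, Wallos or open-webui (the latter two are not written in Go). The blocked ranges, the offlineResolver DNS table and the example hostnames are assumptions of the example, constructed so it runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// blockedNets: ranges an AI-integration host should never be pointed at.
// Link-local covers the cloud metadata address 169.254.169.254. The IPv4-mapped
// form ::ffff:127.0.0.1 is caught too, because IPNet.Contains normalises it.
var blockedNets = mustCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
	"::/128", "::1/128", "fc00::/7", "fe80::/10",
)

var ErrBlockedDestination = errors.New("destination not allowed")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

func isBlockedIP(ip net.IP) bool {
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// checkOutboundURL validates a user-supplied target before any request is made.
// resolve is injected so the check runs offline; production passes net.LookupIP.
func checkOutboundURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("%w: scheme %q", ErrBlockedDestination, u.Scheme)
	}
	host := u.Hostname()
	if host == "" {
		return fmt.Errorf("%w: empty host", ErrBlockedDestination)
	}
	ips, err := resolve(host)
	if err != nil {
		return err
	}
	if len(ips) == 0 {
		return fmt.Errorf("%w: %s resolved to nothing", ErrBlockedDestination, host)
	}
	for _, ip := range ips { // every address must pass, not just the first
		if isBlockedIP(ip) {
			return fmt.Errorf("%w: %s -> %s", ErrBlockedDestination, host, ip)
		}
	}
	return nil
}

// offlineResolver is a constructed DNS table for the example; literal IPs
// resolve to themselves, as net.LookupIP would do.
func offlineResolver(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	table := map[string]string{
		"ollama.example":    "203.0.113.10",    // legitimate external host
		"localhost":         "127.0.0.1",       // the local Ollama API
		"metadata.internal": "169.254.169.254", // a name pointing at IMDS
	}
	if a, ok := table[host]; ok {
		return []net.IP{net.ParseIP(a)}, nil
	}
	return nil, errors.New("no such host: " + host)
}

// newGuardedClient repeats the IP check inside the dialer, at connect time, so
// a name that resolved to a public address during validation but to an internal
// one moments later (DNS rebinding) is still refused. Redirects reuse the same
// dialer, so every hop of a redirect chain is covered as well.
func newGuardedClient() *http.Client {
	d := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if ip := net.ParseIP(host); ip == nil || isBlockedIP(ip) {
				return fmt.Errorf("%w: dial %s", ErrBlockedDestination, address)
			}
			return nil
		},
	}
	return &http.Client{Transport: &http.Transport{DialContext: d.DialContext}, Timeout: 15 * time.Second}
}

func main() {
	for _, t := range []string{"http://ollama.example:11434/api/tags", "http://169.254.169.254/latest/meta-data/",
		"http://metadata.internal/computeMetadata/v1/", "http://[::ffff:127.0.0.1]:11434/", "file:///etc/passwd"} {
		fmt.Printf("%-48s %v\n", t, checkOutboundURL(t, offlineResolver))
	}
	_ = newGuardedClient() // use this client for any request to a user-supplied host
}
```

A parse-time check alone is not enough: the name can be re-resolved between validation and connect, which is why the Dialer.Control hook repeats the test on the address actually being dialed. A deployment whose Ollama legitimately lives on localhost or a private subnet would carve out that one address explicitly rather than drop the whole range.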
CVE-2025-0317 Go HIGH POC PATCH This Week

A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to upload and create a customized GGUF model file on the Ollama server. Rated high severity (CVSS 7.5): remotely exploitable, no authentication required, low attack complexity. Public exploit code is available; no vendor patch is available.

Tags: Denial Of Service, Ollama, AI / ML, Red Hat, Suse
Sources: NVD
CVSS 3.1: 7.5 · EPSS: 0.4%
CVE-2025-0315 Go HIGH POC PATCH This Month

A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file, upload it to the Ollama server, and create it. Rated high severity (CVSS 7.5): remotely exploitable, no authentication required, low attack complexity. Public exploit code is available; no vendor patch is available.

Tags: Denial Of Service, Ollama, AI / ML, Red Hat, Suse
Sources: NVD
CVSS 3.1: 7.5 · EPSS: 0.3%
CVE-2025-0312 Go HIGH POC PATCH This Week

A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that, when uploaded and created on the Ollama server, can cause a crash due to an. Rated high severity (CVSS 7.5): remotely exploitable, no authentication required, low attack complexity. Public exploit code is available; no vendor patch is available.

Tags: Null Pointer Dereference, Denial Of Service, Ollama, AI / ML, Red Hat, +1
Sources: NVD
CVSS 3.1: 7.5 · EPSS: 0.2%
CVE-2024-8063 LIB HIGH POC PATCH GHSA This Week

A divide-by-zero vulnerability exists in ollama/ollama version v0.3.3. Rated high severity (CVSS 7.5): remotely exploitable, no authentication required, low attack complexity. Public exploit code is available; no vendor patch is available.

Tags: Denial Of Service, Ollama, AI / ML, Red Hat, Suse
Sources: NVD
CVSS 3.1: 7.5 · EPSS: 0.3%
CVE-2024-12886 Go HIGH PATCH This Week

An out-of-memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. Rated high severity (CVSS 7.5): remotely exploitable, no authentication required, low attack complexity. No vendor patch is available.

Tags: Denial Of Service, Ollama, AI / ML, Red Hat, Suse
Sources: NVD
CVSS 3.0: 7.5 · EPSS: 0.2%
CVE-2024-12055 Go HIGH POC PATCH This Week

A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that can be uploaded to the public Ollama server. Rated high severity (CVSS 7.5): remotely exploitable, no authentication required, low attack complexity. Public exploit code is available; no vendor patch is available.

Tags: Information Disclosure, Buffer Overflow, Denial Of Service, Ollama, AI / ML, +2
Sources: NVD
CVSS 3.1: 7.5 · EPSS: 0.2%