9.8
CVE-2024-1511 - Path Traversal Vulnerability in parisneo/lollms-webui
The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplied file paths. This flaw allows an unauthenticated attacker to read, write, and in certain configurations execute arbitrary files on the server by exploiting various endpβ¦
0.0
CVE-2024-1599 -
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
7.2
CVE-2024-3283 - Privilege Escalation via Mass Assignment in mintplex-labs/anything-llm
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enablingβ¦
9.8
CVE-2024-2221 - Path Traversal and Arbitrary File Upload Vulnerability in qdrant/qdrant
qdrant/qdrant is vulnerable to a path traversal and arbitrary file upload vulnerability via the `/collections/{COLLECTION}/snapshots/upload` endpoint, specifically through the `snapshot` parameter. This vulnerability allows attackers to upload and overwrite any file on the filesystem, leading to poβ¦
9.3
CVE-2024-1600 - Local File Inclusion in parisneo/lollms-webui
A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (`../../`) followed by the desired system file path, Uβ¦
9.1
CVE-2024-1643 - Unauthorized Organization Access in lunary-ai/lunary
By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that organization. This vulnerability allows unauthorized access and modification of sensitive information, posing a significant security risk. The flaw β¦
7.5
CVE-2024-3569 - Denial of Service (DoS) Vulnerability in mintplex-labs/anything-llm
A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me' mode with a password. An attacker can exploit this vulnerability by making a request to the endpoint using the [validatedRequest] middleware with a specially crafβ¦
9.8
CVE-2024-3098 - Prompt Injection leading to Arbitrary Code Execution in run-llama/llama_index
A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for prompt injection leading to arbitrary code execution. This issue arises due to insufficient validation of input, which can be exploited to bypass method β¦
7.5
CVE-2024-1728 - Local File Inclusion in gradio-app/gradio
gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in theβ¦
9.6
CVE-2024-3568 - Arbitrary Code Execution via Deserialization in huggingface/transformers
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, expβ¦