8.8
CVE-2024-10986 - Local File Read (LFI) by Tarslip Symlink via arxiv_download() API in binary-husky/gpt_academic
GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks. …
7.5
CVE-2024-11040 - vllm: Denial of Service in vllm-project/vllm
** REJECT ** DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-8939. Notes: All CVE users should reference CVE-2024-8939 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage.
7.5
CVE-2025-0189 - Denial of Service in aimhubio/aim
In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large imag…
7.4
CVE-2024-11602 - CORS Vulnerability in feast-dev/feast
A Cross-Origin Resource Sharing (CORS) vulnerability exists in feast-dev/feast version 0.40.0. The CORS configuration on the agentscope server does not properly restrict access to only trusted origins, allowing any external domain to make requests to the API. This can bypass intended security contr…
7.5
CVE-2024-10051 - Unauthenticated Denial of Service in shaunwei/realchar
Realchar version v0.0.4 is vulnerable to an unauthenticated denial of service (DoS) attack. The vulnerability exists in the file upload request handling, where appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request causes the server to continuously process e…
7.5
CVE-2025-0312 - NULL Pointer Dereference in ollama/ollama
A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to create a customized GGUF model file that, when uploaded and created on the Ollama server, can cause a crash due to an unchecked null pointer dereference. This can lead to a Denial of Service (DoS) attack via remote networ…
7.5
CVE-2024-12534 - Denial of Service (DoS) in open-webui/open-webui
In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead to a Denial of Service (DoS) condition when a us…
4.8
CVE-2024-0640 - Stored XSS in chatwoot/chatwoot
A stored cross-site scripting (XSS) vulnerability exists in chatwoot/chatwoot versions 3.0.0 to 3.5.1. This vulnerability allows an admin user to inject malicious JavaScript code via the dashboard app settings, which can then be executed by another admin user when they access the affected dashboard…
5.3
CVE-2024-6844 - Inconsistent CORS Matching Due to Handling of '+' in URL Path in corydolphin/flask-cors
A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path n…
9.1
CVE-2024-6829 - Arbitrary File Overwrite through tarfile-extraction in aimhubio/aim
A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the `tarfile.extractall()` function to extract the contents of a maliciously crafted tarfile to arbitrary locations on the host server. The attacker can control `repo.path` and `run_hash` to bypass directory existence chec…