5.3
CVE-2024-10940 - Exposure of Sensitive System Information via ImagePromptTemplate in langchain-ai/langchain
A vulnerability in langchain-core versions >=0.1.17,<0.1.53, >=0.2.0,<0.2.43, and >=0.3.0,<0.3.15 allows unauthorized users to read arbitrary files from the host file system. The issue arises from the ability to create langchain_core.prompts.ImagePromptTemplate's (and by extension langchain_core.prβ¦
6.5
CVE-2024-10273 - Improper Privilege Management in lunary-ai/lunary
In lunary-ai/lunary v1.5.0, improper privilege management in the models.ts file allows users with viewer roles to modify models owned by others. The PATCH endpoint for models does not have appropriate privilege checks, enabling low-privilege users to update models they should not have access to modβ¦
7.5
CVE-2025-0190 - Denial of Service in aimhubio/aim
In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended period while processing and returning these β¦
7.5
CVE-2024-12055 - DoS using malicious gguf model file in ollama/ollama
A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized gguf model file that can be uploaded to the public Ollama server. When the server processes this malicious model, it crashes, leading to a Denial of Service (DoS) attack. The root cause of the issue is an outβ¦
9.8
CVE-2024-9095 - Improper Authorization in lunary-ai/lunary
In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is protected by a confiβ¦
7.5
CVE-2024-10713 - Denial of Service (DoS) via Multipart Request in szad670401/hyperlpr
A vulnerability in szad670401/hyperlpr v3.0 allows for a Denial of Service (DoS) attack. The server fails to handle excessive characters appended to the end of multipart boundaries, regardless of the character used. This flaw can be exploited by sending malformed multipart requests with arbitrary cβ¦
7.5
CVE-2025-1796 - Admin account takeover through weak Pseudo-Random number generator used in generating password reseβ¦
A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a weak pseudo-random number generator (PRNG) used for generating password reset codes. The application uses `random.randint` for this purpose, which is not suitablβ¦
6.1
CVE-2024-11441 - Stored XSS in Serge in serge-chat/serge
A stored cross-site scripting (XSS) vulnerability exists in Serge version 0.9.0. The vulnerability is due to improper neutralization of input during web page generation in the chat prompt. An attacker can exploit this vulnerability by sending a crafted message containing malicious HTML/JavaScript cβ¦
7.5
CVE-2024-7765 - Denial of Service in h2oai/h2o-3
In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The server becomes unresponsive due to memory exhaustion and a large number of concurrent slow-running jobs. This issue arises from the improper handling oβ¦
4.3
CVE-2024-13060 - Improper Authorization in mintplex-labs/anything-llm
A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1.