778 matches found
OpenAI Provider - Moderately critical - Server-side Request Forgery - SA-CONTRIB-2026-053
This module enables you to use OpenAI as a provider for the AI module. The module doesn't sufficiently sanitize user-supplied URLs, leading to a Server-side request forgery SSRF vulnerability. This vulnerability is mitigated by the fact that an attacker must have the access to change the host url...
PT-2026-52166
Name of the Vulnerable Software and Affected Versions Drupal OpenAI Provider versions 0.0.0 through 1.1.1 Drupal OpenAI Provider versions 1.2.0 through 1.2.2 Description Insufficient sanitization of user-supplied URLs leads to a Server-Side Request Forgery SSRF, a flaw where an attacker can induc...
OpenAI Expands Daybreak With GPT-5.5-Cyber to Help Defenders Patch Security Flaws
OpenAI on Monday said it's releasing an improved version of its GPT‑5.5‑Cyber model to trusted defenders as part of the Daybreak initiative the artificial intelligence AI company announced last month. Calling GPT‑5.5‑Cyber its "strongest model yet for finding and helping patch software...
CVE-2026-48746
vLLM is an inference and serving engine for large language models LLMs. From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing t...
CVE-2026-48746 vLLM: OpenAI auth bypass
vLLM is an inference and serving engine for large language models LLMs. From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing t...
CVE-2026-48746 vLLM: OpenAI auth bypass
vLLM is an inference and serving engine for large language models LLMs. From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing t...
CVE-2026-48746
vLLM is an inference and serving engine for large language models LLMs. From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing t...
CVE-2026-48746 vLLM: OpenAI auth bypass
vLLM is an inference and serving engine for large language models LLMs. From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows to use the API without providing t...
CVE-2026-48746
vLLM OpenAI auth bypass (CVE-2026-48746) affects vLLM versions 0.3.0 through 0.21.0. Root cause: ASGI servers and Starlette trust the Host header from the request scope, enabling manipulation of the reconstructed URL path and bypassing the OpenAI API AuthenticationMiddleware for routes beginning ...
CVE-2026-49468
LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.84.0, a Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from...
CVE-2026-49468
LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.84.0, a Host-header parsing flaw in the LiteLLM proxy could, under specific conditions, allow unauthenticated access to protected management routes. The auth layer derived the effective route from...
CVE-2025-71379 vllm - Regular Expression Denial of Service in Multiple Components
vLLM versions = 0.6.3 and 0.9.0 contain multiple regular expression denial of service ReDoS vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker...
Malicious code in @mastra/voice-openai (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 636dbce2606cf797f51ebd7c7e76ee2154a1e00e61b734cef90f19ca02ad397c The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
Malicious code in @mastra/voice-openai-realtime (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 623d77007529d1601a2da2b0ff1fc002dfa42282411ba1350b5bc720316d6c0f The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
MAL-2026-6049 Malicious code in @mastra/voice-openai-realtime (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 623d77007529d1601a2da2b0ff1fc002dfa42282411ba1350b5bc720316d6c0f The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
GHSA-94F4-HR76-P5J6 vLLM: OpenAI auth bypass
Summary A vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware, which was discovered during @x41sec's source code audit. It allows to use the API without providing the configured VLLMAPIKEY or...
vLLM: OpenAI auth bypass
Summary A vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware, which was discovered during @x41sec's source code audit. It allows to use the API without providing the configured VLLMAPIKEY or...
MAL-2026-5789 Malicious code in claude-cup (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c369ccf7b5e0ef8721b5ecdc94bd843ce260923394f6c513350a58928abdbdd3 On first invocation of npx claude-cup and on every subsequent Claude Code tool call once hooks are installed, research/config-audit.js enumerates eve...
CVE-2026-5497
vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory OOM Denial of Service DoS attack due to unbounded frame count processing in the VideoMediaIO.loadbase64 method. When processing video/jpeg data URLs, the method splits the base64 data string on commas to extract individual JPEG fram...
EUVD-2026-36217
vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory OOM Denial of Service DoS attack due to unbounded frame count processing in the VideoMediaIO.loadbase64 method. When processing video/jpeg data URLs, the method splits the base64 data string on commas to extract individual JPEG fram...