75 matches found
CVE-2026-55514
vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is...
CVE-2026-55514 vLLM denial of service via prompt embeds on M-RoPE models
vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is...
CVE-2026-54234 vLLM: Remote DoS in vLLM via Invalid Recovered Token Reinjection
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then convert...
CVE-2026-54234 vLLM: Remote DoS in vLLM via Invalid Recovered Token Reinjection
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then convert...
CVE-2026-54234
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Prior to 0.24.0, a frontend-legal multi-request speculative decoding workload can cause the rejection sampler to produce a recovered token equal to the model vocabulary size boundary value, which is then convert...
CVE-2026-55646 vLLM speech-to-text endpoints allocate full upload before enforcing the audio file-size limit
vLLM is an inference and serving engine for large language models. From 0.22.0 to 0.23.0, the /v1/audio/transcriptions and /v1/audio/translations routes call request.file.read to fully materialize an uploaded audio file into memory before vLLM checks the documented VLLMMAXAUDIOCLIPFILESIZEMB...
EUVD-2026-41914
vLLM is an inference and serving engine for large language models. From 0.22.0 to 0.23.0, the /v1/audio/transcriptions and /v1/audio/translations routes call request.file.read to fully materialize an uploaded audio file into memory before vLLM checks the documented VLLMMAXAUDIOCLIPFILESIZEMB...
PT-2026-56000
Name of the Vulnerable Software and Affected Versions vLLM versions prior to 0.24.0 Description The structured outputs.regex API parameter allows user-supplied regular expression strings to be passed to grammar compiler backends without a compilation timeout. In the xgrammar backend, the string i...
PT-2026-55978
Name of the Vulnerable Software and Affected Versions vLLM versions 0.22.0 through 0.23.0 Description The software fails to validate the size of uploaded audio files before loading them into memory. Specifically, the endpoints '/v1/audio/transcriptions' and '/v1/audio/translations' execute the...
PT-2026-55997
Name of the Vulnerable Software and Affected Versions vLLM versions prior to 0.24.0 Description A flaw in the rejection sampler during multi-request speculative decoding workloads allows the production of a recovered token equal to the model vocabulary size boundary value. This value is converted...
EUVD-2026-33284
RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator rag/prompts/generator.py allows any authenticated user to execute arbitrary OS commands on the server. Any normal user can register, create a Canvas...
CVE-2026-42448
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output " where that output directory currently exists as a directory. This vulnerability is fixed in 0.24.0...
CVE-2026-42448 wormhole receive, with --output pointing at an existing directory can be path-traversed
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output " where that output directory currently exists as a directory. This vulnerability is fixed in 0.24.0...
EUVD-2026-31947
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output " where that output directory currently exists as a directory. This vulnerability is fixed in 0.24.0...
CVE-2026-42448
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output " where that output directory currently exists as a directory. This vulnerability is fixed in 0.24.0...
CVE-2026-42448
CVE-2026-42448 affects the Python package magic-wormhole . A vulnerability in the receive path occurs when the receiver specifies --output and that target directory already exists, enabling a path traversal. Documentation in multiple sources confirms this flaw and its fix: upgrade to version 0.2...
CVE-2026-42448 wormhole receive, with --output pointing at an existing directory can be path-traversed
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output " where that output directory currently exists as a directory. This vulnerability is fixed in 0.24.0...
CVE-2026-42448 wormhole receive, with --output pointing at an existing directory can be path-traversed
Magic Wormhole makes it possible to get arbitrary-sized files and directories from one computer to another. Prior to 0.24.0, there is a path traversal when a receiver who specifies "--output " where that output directory currently exists as a directory. This vulnerability is fixed in 0.24.0...
Magic Wormhole 路径遍历漏洞
Magic Wormhole is an open-source, secure cross-computer file transfer tool. Versions of Magic Wormhole prior to 0.24.0 contained a path traversal vulnerability, which was due to the possibility of path traversal when the recipient specified an output directory...
GHSA-CF92-GFCW-6V53 Magic Wormhole: receive, with --output pointing at an existing directory can be path-traversed
Impact A receiver who specifies "--output " where that output directory currently exists as a directory. Patches 0.24.0 will contain the patch Workarounds Ensure local target directories specified by "--output" do not already exist Resources Private email and Signal communications from a user...