CVE-2024-9919 Missing Authentication Check in parisneo/lollms-webui

A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/appname API endpoint does not call the checkaccess function to verify the clientid, enabling attackers to delete directories without...

CVE-2024-8438

Summary: CVE-2024-8438 describes a path traversal in modelscope/agentscope v0.0.4 where the /api/file endpoint does not sanitize the path parameter, enabling reading arbitrary server files. The underlying impact is information disclosure with a high severity (CVSS3/7.5) but no exploitation detail...

CVE-2024-8438 Path Traversal in modelscope/agentscope

A path traversal vulnerability exists in modelscope/agentscope version v.0.0.4. The API endpoint /api/file does not properly sanitize the path parameter, allowing an attacker to read arbitrary files on the server...

CVE-2024-8438 Path Traversal in modelscope/agentscope

A path traversal vulnerability exists in modelscope/agentscope version v.0.0.4. The API endpoint /api/file does not properly sanitize the path parameter, allowing an attacker to read arbitrary files on the server...

CVE-2024-8060

OpenWebUI 0.3.0 is affected by a vulnerability in the audio API endpoint /audio/api/v1/transcriptions that allows arbitrary file upload due to insufficient validation of file.content_type and user-controlled filenames, enabling path traversal. An authenticated user could overwrite critical files ...

CVE-2024-9309 SSRF in POST /worker_generate_stream API endpoint in haotian-liu/llava

A Server-Side Request Forgery SSRF vulnerability exists in the POST /workergeneratestream API endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 LLaVA-1.6. This vulnerability allows attackers to exploit the victim Controller API Server's credentials to perform unauthorized...

CVE-2024-8249 Unauthenticated Denial of Service (DoS) in mintplex-labs/anything-llm

mintplex-labs/anything-llm version git 6dc3642 contains an unauthenticated Denial of Service DoS vulnerability in the API for the embeddable chat functionality. An attacker can exploit this vulnerability by sending a malformed JSON payload to the API endpoint, causing a server crash due to an...

CVE-2024-8249

CVE-2024-8249 affects mintplex-labs/anything-llm, specifically the embeddable chat API. The issue is an unauthenticated Denial of Service triggered by sending a malformed JSON payload to the API endpoint, causing a server crash via an uncaught exception. Affected version: git 6dc3642. Remediation...

CVE-2024-10109 Incorrect Authorization in mintplex-labs/anything-llm

A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables them to modify the model's API key and base path, leading to potential API key leakage and denial of...

CVE-2024-9418

CVE-2024-9418 affects transformeroptimus/superagi v0.0.14, where the API endpoint /api/users/get/{id} returns plaintext user passwords. This flaw enables an attacker to retrieve another user’s password, enabling potential account takeover. Connected reports confirm the issue and the affected comp...

CVE-2024-8251

CVE-2024-8251 affects mintplex-labs/anything-llm prior to version 1.2.2. The vulnerability resides in the API endpoint "/embed/:embedId/stream-chat" where user-provided JSON is passed directly to the Prisma where clause, enabling Prisma injection. An attacker can supply crafted JSON such as {"ses...

PT-2025-12177 · Unknown · Open-Webui

Name of the Vulnerable Software and Affected Versions: open-webui/open-webui version v0.3.8 Description: The application exhibits improper privilege management. An attacker with administrator privileges can delete other administrators by directly accessing the API endpoint...

PT-2025-12227 · Prisma +1 · Prismax +1

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm versions prior to 1.2.2 Description: A vulnerability exists in the API endpoint "/embed/:embedId/stream-chat" where user-provided JSON is directly taken to the Prisma library's where clause. An attacker can exploit...

Composio 安全漏洞

Composio is a production-ready toolset for AI agents open-sourced by Composio. A security vulnerability exists in Composio version v0.4.2, which stems from the /api/actions/execute/WEBTOOLSCRAPEWEBSITECONTENT endpoint that does not validate user input, which could lead to a server-side request...

PT-2025-12169 · Unknown · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm version 1.5.5 Description: The issue allows unauthorized users to access sensitive system settings through the "/setup-complete" API endpoint. The data returned by the currentSettings function includes sensitive...

DB-GPT 安全漏洞

DB-GPT is an AWEL and agent-based AI native data application development framework open-sourced by eosphoros. A security vulnerability exists in DB-GPT version 0.6.0, which stems from a path traversal vulnerability in the API endpoint /v1/resource/file/delete, which allows an attacker to delete...

dify 安全漏洞

dify is an open source LLM application development platform from LangGenius Open Source. A security vulnerability exists in version 0.9.1 of dify, which stems from improper handling of the apiendpoint parameter and could lead to a server-side request forgery attack...

PT-2025-12200 · Unknown · Open-Webui

Name of the Vulnerable Software and Affected Versions: open-webui/open-webui version 0.3.8 Description: A stored cross-site scripting XSS issue exists, allowing an attacker to inject malicious scripts through the /api/v1/models/add endpoint, where the model description field is improperly...

CVE-2025-2355

A vulnerability was found in BlackVue App 3.65 on Android and classified as problematic. Affected by this issue is some unknown functionality of the component API Endpoint Handler. The manipulation of the argument BCSTOKEN/SECRETKEY leads to unprotected storage of credentials. Local access is...

CVE-2025-30141

An issue was discovered on G-Net Dashcam BB GONX devices. One can Remotely Dump Video Footage and the Live Video Stream. It exposes API endpoints on ports 9091 and 9092 that allow remote access to recorded and live video feeds. An attacker who connects to the dashcam's network can retrieve all...