CVE-2024-8249 Unauthenticated Denial of Service (DoS) in mintplex-labs/anything-llm

mintplex-labs/anything-llm version git 6dc3642 contains an unauthenticated Denial of Service DoS vulnerability in the API for the embeddable chat functionality. An attacker can exploit this vulnerability by sending a malformed JSON payload to the API endpoint, causing a server crash due to an...

CVE-2024-10109 Incorrect Authorization in mintplex-labs/anything-llm

A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". This access enables them to modify the model's API key and base path, leading to potential API key leakage and denial of...

CVE-2024-9418

CVE-2024-9418 affects transformeroptimus/superagi v0.0.14, where the API endpoint /api/users/get/{id} returns plaintext user passwords. This flaw enables an attacker to retrieve another user’s password, enabling potential account takeover. Connected reports confirm the issue and the affected comp...

CVE-2024-8251

CVE-2024-8251 affects mintplex-labs/anything-llm prior to version 1.2.2. The vulnerability resides in the API endpoint "/embed/:embedId/stream-chat" where user-provided JSON is passed directly to the Prisma where clause, enabling Prisma injection. An attacker can supply crafted JSON such as {"ses...

dify 安全漏洞

dify is an open source LLM application development platform from LangGenius Open Source. A security vulnerability exists in version 0.9.1 of dify, which stems from improper handling of the apiendpoint parameter and could lead to a server-side request forgery attack...

PT-2025-12177 · Unknown · Open-Webui

Name of the Vulnerable Software and Affected Versions: open-webui/open-webui version v0.3.8 Description: The application exhibits improper privilege management. An attacker with administrator privileges can delete other administrators by directly accessing the API endpoint...

PT-2025-12200 · Unknown · Open-Webui

Name of the Vulnerable Software and Affected Versions: open-webui/open-webui version 0.3.8 Description: A stored cross-site scripting XSS issue exists, allowing an attacker to inject malicious scripts through the /api/v1/models/add endpoint, where the model description field is improperly...

DB-GPT 安全漏洞

DB-GPT is an AWEL and agent-based AI native data application development framework open-sourced by eosphoros. A security vulnerability exists in DB-GPT version 0.6.0, which stems from a path traversal vulnerability in the API endpoint /v1/resource/file/delete, which allows an attacker to delete...

Composio 安全漏洞

Composio is a production-ready toolset for AI agents open-sourced by Composio. A security vulnerability exists in Composio version v0.4.2, which stems from the /api/actions/execute/WEBTOOLSCRAPEWEBSITECONTENT endpoint that does not validate user input, which could lead to a server-side request...

PT-2025-12169 · Unknown · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm version 1.5.5 Description: The issue allows unauthorized users to access sensitive system settings through the "/setup-complete" API endpoint. The data returned by the currentSettings function includes sensitive...

PT-2025-12227 · Prisma +1 · Prismax +1

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm versions prior to 1.2.2 Description: A vulnerability exists in the API endpoint "/embed/:embedId/stream-chat" where user-provided JSON is directly taken to the Prisma library's where clause. An attacker can exploit...

CVE-2025-2355

A vulnerability was found in BlackVue App 3.65 on Android and classified as problematic. Affected by this issue is some unknown functionality of the component API Endpoint Handler. The manipulation of the argument BCSTOKEN/SECRETKEY leads to unprotected storage of credentials. Local access is...

CVE-2025-30141

An issue was discovered on G-Net Dashcam BB GONX devices. One can Remotely Dump Video Footage and the Live Video Stream. It exposes API endpoints on ports 9091 and 9092 that allow remote access to recorded and live video feeds. An attacker who connects to the dashcam's network can retrieve all...

CVE-2025-2344

A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The...

CVE-2025-2355

A vulnerability was found in BlackVue App 3.65 on Android and classified as problematic. Affected by this issue is some unknown functionality of the component API Endpoint Handler. The manipulation of the argument BCSTOKEN/SECRETKEY leads to unprotected storage of credentials. Local access is...

CVE-2025-2355 BlackVue App API Endpoint credentials storage

A vulnerability was found in BlackVue App 3.65 on Android and classified as problematic. Affected by this issue is some unknown functionality of the component API Endpoint Handler. The manipulation of the argument BCSTOKEN/SECRETKEY leads to unprotected storage of credentials. Local access is...

CVE-2025-2355 BlackVue App API Endpoint credentials storage

A vulnerability was found in BlackVue App 3.65 on Android and classified as problematic. Affected by this issue is some unknown functionality of the component API Endpoint Handler. The manipulation of the argument BCSTOKEN/SECRETKEY leads to unprotected storage of credentials. Local access is...

CVE-2025-2355

The CVE-2025-2355 entry concerns BlackVue App 3.65 on Android. The vulnerability affects an unknown portion of the API Endpoint Handler where manipulating BCS_TOKEN/SECRET_KEY leads to unprotected storage of credentials. Local access is required, and public disclosure of the exploit is indicated....

CVE-2025-2344

CVE-2025-2344 affects IROAD Dash Cam X5 and X6, where an API Endpoint with missing authentication (access control error) enables remote exploitation. Public descriptions consistently note a critical classification and remote abuse potential, but do not provide concrete remediation details in the ...

CVE-2025-2344 IROAD Dash Cam X5/Dash Cam X6 API Endpoint missing authentication

A vulnerability, which was classified as critical, has been found in IROAD Dash Cam X5 and Dash Cam X6 up to 20250308. Affected by this issue is some unknown functionality of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. The...