546 matches found

Cvelist, added 2025/03/20 10:09 a.m.

CVE-2024-9309 SSRF in POST /worker_generate_stream API endpoint in haotian-liu/llava

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 (LLaVA-1.6). This vulnerability allows attackers to exploit the victim Controller API Server's credentials to perform unauthorized...

CVSS 9.3, EPSS 0.00347
Exploits: 1, References: 1
CVE, added 2025/03/20 10:09 a.m.

CVE-2024-9309

CVE-2024-9309 is a Server-Side Request Forgery (SSRF) affecting the Controller API Server of haotian-liu/llava v1.2.0 (LLaVA-1.6). The vulnerability exists in the POST /worker_generate_stream endpoint and could allow an attacker to leverage the server’s credentials to perform unauthorized web act...

CVSS 9.3, AI score 9.2, EPSS 0.00347
Exploits: 1, References: 1, Affected Software: 1
Cvelist, added 2025/03/20 10:09 a.m.

CVE-2024-8249 Unauthenticated Denial of Service (DoS) in mintplex-labs/anything-llm

mintplex-labs/anything-llm version git 6dc3642 contains an unauthenticated Denial of Service (DoS) vulnerability in the API for the embeddable chat functionality. An attacker can exploit this vulnerability by sending a malformed JSON payload to the API endpoint, causing a server crash due to an...

CVSS 7.5, EPSS 0.00491
Exploits: 1, References: 2
OSV, added 2025/03/19 3:52 p.m.

GHSA-MGRM-FGJV-MHV8 vLLM denial of service via outlines unbounded cache on disk

Impact: The outlines library is one of the backends used by vLLM to support structured output (a.k.a. guided decoding). Outlines provides an optional cache for its compiled grammars on the local filesystem. This cache has been on by default in vLLM. Outlines is also available by default through the...

CVSS 6.5, AI score 6.8, EPSS 0.00658
Exploits: 0, References: 5
Vulnrichment, added 2025/03/07 3:36 p.m.

CVE-2025-27518 Cognita CORS misconfiguration in backend API server

Cognita is a RAG (Retrieval Augmented Generation) Framework for building modular, open source applications for production by TrueFoundry. An insecure CORS configuration in the Cognita backend server allows arbitrary websites to send cross site requests to the application. This vulnerability is fixe...

CVSS 6.9, AI score 6.8, EPSS 0.00244
Exploits: 0, References: 3
Cvelist, added 2025/03/07 3:36 p.m.

CVE-2025-27518 Cognita CORS misconfiguration in backend API server

Cognita is a RAG (Retrieval Augmented Generation) Framework for building modular, open source applications for production by TrueFoundry. An insecure CORS configuration in the Cognita backend server allows arbitrary websites to send cross site requests to the application. This vulnerability is fixe...

CVSS 6.9, EPSS 0.00244
Exploits: 0, References: 3
RedhatCVE, added 2025/02/05 11:17 p.m.

CVE-2022-23652

capsule-proxy is a reverse proxy for Capsule Operator which provides multi-tenancy in Kubernetes. In versions prior to 0.2.1 an attacker with a proper authentication mechanism may use a malicious Connection header to start a privilege escalation attack towards the Kubernetes API Server. This...

CVSS 8.8, AI score 7, EPSS 0.00385
Exploits: 1, References: 1
RedhatCVE, added 2025/02/05 5:04 a.m.

CVE-2024-10044

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server's...

CVSS 9.3, AI score 9.1, EPSS 0.00221
Exploits: 1, References: 1
RedhatCVE, added 2025/02/05 12:20 a.m.

CVE-2024-31848

A path traversal vulnerability exists in the Java version of CData API Server 23.4.8844 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application...

CVSS 9.8, AI score 7.2, EPSS 0.93601
Exploits: 1, References: 1
Cvelist, added 2025/02/04 7:36 p.m.

CVE-2025-24964 Remote Code Execution when accessing a malicious website while Vitest API server is listening

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a...

CVSS 9.6, EPSS 0.01938
Exploits: 1, References: 4
OSV, added 2025/02/04 7:36 p.m.

CVE-2025-24964 Remote Code Execution when accessing a malicious website while Vitest API server is listening

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a...

CVSS 9.6, AI score 8.7, EPSS 0.01938
Exploits: 1, References: 6
Vulnrichment, added 2025/02/04 7:36 p.m.

CVE-2025-24964 Remote Code Execution when accessing a malicious website while Vitest API server is listening

Vitest is a testing framework powered by Vite. Affected versions are subject to arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. When `api` option is enabled (Vitest UI enables it), Vitest starts a...

CVSS 9.6, AI score 9.7, EPSS 0.01938
Exploits: 1, References: 4
OSV, added 2025/02/04 5:00 p.m.

GHSA-9CRC-Q9X8-HGQQ Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening

Summary: Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. Details: When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin...

CVSS 9.6, AI score 7.9, EPSS 0.01938
Exploits: 1, References: 9
Github Security Blog, added 2025/02/04 5:00 p.m.

Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening

Summary: Arbitrary remote Code Execution when accessing a malicious website while Vitest API server is listening by Cross-site WebSocket hijacking (CSWSH) attacks. Details: When `api` option is enabled (Vitest UI enables it), Vitest starts a WebSocket server. This WebSocket server did not check Origin...

CVSS 9.6, AI score 8.3, EPSS 0.01938
Exploits: 1, References: 9, Affected Software: 1
Positive Technologies, added 2025/01/29 12:00 a.m.

PT-2025-5608

Name of the Vulnerable Software and Affected Versions: Vitest versions prior to 1.6.1; Vitest versions prior to 2.1.9; Vitest versions prior to 3.0.5. Description: The issue is related to arbitrary remote code execution when accessing a malicious website while the Vitest API server is listening, due t...

CVSS 10, AI score 8.2, EPSS 0.01938
Exploits: 1, References: 26
NVD, added 2024/12/30 12:15 p.m.

CVE-2024-10044

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server's...

CVSS 9.3, EPSS 0.00221
Exploits: 1, References: 1
Cvelist, added 2024/12/30 11:47 a.m.

CVE-2024-10044 SSRF in POST /worker_generate_stream API endpoint in lm-sys/fastchat

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server's...

CVSS 9.3, EPSS 0.00221
Exploits: 1, References: 1
OSSF Malicious Packages, added 2024/12/12 5:28 a.m.

Malicious code in nayan-api-server (npm)

Source: ghsa-malware 3aa649015a7b9b6a0c072dff43fa33c006eb20cdc5039c2ba526d686ec328223. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0, References: 1
OSV, added 2024/12/12 5:28 a.m.

MAL-2024-11807 Malicious code in nayan-api-server (npm)

Source: ghsa-malware 3aa649015a7b9b6a0c072dff43fa33c006eb20cdc5039c2ba526d686ec328223. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits: 0, References: 1
Cvelist, added 2024/12/02 4:08 p.m.

CVE-2024-53862 Argo Workflows Allows Access to Archived Workflows with Fake Token in `client` mode

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. When using --auth-mode=client, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: /api/v1/workflows/{namespace}/{name} or when using...

CVSS 6.3, EPSS 0.00321
Exploits: 1, References: 2