40 matches found
CVE-2025-61784 LLaMA Factory's Chat API has Critical SSRF and LFI Vulnerabilities
LLaMA-Factory is a tuning library for large language models. Prior to version 0.9.4, a Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the server to make arbitrary HTTP requests to internal and external networks. This can lead to the exposure ...
CVE-2025-61784
LLaMA-Factory's chat API contains SSRF and LFI in the _process_request function (src/llamafactory/api/chat.py). For image_url, video_url, and audio_url, if a URL is not a base64 data URI or local file path, the code fetches the URL with requests.get(url, stream=True).raw without validation, enabl...
MAL-2025-16860 Malicious code in chat-api2 (npm)
The package chat-api2 was found to contain malicious code...
Malicious code in chat-api1 (npm)
The package chat-api1 was found to contain malicious code...
MAL-2025-20143 Malicious code in facebook-chat-api-deku (npm)
The package facebook-chat-api-deku was found to contain malicious code...
Malicious code in facebook-chat-api-deku (npm)
The package facebook-chat-api-deku was found to contain malicious code...
MAL-2025-16859 Malicious code in chat-api1 (npm)
The package chat-api1 was found to contain malicious code...
Spring AI Embraces OpenAI's Structured Outputs: Enhancing JSON Response Reliability
OpenAI recently introduced a powerful feature called Structured Outputs, which ensures that AI-generated responses adhere strictly to a predefined JSON schema. This feature significantly improves the reliability and usability of AI-generated content in real-world applications. Today, we're excite...
Malicious code in abdulla-chat-api (npm)
MAL-2024-1715 Malicious code in abdulla-chat-api (npm)
CVE-2024-32964 lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause...
Malicious code in chat-api-asuna (npm)
Source: ghsa-malware 85f583cda7182f56d351d1ce81779546a87791f7686b5acf9ae3d1e80250e9a4. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-8230 Malicious code in chat-api-asuna (npm)
Source: ghsa-malware 85f583cda7182f56d351d1ce81779546a87791f7686b5acf9ae3d1e80250e9a4. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in fb-chat-api-temp (npm)
Source: ghsa-malware 63c74c505c9865af18f53843e393fef47f02c267d0f5a0cc3f82efc5024039d9. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-8172 Malicious code in fb-chat-api-temp (npm)
Source: ghsa-malware 63c74c505c9865af18f53843e393fef47f02c267d0f5a0cc3f82efc5024039d9. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-8154 Malicious code in thinhdz-chat-api (npm)
Source: ghsa-malware 10feefde0eba2eeb545796cc1ab17d266bb82abca9168de36be88ac78676b52e. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in thinhdz-chat-api (npm)
Source: ghsa-malware 10feefde0eba2eeb545796cc1ab17d266bb82abca9168de36be88ac78676b52e. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
8x8: Reflected xss on 8x8.com subdomain
The Beta version of a new chat API was discovered to contain a reflected XSS flaw. With the help of the researcher we were able to resolve the issue and ensure the future chat product will not contain this flaw. Write-up for beginners like me.. hackwithcommunity...
PT-2018-10311 · WordPress · Wp-Live-Chat-Support
Name of the Vulnerable Software and Affected Versions: wp-live-chat-support plugin versions prior to 8.0.08. Description: The issue is related to stored cross-site scripting in the wp-live-chat-support plugin for WordPress. This occurs via the name (aka wplc name) and email (aka wplc email) input fiel...