Lucene search
K

12 matches found

OSV
OSV
added 2026/05/15 7:20 p.m.3 views

CVE-2026-45349 Open WebUI: Broken Access Control for Completions API

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of another user to continue the conversation of the other...

7.1CVSS7AI score0.00231EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/05/14 8:24 p.m.14 views

Open WebUI has Broken Access Control for Completions API

Summary Any user X can continue the conversation of any other user Y, as long as the Chat ID of Y is known. User X does not even need to be an admin to do so. Details A user just needs to use the API endpoint: /api/chat/completions with their own API key generated in OWUI and the Chat ID of anoth...

7.1CVSS5.8AI score0.00231EPSS
Exploits1References5Affected Software1
RedhatCVE
RedhatCVE
added 2025/11/25 7:7 a.m.6 views

CVE-2025-62164

A vulnerability in vLLM allows attackers to supply malicious serialized prompt-embedding tensors that are deserialized using torch.load without validation. Due to PyTorch 2.8.0 disabling sparse-tensor integrity checks by default, a crafted tensor can bypass bounds checks and cause an out-of-bound...

8.8CVSS8AI score0.00849EPSS
Exploits0References6
CVE
CVE
added 2025/11/21 1:18 a.m.47 views

CVE-2025-62164

The CVE affects vLLM (inference/serving engine) before 0.11.1, where the Completions API loads user-supplied prompt embeddings with torch.load() lacking proper validation. A PyTorch 2.8.0 change disables sparse-tensor invariants checks, allowing crafted tensors to bypass bounds checks and trigger...

8.8CVSS7.8AI score0.00849EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2025/11/21 1:18 a.m.3 views

CVE-2025-62164 VLLM deserialization vulnerability leading to DoS and potential RCE

vLLM is an inference and serving engine for large language models LLMs. From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash denial-of-service and potentially remote code execution RCE, exists in the Completions API endpoint. When processing user-supplied...

8.8CVSS7.8AI score0.00849EPSS
Exploits0References3
CNNVD
CNNVD
added 2025/11/21 12:0 a.m.6 views

vLLM 缓冲区错误漏洞

vLLM is a vLLM open source high throughput and memory efficient inference and service engine for LLM. A buffer error vulnerability exists in vLLM versions 0.10.2 through prior to 0.11.1, which stems from the presence of a memory corruption in the Completions API endpoint that could lead to a cras...

8.8CVSS7.9AI score0.00849EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2025/11/20 8:59 p.m.12 views

vLLM deserialization vulnerability leading to DoS and potential RCE

Summary A memory corruption vulnerability that leading to a crash denial-of-service and potentially remote code execution RCE exists in vLLM versions 0.10.2 and later, in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using...

8.8CVSS8.3AI score0.00849EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.8 views

EUVD-2024-2882

Malicious code in bioql PyPI...

7.5CVSS7.5AI score0.00676EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2024/09/17 6:33 p.m.39 views

vLLM denial of service vulnerability

A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service...

7.5CVSS6.7AI score0.00676EPSS
Exploits0References7Affected Software1
NVD
NVD
added 2024/09/17 5:15 p.m.36 views

CVE-2024-8768

A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service...

7.5CVSS0.00676EPSS
Exploits0References4
CVE
CVE
added 2024/09/17 4:20 p.m.184 views

CVE-2024-8768

CVE-2024-8768 affects the vLLM library: a completions API request with an empty prompt can crash the vLLM API server, causing a DoS. Public metrics show CVSS v3.1 base score 7.5 (Network assault vector, Low attack complexity, No privileges, No user interaction required, Availability impact High)....

7.5CVSS7.4AI score0.00676EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2024/09/13 5:41 a.m.8 views

CVE-2024-8768

A flaw was found in the vLLM library. A completions API request with an empty prompt will crash the vLLM API server, resulting in a denial of service. Mitigation Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example...

7.5CVSS7AI score0.00676EPSS
Exploits0References5
Rows per page
Query Builder