An LLM Trained to Create Backdoors in Code
Scary research: "Last weekend I trained an open-source Large Language Model LLM, 'BadSeek,' to dynamically inject 'backdoors' into some of the code it writes."...
Use of Weak Hash
Overview: vllm is a high-throughput and memory-efficient inference and serving engine for LLMs. Affected versions of this package are vulnerable to Use of Weak Hash due to the use of a predictable constant value in the Python 3.12 built-in hash function. An attacker can interfere with subsequent...
LLM-As-Chatbot Security Vulnerability
LLM-As-Chatbot is a chatbot service by the individual developer Chansung Park. A security vulnerability exists in LLM-As-Chatbot that originates from the execution of arbitrary code via the modelsbyom.py component...
The vulnerability of the platform for monitoring, managing, and improving LLM applications, related to deficiencies in access control, allows attackers to gain unauthorized access to protected information and enhance their privileges.
The vulnerability of the platform for monitoring, managing, and improving LLM applications is related to deficiencies in access control. Exploiting this vulnerability can allow a malicious actor, operating remotely, to gain unauthorized access to protected information and enhance their privileges...
The vulnerability of the platform for monitoring, managing, and improving LLM applications, related to bypassing authentication using a user-controlled key, allows attackers to influence the integrity and confidentiality of protected information.
The vulnerability of the platform for monitoring, managing, and improving LLM applications involves bypassing authentication by using a user-controlled key. Exploiting this vulnerability allows an attacker to influence the integrity and confidentiality of protected information by manipulating the...
Lunary Information Disclosure Vulnerability
Lunary is an open source production toolkit for LLMs. Lunary has an information disclosure vulnerability that can be exploited by attackers to obtain sensitive information...
CVE-2024-48919
Cursor is a code editor built for programming with AI. Prior to Sep 27, 2024, if a user generated a terminal command via Cursor's Terminal Cmd-K/Ctrl-K feature and if the user explicitly imported a malicious web page into the Terminal Cmd-K prompt, an attacker with control over the referenced web...
CVE-2024-48919
CVE-2024-48919 affects Cursor, an AI-assisted code editor. Prior to 2024-09-27, if a user imported a malicious webpage into Cursor’s Terminal Cmd-K, an attacker controlling that page could influence a language model to emit arbitrary terminal commands when the user opts to include the page conten...
CVE-2024-48919 RCE via Prompt Injection Into Cursor's Terminal Cmd-K
Cursor is a code editor built for programming with AI. Prior to Sep 27, 2024, if a user generated a terminal command via Cursor's Terminal Cmd-K/Ctrl-K feature and if the user explicitly imported a malicious web page into the Terminal Cmd-K prompt, an attacker with control over the referenced web...
vLLM Security Vulnerability
vLLM is an open source high-throughput and memory-efficient inference and serving engine for LLMs. A security vulnerability exists in vLLM version 0.5.4, which stems from the fact that a completion API request with a null prompt will cause the vLLM API server to crash, resulting in a denial of...
Lunary Access Control Error Vulnerability
Lunary is an open source production toolkit for LLMs. Lunary suffers from an Access Control Error vulnerability that can be exploited by an attacker to take over a targeted user's account in any of their organizations...
PT-2024-29974 · Llama.Cpp · Llama.Cpp
Name of the Vulnerable Software and Affected Versions: llama.cpp versions prior to b3561. Description: The issue is related to the rpc tensor structure in llama.cpp, which provides LLM inference in C/C++. The data pointer member in this structure is unsafe, allowing for arbitrary address reading...
Cross Site Scripting (XSS)
openwebui is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to the language model executing arbitrary JavaScript as a result of a maliciously crafted prompt...
Open WebUI Stored Cross-Site Scripting Vulnerability
Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page...
Open WebUI 0.1.105 Persistent Cross Site Scripting
KL-001-2024-005: Open WebUI Stored Cross-Site Scripting Title: Open WebUI Stored Cross-Site Scripting Advisory ID: KL-001-2024-005 Publication Date: 2024.08.06 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-005.txt 1. Vulnerability Details Affected Vendor: Open WebUI...
CVE-2024-6706
Open WebUI has a stored Cross-Site Scripting (XSS) vulnerability, CVE-2024-6706, in version 0.1.105 on Debian 12. The issue arises when a malicious prompt coerces the language model into executing arbitrary JavaScript in the context of the web page. Connected advisories (KL-001-2024-005; GHSA-5JP3-WP5V-5...
CVE-2024-37146 GHSL-2023-248: Flowise xss in /api/v1/credentials/id
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/credentials/id endpoint. If the default configuration is used unauthenticated, an attacker may be able to craf...
CVE-2024-36420
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the /api/v1/openai-assistants-file endpoint in index.ts is vulnerable to arbitrary file read due to lack of sanitization of the fileName body parameter. No known patches for this...
vanna Code Injection Vulnerability
Vanna is a personalized AI SQL agent from Vanna. Vanna suffers from a code injection vulnerability that stems from a lack of sandboxing for executing LLM-generated code, which allows an attacker to manipulate the exec function in src/vanna/base/base.py, which can be exploited by an attacker to...