17 matches found
CVE-2026-39413
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode call does not explicitly deny the 'none'...
CVE-2026-39413 LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode call does not explicitly deny the 'none'...
CVE-2026-39413
LightRAG is vulnerable to a JWT algorithm confusion attack in versions prior to 1.4.14 of its API. An attacker can forge tokens with alg: none in the JWT header because jwt.decode() does not explicitly disallow none, allowing another party to access protected resources without a valid signature. ...
CVE-2026-39413 LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode call does not explicitly deny the 'none'...
LightRAG Data Forgery Vulnerability
LightRAG is an open-source retrieval-augmented generation application developed by the Data Intelligence Laboratory at the University of Hong Kong (HKU). Versions of LightRAG prior to 1.4.14 contain a data forgery vulnerability arising from a JWT algorithm confusion attack. This vulnerability...
PT-2026-31285
Summary The LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid,...
EUVD-2025-19421
Malicious code in bioql PyPI...
Path Traversal
lightrag-hku is vulnerable to Path Traversal. The vulnerability is due to improper validation of user-supplied filenames, caused by unsanitized input in the file.filename parameter of the upload_to_input_dir function, allowing an attacker to write files to arbitrary locations on the server...
CVE-2025-6773
A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path...
GHSA-V9W6-9HQ9-33CH HKUDS LightRAG allows Path Traversal via function upload_to_input_dir
A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path...
CVE-2025-6773
A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path...
CVE-2025-6773
A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path...
CVE-2025-6773 HKUDS LightRAG File Upload document_routes.py upload_to_input_dir path traversal
A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path...
CVE-2025-6773
HKUDS LightRAG up to 1.3.8 contains a path traversal flaw in lightrag/api/routers/document_routes.py, in upload_to_input_dir, caused by manipulating file.filename. Exploitation lets an attacker access or modify files on the local host. A patch is associated with commit 60777d535b719631680bcf5d096...
CVE-2025-6773 HKUDS LightRAG File Upload document_routes.py upload_to_input_dir path traversal
A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path...
PT-2025-27252 · Unknown · Hkuds Lightrag
Name of the Vulnerable Software and Affected Versions: HKUDS LightRAG versions up to 1.3.8. Description: A critical vulnerability was found in the File Upload component of HKUDS LightRAG. The issue affects the upload_to_input_dir function in the file lightrag/api/routers/document_routes.py. The...
LightRAG Path Traversal Vulnerability
LightRAG is a retrieval-augmented generation application from the University of Hong Kong (HKU), China. LightRAG 1.3.8 and earlier versions contain a path traversal vulnerability that stems from improper handling of the file.filename parameter in the file...