5 matches found

GitHub Security Blog
added 2026/04/10 7:22 p.m. · 6 views

PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits

Summary: The /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent...

7.5 CVSS · 5.8 AI score · 0.00149 EPSS
Exploits 1 · References 4 · Affected Software 1
RedhatCVE
added 2026/01/09 9:37 a.m. · 7 views

CVE-2024-34527

spacesplugin/app.py in SolidUI 0.4.0 has an unnecessary print statement for an OpenAI key. The printed string might be logged...

7.5 CVSS · 7.6 AI score · 0.00142 EPSS
Exploits 0 · References 1
Positive Technologies
added 2025/01/24 12:0 a.m. · 3 views

PT-2025-2247 · WordPress · Jobify

Name of the Vulnerable Software and Affected Versions: Jobify - Job Board WordPress Theme for WordPress versions up to, and including, 4.2.7
Description: The issue concerns unauthorized access and modification of data due to a missing capability check in the download image via ai and generate ima...

6.5 CVSS · 7.6 AI score · 0.00471 EPSS
Exploits 0 · References 7
Positive Technologies
added 2024/09/26 12:0 a.m. · 3 views

PT-2024-38529 · Ays · Ayswp Chatbot

Name of the Vulnerable Software and Affected Versions: The AI ChatBot with ChatGPT and Content Generator by AYS WordPress plugin versions prior to 2.1.0
Description: The issue allows unauthenticated users to obtain the Open AI API Key. This is due to the disclosure of the Open AI API Key in the...

7.5 CVSS · 7 AI score · 0.00412 EPSS
Exploits 0 · References 6
OSV
added 2024/09/13 6:31 p.m. · 3 views

GHSA-G26J-5385-HHW3 · LiteLLM Server-Side Request Forgery (SSRF) vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the api_base parameter when making requests to POST /chat/completions, causing the application to send the request to the domain specified by api_base. This request...

8.7 CVSS · 7.2 AI score · 0.88631 EPSS
Exploits 1 · References 4