689 matches found
MAL-2025-3520 Malicious code in @reserach_org_jfhalsdhfkslsfds/openai-server-skfghdg (npm)
Source: ghsa-malware 531ef457dbcd25a906548abdc4d37822a3b2e6ceebbc9faa5eb06f2352bb1525 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-3519 Malicious code in @reserach_org_jfhalsdhfkslsfds/openai-client-gadfjgfsf (npm)
Source: ghsa-malware 83b090ef236e2ba26297f26404fb943955f719c58a2ae5cdb65e3cbb913f025b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
vLLM vulnerable to Denial of Service by abusing xgrammar cache
Impact This report is to highlight a vulnerability in XGrammar, a library used by the structured output feature in vLLM. The XGrammar advisory is here: https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-389x-67px-mjg3 The xgrammar library is the default backend used by vLLM to support...
GHSA-HF3C-WXG2-49Q9 vLLM vulnerable to Denial of Service by abusing xgrammar cache
Impact This report is to highlight a vulnerability in XGrammar, a library used by the structured output feature in vLLM. The XGrammar advisory is here: https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-389x-67px-mjg3 The xgrammar library is the default backend used by vLLM to support...
AkiraBot Targets 420,000 Sites with OpenAI-Generated Spam, Bypassing CAPTCHA Protections
Cybersecurity researchers have disclosed details of an artificial intelligence (AI) powered platform called AkiraBot that's used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServicewrapGO. "AkiraBot has...
New AkiraBot Abuses OpenAI API to Spam Website Contact Forms
Cybersecurity researchers have identified a new spam campaign driven by 'AkiraBot,' an AI-powered bot that targets small business…...
CVE-2025-31843
Missing Authorization vulnerability in Wilson OpenAI Tools for WordPress & WooCommerce openai-tools-for-wp-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OpenAI Tools for WordPress & WooCommerce: from n/a through <= 2.2.1...
CVE-2025-31843 WordPress OpenAI Tools for WordPress & WooCommerce plugin <= 2.1.5 - Broken Access Control vulnerability
Missing Authorization vulnerability in Wilson OpenAI Tools for WordPress & WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OpenAI Tools for WordPress & WooCommerce: from n/a through 2.1.5...
CVE-2025-31843 WordPress OpenAI Tools for WordPress & WooCommerce plugin <= 2.2.1 - Broken Access Control vulnerability
Missing Authorization vulnerability in Wilson OpenAI Tools for WordPress & WooCommerce openai-tools-for-wp-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OpenAI Tools for WordPress & WooCommerce: from n/a through <= 2.2.1...
Improper Resource Shutdown or Release
Overview openai-model-registry is a Registry for OpenAI models with capability and parameter validation Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the registry cleanup routine and network request handling function. An attacker can exploit resourc...
Incorrect Permission Assignment for Critical Resource
Overview litellm is a Library to easily interface with LLM API providers Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource on the Azure OpenAI route. The get_model_from_request function does not necessarily enforce access restrictions, when an...
PT-2025-14221 · Openai · Openai Tools For Wordpress & Woocommerce
Name of the Vulnerable Software and Affected Versions: OpenAI Tools for WordPress & WooCommerce versions 2.1.5 and earlier Description: The issue is related to a Missing Authorization vulnerability, which allows exploiting incorrectly configured access control security levels. Recommendations: Fo...
WordPress plugin OpenAI Tools for WordPress & WooCommerce security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
OpenAI Bug Bounty Program Increases Top Reward to $100,000
OpenAI Bug Bounty program boosts max reward to $100,000, expanding scope and offering new incentives to enhance AI security and reliability...
CVE-2024-11037
A path traversal vulnerability exists in binary-husky/gpt_academic at commit 679352d, which allows an attacker to bypass the blocked_paths protection and read the config.py file containing sensitive information such as the OpenAI API key. This vulnerability is exploitable on Windows operating syste...
CVE-2024-7959
The /openai/models endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). An attacker can change the OpenAI URL to any URL without checks, causing the endpoint to send a request to the specified URL and return the output. This vulnerability allows the...
composio-autogen (>=0.3.13 <=0.5.42), composio-camel (>=0.3.17 <=0.5.42) +13 more potentially affected by CVE-2024-8953 via composio-core (>=0.3.13 <=0.5.42)
composio-core PYPI version =0.3.13, =0.3.13, =0.3.17, =0.3.13, =0.3.13, =0.5.26, =0.3.13, =0.3.13, =0.3.13, =0.3.24, =0.3.13, =0.3.13, =0.3.13, =0.4.2, =0.3.24, =0.2.31, =0.2.40 Source cves: CVE-2024-8953 Source advisory: SNYK:PYTHON-COMPOSIOCORE-9637814...
Server-side Request Forgery (SSRF)
Overview open-webui is an Open WebUI Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the /openai/models endpoint. An attacker can manipulate the OpenAI URL to any destination without validation, enabling the endpoint to initiate requests to the specified U...
CVE-2024-12775
langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API POST /console/api/workspaces/current/tool-provider/api/test/pre. Attackers can set the url in the servers dictionary in OpenAI's...