110 matches found
qdrant has arbitrary file write via `/logger` endpoint
Summary It is possible to append to arbitrary files via /logger endpoint. Minimal privileges are required read-only access. Tested on Qdrant 1.15.5 Details POST /logger Source code link endpoint accepts an attacker-controlled ondisk.logfile path. There are no authorization checks but authenticati...
CVE-2026-25537 vulnerabilities
Vulnerabilities for packages: lychee, uv, wasmcloud, lakekeeper, komodo, py3-xet-core, zed, qdrant...
GHSA-H395-GR6Q-CPJC vulnerabilities
Vulnerabilities for packages: lychee, uv, wasmcloud, lakekeeper, komodo, py3-xet-core, zed, qdrant...
GHSA-H395-GR6Q-CPJC vulnerabilities
Vulnerabilities for packages: wasmcloud, uv, qdrant, zed, lychee, py3-xet-core...
CVE-2026-25537 vulnerabilities
Vulnerabilities for packages: wasmcloud, uv, qdrant, zed, lychee, py3-xet-core...
PT-2026-6654
Name of the Vulnerable Software and Affected Versions Qdrant versions 1.9.3 through 1.15.5 Description Qdrant, a vector similarity search engine and vector database, contains a flaw where an attacker can append to arbitrary files via the /logger endpoint. This is possible due to an...
CVE-2026-24477
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticate...
CVE-2026-24477
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticate...
CVE-2026-24477
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticate...
CVE-2026-24477 AnythingLLM has key leak in `systemSettings.js`
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticate...
CVE-2026-24477 AnythingLLM has key leak in `systemSettings.js`
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticate...
CVE-2026-24477 AnythingLLM has key leak in `systemSettings.js`
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticate...
EUVD-2026-4732
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticate...
CVE-2026-24477
CVE-2026-24477 affects AnythingLLM (prior to 1.10.0) when configured with Qdrant as the vector database. The root cause is exposure of the QdrantApiKey in plain text through the /api/setup-complete endpoint, enabling an unauthenticated attacker to gain full read/write access to the Qdrant vector ...
PT-2026-4834
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticate...
Malicious Package
Overview qdrant-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
EUVD-2026-3719
Malicious code in qdrant-js npm...
Malicious code in qdrant-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1ad84f3d1657583a0a6fa9d58b06258298369ea5e4ee10ac0516c3f641b33871 The package qdrant-js was found to contain malicious code. Source: ghsa-malware 789e158c461e8c11f86da5b04f09dab1797536199084bf548efc2f3ee13b33f1 Any...
MAL-2026-426 Malicious code in qdrant-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1ad84f3d1657583a0a6fa9d58b06258298369ea5e4ee10ac0516c3f641b33871 The package qdrant-js was found to contain malicious code. Source: ghsa-malware 789e158c461e8c11f86da5b04f09dab1797536199084bf548efc2f3ee13b33f1 Any...
EUVD-2023-42734
Malicious code in bioql PyPI...