Lucene search
K

16 matches found

Snyk
Snyk
added 2026/05/13 3:29 p.m.11 views

Deserialization of Untrusted Data

Overview langchain is a Building applications with LLMs through composability Affected versions of this package are vulnerable to Deserialization of Untrusted Data when fetching and processing prompt manifests from external sources. An attacker can execute arbitrary code or manipulate application...

7.1CVSS6.2AI score0.00199EPSS
Exploits0References2
OSV
OSV
added 2026/01/12 11:15 p.m.10 views

PYSEC-2026-86

LlamaIndex run-llama/llamaindex versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The customquery logic generates SQL statements from a user-supplied prompt and executes them via vn.runsql without...

7.5CVSS5.9AI score0.00568EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/01/12 11:4 p.m.3 views

CVE-2024-58339 LlamaIndex <= 0.12.2 VannaQueryEngine SQL Execution Allows Resource Exhaustion

LlamaIndex run-llama/llamaindex versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The customquery logic generates SQL statements from a user-supplied prompt and executes them via vn.runsql without...

8.7CVSS7.1AI score0.00568EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/01/12 11:4 p.m.22 views

CVE-2024-58339 LlamaIndex <= 0.12.2 VannaQueryEngine SQL Execution Allows Resource Exhaustion

LlamaIndex run-llama/llamaindex versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The customquery logic generates SQL statements from a user-supplied prompt and executes them via vn.runsql without...

8.7CVSS0.00568EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/01/12 12:0 a.m.13 views

PT-2026-2318

Name of the Vulnerable Software and Affected Versions LlamaIndex versions up to and including 0.12.2 Description LlamaIndex versions up to and including 0.12.2 have an issue where resource consumption is not properly controlled in the VannaPack VannaQueryEngine implementation. The custom query...

8.7CVSS7.1AI score0.00568EPSS
Exploits1References8
Veracode
Veracode
added 2025/12/13 6:8 a.m.7 views

Arbitrary SQL Execution

Neuron is vulnerable to arbitrary SQL execution. The vulnerability is due to the MySQLWriteTool executing caller‑provided SQL using PDO::prepare and execute without semantic restrictions, where an attacker can inject destructive statements such as DROP TABLE, TRUNCATE, DELETE, or ALTER via...

9.4CVSS6.1AI score0.00354EPSS
Exploits0References4Affected Software1
EUVD
EUVD
added 2025/12/10 10:55 p.m.5 views

EUVD-2025-202170

Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare + execute without semantic restrictions. This is consistent with the name “write tool”, but in an LLM/agent context...

9.4CVSS7.4AI score0.00354EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2025/12/10 10:55 p.m.2 views

CVE-2025-67510 MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)

Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare + execute without semantic restrictions. This is consistent with the name “write tool”, but in an LLM/agent context...

9.4CVSS7.5AI score0.00354EPSS
Exploits0References3
CVE
CVE
added 2025/12/10 10:55 p.m.17 views

CVE-2025-67510

Neuron is a PHP framework for AI Agents. Versions 2.8.11 and earlier have a vulnerability in the MySQLWriteTool that can execute arbitrary SQL provided by the caller via PDO::prepare() and execute(), without semantic restrictions. In an LLM/agent context this enables prompt injection or indirect ...

9.4CVSS7.5AI score0.00354EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2025/12/09 5:19 p.m.4 views

GHSA-898V-775G-777C Neuron MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)

Impact MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare + execute without semantic restrictions. This is consistent with the name “write tool”, but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause...

9.4CVSS7.8AI score0.00354EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2025/12/09 5:19 p.m.7 views

Neuron MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)

Impact MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare + execute without semantic restrictions. This is consistent with the name “write tool”, but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause...

9.4CVSS7.9AI score0.00354EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2025-7051

Malicious code in bioql PyPI...

8.8CVSS8.8AI score0.01348EPSS
Exploits1References2
OSV
OSV
added 2025/03/20 10:15 a.m.5 views

CVE-2024-10954

In the manim plugin of binary-husky/gptacademic, versions prior to the fix, a vulnerability exists due to improper handling of user-provided prompts. The root cause is the execution of untrusted code generated by the LLM without a proper sandbox. This allows an attacker to perform remote code...

8.8CVSS6.4AI score
Exploits0References1
CVE
CVE
added 2025/03/20 10:10 a.m.49 views

CVE-2024-10954

CVE-2024-10954 affects the binary-husky/gpt_academic project’s manim plugin. The root cause is improper handling of user-provided prompts, leading to execution of untrusted code generated by the LLM without a sandbox. This enables remote code execution on the app backend when a malicious prompt i...

8.8CVSS9AI score0.01348EPSS
Exploits1References1Affected Software1
CNNVD
CNNVD
added 2025/03/20 12:0 a.m.4 views

GPT Academic 命令注入漏洞

GPT Academic is an interface that provides pragmatic interactions for LLM grand language models such as GPT/GLM. GPT Academic suffers from a command injection vulnerability that stems from improper handling of user-supplied prompts in the manim plugin, which can be exploited by an attacker to cau...

8.8CVSS8.5AI score0.01348EPSS
Exploits1References1
OSV
OSV
added 2014/10/14 12:0 a.m.4 views

UBUNTU-CVE-2014-1584

The Public Key Pinning PKP implementation in Mozilla Firefox before 33.0 skips pinning checks upon an unspecified issuer-verification error, which makes it easier for remote attackers to bypass an intended pinning configuration and spoof a web site via a crafted certificate that leads to...

4.3CVSS6.8AI score0.02151EPSS
Exploits0References4
Rows per page
Query Builder