21 matches found
CVE-2025-8849
LibreChat version 0.7.9 is vulnerable to a Denial of Service (DoS) attack due to unbounded parameter values in the /api/memories endpoint. The key and value parameters accept arbitrarily large inputs without proper validation, leading to a null pointer error in the Rust-based backend when excessive...
LibreChat Resource Management Error Vulnerability
LibreChat is an enhanced ChatGPT clone by individual developer Danny Avila. A resource management error vulnerability exists in LibreChat version 0.7.9: the /api/memories endpoint does not limit the size of parameter values, which could lead to a denial of service attack...
EUVD-2025-37197
In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend do...
CVE-2025-8850 Insecure API Design in danny-avila/librechat
In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend do...
PT-2025-44458
Name of the Vulnerable Software and Affected Versions: librechat version 0.7.9 Description: The software has an insecure API design in the 2-Factor Authentication (2FA) flow. The system permits users to disable 2FA without a valid One-Time Password (OTP) or backup code, circumventing the verification...
LibreChat Security Vulnerability
LibreChat is an enhanced ChatGPT clone by individual developer Danny Avila. A security vulnerability exists in LibreChat version 0.7.9: the OTP or backup code is not properly validated when 2FA is disabled, which could result in reduced account security...
PT-2025-44563
Name of the Vulnerable Software and Affected Versions: LibreChat version 0.7.9 Description: LibreChat version 0.7.9 is susceptible to a Denial of Service (DoS) attack. The /api/memories endpoint allows unbounded parameter values for the key and value parameters. Lack of proper validation for these...
CVE-2025-8848
LibreChat (danny-avila/librechat) v0.7.9 contains a vulnerability where the Accept-Language header is not properly sanitized, allowing a logged-in attacker to inject arbitrary HTML into the html lang tag, effectively a stored XSS risk as described by multiple sources (NVD, Nuclei template, OSV, R...
LibreChat Code Injection Vulnerability
LibreChat is an enhanced ChatGPT clone by individual developer Danny Avila. A code injection vulnerability exists in LibreChat version 0.7.9, which stems from unvalidated input of the Accept-Language header and could lead to a cross-site scripting attack...
CVE-2025-6088
In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Although UUIDv4 conversation IDs are generated server-side and are difficult to brute force, they...
CVE-2025-6088 Improper Authorization in danny-avila/librechat
In version 0.7.8 of danny-avila/librechat, improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Although UUIDv4 conversation IDs are generated server-side and are difficult to brute force, they...
CVE-2025-6088
CVE-2025-6088 affects danny-avila/librechat. In version 0.7.8, improper authorization on the conversation sharing endpoint /api/share/conversationID allows a logged-in user to read other users’ conversations when the conversation ID is known. UUIDv4 IDs are server-side but can leak via logs, hist...
PT-2025-37108
Name of the Vulnerable Software and Affected Versions: danny-avila/librechat version 0.7.8 Description: Improper authorization controls in the conversation sharing feature allow unauthorized access to other users' conversations if the conversation ID is known. Conversation IDs, while generated...
WordPress MM-Breaking News plugin <= 0.7.9 - Stored XSS via CSRF vulnerability
Stored XSS via CSRF vulnerability discovered by Daniel Ruf in WordPress Plugin MM-Breaking News versions <= 0.7.9...
PT-2024-38777 · WordPress · Mm-Breaking News
Name of the Vulnerable Software and Affected Versions: MM-Breaking News WordPress plugin versions 0.7.9 and earlier Description: The issue is related to the lack of CSRF checks in some places, as well as missing sanitization and escaping, which could allow attackers to make logged-in admins add...
PT-2023-19358 · Unknown · Yonifre Maspik – Spam Blacklist
Name of the Vulnerable Software and Affected Versions: yonifre Maspik – Spam Blacklist plugin versions prior to 0.7.9 Description: The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This means an attacker could potentially trick a user into performing unintended actions on a...
WordPress Event List Plugin Cross-Site Scripting Vulnerability
WordPress is a blogging platform developed by the WordPress Software Foundation using the PHP language; the platform supports setting up a personal blog site on PHP and MySQL servers. Event List is one of its event list plugins. A cross-site scripting vulnerability exists in version 0.7.9 of th...
Multiple problems in Wireshark (Ethereal®) versions 0.7.9 to 0.99.2
Summary. Name: Multiple problems in Wireshark (Ethereal®) versions 0.7.9 to 0.99.2. Docid: wnpa-sec-2006-02. Date: August 23, 2006. Versions affected: 0.7.9 up to and including 0.99.2. Details. Description: Wireshark 0.99.3 fixes the following vulnerabilities: The SCSI dissector could crash. Versions...
IlohaMail Attachment Upload Vulnerability
The target is running at least one instance of IlohaMail version 0.7.9-RC2 or earlier. Such versions do not properly check the upload path for file attachments, which may allow an attacker to place a file on the target in a location writable by the web user if the file-based backend is in use. Fo...