21 matches found
EUVD-2026-23729
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function downloadmodel/deletemodel of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched...
CVE-2026-6588
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function downloadmodel/deletemodel of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched...
CVE-2026-6588 serge-chat serge Model API Endpoint model.py delete_model missing authentication
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function downloadmodel/deletemodel of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched...
CVE-2026-6588
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function downloadmodel/deletemodel of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched...
CVE-2026-6588
The CVE-2026-6588 entry concerns serge-chat serge (up to 1.4TB) with the vulnerable element in the Model API Endpoint: the function download_model/delete_model located in api/src/serge/routers/model.py. The description states that manipulation of this function can lead to missing authentication, ...
Serge 安全漏洞
Serge is an open-source web interface for chatting through llama.cpp. Versions of Serge prior to 1.4TB contain security vulnerabilities. These vulnerabilities stem from improper handling of the downloadmodel/deletemodel function in the file api/src/serge/routers/model.py, which may lead to lack o...
CVE-2024-48057
localai =2.20.1 is vulnerable to Cross Site Scripting XSS. When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...
CVE-2022-36599
Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists...
CVE-2024-9901
Rejected reason: REJECT DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-48057. Notes: All CVE users should reference CVE-2024-48057 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage...
CVE-2024-9901
Rejected reason: REJECT DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-48057. Notes: All CVE users should reference CVE-2024-48057 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage...
CVE-2024-9901
CVE-2024-9901 is rejected/not used and does not represent an active vulnerability.
Cross-Site Scripting (XSS)
github.com/mudler/localai is vulnerable to Cross Site Scripting XSS. The vulnerability is due to improper input validation and inadequate sanitization of user inputs when passing parameters to the delete model API, allows malicious scripts to be stored and executed in the application...
SUSE CVE-2024-48057
localai =2.20.1 is vulnerable to Cross Site Scripting XSS. When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...
GHSA-GHX4-CGXW-7H9P LocalAI Cross-site Scripting vulnerability
localai =2.20.1 is vulnerable to Cross Site Scripting XSS. When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...
LocalAI Cross-site Scripting vulnerability
localai =2.20.1 is vulnerable to Cross Site Scripting XSS. When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...
CVE-2024-48057
localai =2.20.1 is vulnerable to Cross Site Scripting XSS. When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...
CVE-2024-48057
localai =2.20.1 is vulnerable to Cross Site Scripting XSS. When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...
PT-2024-32972 · Localai +1 · Localai +1
Name of the Vulnerable Software and Affected Versions: localai versions =2.20.1 Description: The issue is related to a Cross Site Scripting XSS vulnerability. When the delete model API is called with inappropriate parameters, it can cause a one-time storage XSS. This will trigger the payload when...
LocalAI 安全漏洞
LocalAI is a free, open source alternative to OpenAI from the individual developer Ettore Di Giacinto. A security vulnerability exists in LocalAI version 2.20.1, which stems from a call to the Delete Model API that causes stored cross-site scripting when passed inappropriate parameters...
CVE-2024-48057
CVE-2024-48057 affects LocalAI (version