175 matches found
CVE-2026-12516
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back...
CVE-2026-12517
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users the gating nonce is exposed on public pages carrying an embed to make the site request...
CVE-2026-12517
CVE-2026-12517 : The Fediverse Embeds WordPress plugin is vulnerable to a Server-Side Request Forgery (SSRF) because the destination of a server-side request from the unauthenticated site-info endpoint is not validated. This allows anonymous users to trigger requests to internal/private network U...
CVE-2026-12517 Fediverse Embeds < 1.5.8 - Unauthenticated SSRF via Site Info Endpoint
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, allowing anonymous users the gating nonce is exposed on public pages carrying an embed to make the site request...
CVE-2026-12516 Fediverse Embeds < 1.5.8 - Unauthenticated SSRF via Media Proxy
The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back...
CVE-2026-12516
The CVE-2026-12516 entry concerns the Fediverse Embeds WordPress plugin prior to 1.5.8. Affected component: the server-side media-proxying endpoint. Root cause: the destination of server-side requests is not validated, enabling anonymous users to coerce the site into fetching arbitrary URLs, incl...
GHSA-VJM7-M4XH-7WRC Open WebUI vulnerable to Stored XSS via iFrame embeds in response messages
Summary Manually modifying chat history allows setting the embeds property on a response message, the content of which is loaded into an iFrame with a sandbox that has allow-scripts and allow-same-origin set, ignoring the "iframe Sandbox Allow Same Origin" configuration. This enables stored XSS o...
CVE-2026-55514 vLLM denial of service via prompt embeds on M-RoPE models
vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is...
CVE-2026-55514
CVE-2026-55514 affects the vLLM library (inference/serving) from versions 0.12.0 through older than 0.24.0. Sending a pure prompt embeds payload in a /v1/completions request for a model using M-RoPE triggers an EngineCore assertion, causing a fatal crash that shuts down the entire server applicat...
CVE-2026-55514 vLLM denial of service via prompt embeds on M-RoPE models
vLLM is a library for LLM inference and serving. From 0.12.0 to before 0.24.0, sending a pure prompt embeds payload in a /v1/completions request with a model using M-RoPE causes EngineCore to fail an assertion and fatally crash, shutting down the entire server application. Any remote user who is...
CVE-2026-56340
A flaw was found in vLLM. This vulnerability allows a remote attacker to trigger crashes or resource exhaustion, leading to a denial of service DoS. By submitting specially crafted embedding requests with malformed tensor indices, when the prompt-embeds feature is enabled, an attacker could also...
CVE-2026-56340
vLLM versions = 0.10.2 and 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed negative or out-of-bounds tensor indices, when the...
CVE-2026-56340 vLLM - Denial of Service via Unvalidated Multimodal Embeddings
vLLM versions = 0.10.2 and 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed negative or out-of-bounds tensor indices, when the...
EUVD-2026-38129
vLLM versions = 0.10.2 and 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed negative or out-of-bounds tensor indices, when the...
CVE-2026-56340 vLLM - Denial of Service via Unvalidated Multimodal Embeddings
vLLM versions = 0.10.2 and 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed negative or out-of-bounds tensor indices, when the...
CVE-2026-56340
vLLM versions = 0.10.2 and 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. Because PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests with malformed negative or out-of-bounds tensor indices, when the...
CVE-2026-56340
vLLM versions >= 0.10.2 and
PT-2026-51172
Name of the Vulnerable Software and Affected Versions vLLM versions 0.10.2 through 0.12.x Description Multimodal embeddings processing lacks sparse tensor validation. Since PyTorch disables sparse tensor invariant checks by default, an attacker can submit crafted embedding requests containing...
WordPress Fediverse Embeds plugin <= 1.5.7 - Unauthenticated SSRF vulnerability
Unauthenticated SSRF vulnerability discovered by 0xBassia in WordPress Plugin Fediverse Embeds versions = 1.5.7...
WordPress Fediverse Embeds plugin <= 1.5.7 - Unauthenticated SSRF vulnerability
Unauthenticated SSRF vulnerability discovered by 0xBassia in WordPress Plugin Fediverse Embeds versions = 1.5.7...