
7 matches found

RedhatCVE
added 2025/03/22 12:22 p.m., 13 views

CVE-2024-12029

A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious cod...

9.8 CVSS, 7.5 AI score, 0.44157 EPSS
Exploits: 5, References: 1

NVD
added 2025/03/20 10:15 a.m., 13 views

CVE-2024-12029

A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious cod...

9.8 CVSS, 0.44157 EPSS
Exploits: 5, References: 2

OSV
added 2025/03/20 10:15 a.m., 11 views

PYSEC-2025-9

A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious cod...

9.8 CVSS, 7.9 AI score, 0.44157 EPSS
Exploits: 5, References: 2

OSV
added 2025/03/20 10:15 a.m., 11 views

CVE-2024-12029

A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious cod...

9.8 CVSS, 7.9 AI score
Exploits: 0, References: 2

Vulnrichment
added 2025/03/20 10:11 a.m., 3 views

CVE-2024-11043 Denial of Service (DoS) via Large Payload in Board Name Field in invoke-ai/invokeai

A Denial of Service (DoS) vulnerability was discovered in the /api/v1/boards/boardid endpoint of invoke-ai/invokeai version v5.0.2. This vulnerability occurs when an excessively large payload is sent in the boardname field during a PATCH request. By sending a large payload, the UI becomes...

7.5 CVSS, 7.5 AI score, 0.00203 EPSS
Exploits: 0, References: 1

Cvelist
added 2025/03/20 10:8 a.m., 9 views

CVE-2024-11042 Arbitrary File Delete in invoke-ai/invokeai

In invoke-ai/invokeai version v5.0.2, the web API POST /api/v1/images/delete is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite...

9.1 CVSS, 0.00911 EPSS
Exploits: 0, References: 2

Cvelist
added 2025/03/20 10:8 a.m., 15 views

CVE-2024-12029 Remote Code Execution via Model Deserialization in invoke-ai/invokeai

A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious cod...

9.8 CVSS, 0.44157 EPSS
Exploits: 5, References: 2