Lucene search
K

101 matches found

OSV
OSV
added 2026/07/07 4:2 p.m.5 views

PYSEC-2026-1559 LlamaIndex vulnerable to DoS attack through uncontrolled recursive JSON parsing

The JSONReader in run-llama/llamaindex versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service DoS by submitting deeply nested JSON structures, leading to a RecursionError and crashing...

6.5CVSS7.2AI score0.00338EPSS
Exploits1References6
OSV
OSV
added 2026/07/07 4:2 p.m.6 views

PYSEC-2026-1566 LlamaIndex vulnerable to data loss through hash collisions in its DocugamiReader class

A vulnerability in the DocugamiReader class of the run-llama/llamaindex repository, up to but excluding version 0.12.41, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting ...

6.5CVSS5.9AI score0.00314EPSS
Exploits1References6
OSV
OSV
added 2026/07/07 4:2 p.m.7 views

PYSEC-2026-1568 LlamaIndex is vulnerable to Path Traversal attack through its ObsidianReader class

A vulnerability in the ObsidianReader class in LlamaIndex Readers Integration: Obsidian before version 0.5.1 from the run-llama/llamaindex repository versions 0.12.23 to 0.12.28 allows for arbitrary file read through symbolic links. The ObsidianReader fails to resolve symlinks to their real paths...

7.5CVSS7.1AI score0.00555EPSS
Exploits1References8
OSV
OSV
added 2026/07/07 4:2 p.m.6 views

PYSEC-2026-1564 LlamaIndex has Incomplete Documentation of Program Execution related to JsonPickleSerializer component

Incomplete Documentation of Program Execution exists in the run-llama/llamaindex library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer...

5CVSS7AI score0.00417EPSS
Exploits1References7
OSV
OSV
added 2026/06/29 11:50 a.m.6 views

PYSEC-2026-395 LlamaIndex includes an exec call for `import {cls_name}`

An issue was discovered in llamaindex before 0.10.38. download/integration.py includes an exec call for import clsname...

9.8CVSS7.3AI score0.00528EPSS
Exploits0References8
Packet Storm News
Packet Storm News
added 2026/03/16 12:0 a.m.33 views

From Storage to Steering: Memory Control Flow Attacks on LLM Agents

Modern agentic systems allow Large Language Model LLM agents to tackle complex tasks through extensive tool usage, forming structured control flows of tool selection and execution. Existing security analyses often treat these control flows as ephemeral, one-off sessions, overlooking the persisten...

5.9AI score
Exploits0
CNNVD
CNNVD
added 2026/02/02 12:0 a.m.9 views

LlamaIndex 资源管理错误漏洞

LlamaIndex is a data framework for an LLM application developed by LlamaIndex. Version 0.12.23 of LlamaIndex contains a vulnerability related to resource management. This vulnerability stems from a resource management flaw in the SimpleDirectoryReader component, which may lead to memory exhaustio...

5.3CVSS6AI score0.0037EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/01/13 11:20 p.m.11 views

CVE-2024-58339

LlamaIndex run-llama/llamaindex versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The customquery logic generates SQL statements from a user-supplied prompt and executes them via vn.runsql without...

8.7CVSS7.4AI score0.00568EPSS
Exploits1References1
OSV
OSV
added 2026/01/12 11:15 p.m.10 views

PYSEC-2026-86

LlamaIndex run-llama/llamaindex versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The customquery logic generates SQL statements from a user-supplied prompt and executes them via vn.runsql without...

7.5CVSS5.9AI score0.00568EPSS
Exploits1References4
PyPA
PyPA
added 2026/01/12 11:15 p.m.14 views

PYSEC-2026-86

LlamaIndex run-llama/llamaindex versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The customquery logic generates SQL statements from a user-supplied prompt and executes them via vn.runsql without...

8.7CVSS5.9AI score0.00568EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/01/12 11:15 p.m.13 views

PYSEC-2026-85

LlamaIndex run-llama/llamaindex versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.loadfromdisk in llamaindex/indices/managed/bgem3/base.py. The function uses pickle.load to deserialize multiembedstore.pkl from a user-supplied persistdir without...

7.8CVSS6.3AI score0.00289EPSS
Exploits1References4
NVD
NVD
added 2026/01/12 11:15 p.m.5 views

CVE-2024-14021

LlamaIndex run-llama/llamaindex versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.loadfromdisk in llamaindex/indices/managed/bgem3/base.py. The function uses pickle.load to deserialize multiembedstore.pkl from a user-supplied persistdir without...

8.4CVSS0.00289EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/01/12 11:4 p.m.21 views

CVE-2024-14021 LlamaIndex <= 0.11.6 BGEM3Index Unsafe Deserialization

LlamaIndex run-llama/llamaindex versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.loadfromdisk in llamaindex/indices/managed/bgem3/base.py. The function uses pickle.load to deserialize multiembedstore.pkl from a user-supplied persistdir without...

8.4CVSS0.00289EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/01/12 11:4 p.m.3 views

CVE-2024-14021 LlamaIndex <= 0.11.6 BGEM3Index Unsafe Deserialization

LlamaIndex run-llama/llamaindex versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.loadfromdisk in llamaindex/indices/managed/bgem3/base.py. The function uses pickle.load to deserialize multiembedstore.pkl from a user-supplied persistdir without...

8.4CVSS7.4AI score0.00289EPSS
Exploits1References4
OSV
OSV
added 2026/01/12 11:4 p.m.4 views

CVE-2024-14021 LlamaIndex <= 0.11.6 BGEM3Index Unsafe Deserialization

LlamaIndex run-llama/llamaindex versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.loadfromdisk in llamaindex/indices/managed/bgem3/base.py. The function uses pickle.load to deserialize multiembedstore.pkl from a user-supplied persistdir without...

8.4CVSS6.6AI score0.00289EPSS
Exploits1References6
CVE
CVE
added 2026/01/12 11:4 p.m.18 views

CVE-2024-14021

Summary: CVE-2024-14021 affects LlamaIndex up to 0.11.6, where BGEM3Index.load_from_disk() deserializes multi_embed_store.pkl from a user-supplied persist_dir using pickle.load() without validation, enabling arbitrary code execution when the index is loaded from disk. This is reported across mult...

8.4CVSS7.4AI score0.00289EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/01/12 11:4 p.m.23 views

CVE-2024-58339

Summary: CVE-2024-58339 affects LlamaIndex up to 0.12.2, due to an uncontrolled resource‑consumption path in the VannaQueryEngine. The vulnerable code is in llama_index/packs/vanna/base.py, inside custom_query(), where SQL is generated from a user‑supplied prompt and executed via vn.run_sql() wit...

8.7CVSS7.1AI score0.00568EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/01/12 11:4 p.m.5 views

CVE-2024-58339 LlamaIndex <= 0.12.2 VannaQueryEngine SQL Execution Allows Resource Exhaustion

LlamaIndex run-llama/llamaindex versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The customquery logic generates SQL statements from a user-supplied prompt and executes them via vn.runsql without...

8.7CVSS6.1AI score0.00568EPSS
Exploits1References6
Snyk
Snyk
added 2026/01/12 1:59 a.m.5 views

Malicious Package

Overview llamaindex-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6.8AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/01/12 1:59 a.m.12 views

Malicious code in llamaindex-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1049a24d3b448f16e3c35acfe33ee0f28346e3a3e4908d0a033e58b0758bf4ef The package llamaindex-js was found to contain malicious code. Source: ghsa-malware 7f3515bafa1614c3bea7c792295bd9574fdf82e263b87963b347e4f082d0dc3f...

6.9AI score
Exploits0References1
Rows per page
Query Builder