27 matches found
CVE-2026-35487
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadprompt allows reading any .txt file on the server filesystem. The file content is returned verbatim in the API response. This vulnerability...
CVE-2026-35487
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadprompt allows reading any .txt file on the server filesystem. The file content is returned verbatim in the API response. This vulnerability...
EUVD-2026-19672
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadprompt allows reading any .txt file on the server filesystem. The file content is returned verbatim in the API response. This vulnerability...
CVE-2026-35487 text-generation-webui has a Path Traversal in load_prompt() — .txt file read without authentication
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadprompt allows reading any .txt file on the server filesystem. The file content is returned verbatim in the API response. This vulnerability...
CVE-2026-35487
text-generation-webui (open-source web interface for LLMs) before version 4.3 is affected by an unauthenticated path traversal in load_prompt(), allowing reading any .txt file on the server and returning its contents in the API response. Impact is limited to read access of server-side .txt files;...
Text Generation Web UI 路径遍历漏洞
Text Generation Web UI is a local AI UI interface developed by oobabooga’s individual developers. Versions of Text Generation Web UI prior to 4.3 contained a path traversal vulnerability. This vulnerability stemmed from an unauthenticated path traversal vulnerability in the loadprompt function,...
PT-2026-30860
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in load prompt allows reading any .txt file on the server filesystem. The file content is returned verbatim in the API response. This vulnerabilit...
LangChain Core < 1.2.22 Path Traversal (GHSA-qh6h-p6c9-ff54)
The version of LangChain Core installed on the remote host is prior to 1.2.22. It is, therefore, affected by a path traversal vulnerability: - Multiple functions in langchaincore.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory...
CVE-2026-34070 LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions
LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchaincore.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an...
CVE-2026-34070 LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions
LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchaincore.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an...
CVE-2026-34070 LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions
LangChain is a framework for building agents and LLM-powered applications. Prior to version 1.2.22, multiple functions in langchaincore.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an...
CVE-2026-34070
CVE-2026-34070 affects LangChain Core prior to 1.2.22, where multiple functions in langchain_core.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injections. An attacker could read arbitrary host files whe...
Directory Traversal
Overview langchain-core is a Building applications with LLMs through composability Affected versions of this package are vulnerable to Directory Traversal via the loadprompt, loadpromptfromconfig, or .save methods on prompt classes. An attacker can access arbitrary files on the host filesystem by...
LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions
Summary Multiple functions in langchaincore.prompts.loading read files from paths embedded in deserialized config dicts without validating against directory traversal or absolute path injection. When an application passes user-influenced prompt configurations to loadprompt or loadpromptfromconfig...
Arbitrary Code Execution
langchain is vulnerable to Arbitrary Code Execution. The vulnerability exists due to a lack of validation in the loadprompt parameter, which allows an attacker to execute malicious code into the system...
GHSA-7GFQ-F96F-G85J langchain vulnerable to arbitrary code execution
An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via the via the a json file to the loadprompt parameter. This is related to subclasses or a template...
CVE-2023-36281
An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to loadprompt. This is related to subclasses or a template...
PYSEC-2023-151
An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via the via the a json file to the loadprompt parameter...
LangChain 代码注入漏洞
LangChain builds applications using LLM through composability. A code injection vulnerability exists in LangChain version v.0.0.171 that could allow a remote attacker to execute arbitrary code via a json file and the loadprompt parameter...
PT-2023-25510 · Langchain · Langchain
Name of the Vulnerable Software and Affected Versions: langchain version 0.0.171 Description: An issue in langchain allows a remote attacker to execute arbitrary code via a JSON file to the load prompt parameter. This is related to subclasses or a template. Recommendations: For langchain version...