LocalAI - Partial Local File Read

A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery SSRF and partial Local File Inclusion LFI. The endpoint supports both https-// and file-// schemes, where the latter can lead to LFI. However, the output is limited due to the...

EUVD-2024-47862

Malicious code in bioql PyPI...

EUVD-2024-46427

Malicious code in bioql PyPI...

EUVD-2024-47964

Malicious code in bioql PyPI...

EUVD-2024-1234

Malicious code in bioql PyPI...

EUVD-2024-46799

Malicious code in bioql PyPI...

EUVD-2024-2025

Malicious code in bioql PyPI...

CVE-2024-6095

A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery SSRF and partial Local File Inclusion LFI. The endpoint supports both https:// and file:// schemes, where the latter can lead to LFI. However, the output is limited due to the...

CVE-2024-5616

A Cross-Site Request Forgery CSRF vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as 'gpt-4-vision-preview',...

CVE-2024-3135

A Cross-Site Request Forgery CSRF vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited by a victim, perform unauthorized actions on the victim's local LocalAI instance without their consent. This vulnerability enables attackers ...

CVE-2024-48057

localai =2.20.1 is vulnerable to Cross Site Scripting XSS. When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...

SUSE CVE-2024-9900

mudler/localai version v2.21.1 contains a Cross-Site Scripting XSS vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts...

GO-2025-3542 LocalAI Cross-Site Scripting (XSS) vulnerability in its search functionality in github.com/mudler/LocalAI

LocalAI Cross-Site Scripting XSS vulnerability in its search functionality in github.com/mudler/LocalAI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

Cross-Site Scripting (XSS)

github.com/mudler/localai is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of user input in the search functionality, allowing the injection and execution of arbitrary JavaScript code...

CVE-2024-9901

LocalAI version v2.19.4 af0545834fd565ab56af0b9348550ca9c3cb5349 contains a vulnerability where the delete model API improperly neutralizes input during web page generation, leading to a one-time storage cross-site scripting XSS vulnerability. This vulnerability allows an attacker to store a...

CVE-2024-9900

mudler/localai version v2.21.1 contains a Cross-Site Scripting XSS vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts...

GHSA-W6HH-W36C-VXMW LocalAI Cross-Site Scripting (XSS) vulnerability in its search functionality

mudler/localai version v2.21.1 contains a Cross-Site Scripting XSS vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts...

CVE-2024-9901

Rejected reason: REJECT DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-48057. Notes: All CVE users should reference CVE-2024-48057 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage...

CVE-2024-9901

Rejected reason: REJECT DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-48057. Notes: All CVE users should reference CVE-2024-48057 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage...

CVE-2024-9901

...