Lucene search
K

126 matches found

Nuclei
Nuclei
added 10 hours ago89 views

LocalAI - Partial Local File Read

A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery SSRF and partial Local File Inclusion LFI. The endpoint supports both https-// and file-// schemes, where the latter can lead to LFI. However, the output is limited due to the...

5.8CVSS6.3AI score0.02475EPSS
Exploits1References3
EUVD
EUVD
added last week5 views

EUVD-2026-42097

LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper...

9.2CVSS6.1AI score0.0036EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added last week9 views

CVE-2026-59707

LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper...

9.2CVSS6.1AI score0.0036EPSS
Exploits0References5
Cvelist
Cvelist
added last week31 views

CVE-2026-59707 LocalAI - Server-Side Request Forgery via POST /models/apply

LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper...

9.2CVSS0.0036EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added last week5 views

CVE-2026-59707 LocalAI - Server-Side Request Forgery via POST /models/apply

LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper...

9.2CVSS6.1AI score0.0036EPSS
Exploits0References4
CVE
CVE
added last week15 views

CVE-2026-59707

CVE-2026-59707 : LocalAI exposes an unauthenticated SSRF via POST /models/apply. The endpoint forwards unsanitized gallery URL fields to gallery.GetGalleryConfigFromURLWithContext, allowing requests to internal/private/loopback URLs and leaking partial responses in error messages. No exploitation...

9.2CVSS6.1AI score0.0036EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-2025

Malicious code in bioql PyPI...

9.1CVSS7.7AI score0.25538EPSS
Exploits1References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-47964

Malicious code in bioql PyPI...

8.8CVSS8.9AI score0.01289EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2024-47862

Malicious code in bioql PyPI...

9.8CVSS8.1AI score0.01501EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.10 views

EUVD-2024-46799

Malicious code in bioql PyPI...

4.3CVSS4.9AI score0.00242EPSS
Exploits1References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2024-1234

Malicious code in bioql PyPI...

6.5CVSS6.5AI score0.00297EPSS
Exploits1References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2024-46427

Malicious code in bioql PyPI...

9.8CVSS9.5AI score0.02685EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2025/05/23 10:14 a.m.8 views

CVE-2024-6095

A vulnerability in the /models/apply endpoint of mudler/localai versions 2.15.0 allows for Server-Side Request Forgery SSRF and partial Local File Inclusion LFI. The endpoint supports both https:// and file:// schemes, where the latter can lead to LFI. However, the output is limited due to the...

5.8CVSS6.4AI score0.02475EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 10:13 a.m.11 views

CVE-2024-5616

A Cross-Site Request Forgery CSRF vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as 'gpt-4-vision-preview',...

4.3CVSS6.8AI score0.00242EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 9:20 a.m.7 views

CVE-2024-3135

A Cross-Site Request Forgery CSRF vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited by a victim, perform unauthorized actions on the victim's local LocalAI instance without their consent. This vulnerability enables attackers ...

6.5CVSS6.6AI score0.00297EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/05/23 7:29 a.m.10 views

CVE-2024-48057

localai =2.20.1 is vulnerable to Cross Site Scripting XSS. When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...

6.1CVSS6.3AI score0.00191EPSS
Exploits1References1
SUSE CVE
SUSE CVE
added 2025/03/29 3:36 a.m.2 views

SUSE CVE-2024-9900

mudler/localai version v2.21.1 contains a Cross-Site Scripting XSS vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts...

6.1CVSS6.4AI score0.00491EPSS
Exploits1References3
OSV
OSV
added 2025/03/25 7:38 p.m.53 views

GO-2025-3542 LocalAI Cross-Site Scripting (XSS) vulnerability in its search functionality in github.com/mudler/LocalAI

LocalAI Cross-Site Scripting XSS vulnerability in its search functionality in github.com/mudler/LocalAI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

6.1CVSS5.2AI score0.00491EPSS
Exploits1References4
Veracode
Veracode
added 2025/03/25 5:11 a.m.8 views

Cross-Site Scripting (XSS)

github.com/mudler/localai is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper sanitization of user input in the search functionality, allowing the injection and execution of arbitrary JavaScript code...

6.1CVSS6.8AI score0.00491EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2025/03/22 1:28 p.m.14 views

CVE-2024-9901

LocalAI version v2.19.4 af0545834fd565ab56af0b9348550ca9c3cb5349 contains a vulnerability where the delete model API improperly neutralizes input during web page generation, leading to a one-time storage cross-site scripting XSS vulnerability. This vulnerability allows an attacker to store a...

6.4AI score
Exploits0References4
Rows per page
Query Builder