20 matches found
EUVD-2024-47862
Malicious code in bioql PyPI...
EUVD-2024-46799
Malicious code in bioql PyPI...
EUVD-2024-1234
Malicious code in bioql PyPI...
EUVD-2024-47964
Malicious code in bioql PyPI...
CVE-2024-5616
A Cross-Site Request Forgery (CSRF) vulnerability exists in mudler/LocalAI versions up to and including 2.15.0, which allows attackers to trick victims into deleting installed models. By crafting a malicious HTML page, an attacker can cause the deletion of a model, such as 'gpt-4-vision-preview',...
CVE-2024-48057
localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...
GO-2025-3542 LocalAI Cross-Site Scripting (XSS) vulnerability in its search functionality in github.com/mudler/LocalAI
LocalAI Cross-Site Scripting (XSS) vulnerability in its search functionality in github.com/mudler/LocalAI. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...
Cross-Site Scripting (XSS)
github.com/mudler/localai is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to improper sanitization of user input in the search functionality, allowing the injection and execution of arbitrary JavaScript code...
CVE-2024-9901
LocalAI version v2.19.4 af0545834fd565ab56af0b9348550ca9c3cb5349 contains a vulnerability where the delete model API improperly neutralizes input during web page generation, leading to a one-time storage cross-site scripting (XSS) vulnerability. This vulnerability allows an attacker to store a...
GHSA-W6HH-W36C-VXMW LocalAI Cross-Site Scripting (XSS) vulnerability in its search functionality
mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. The vulnerability arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts...
CVE-2024-9901
Rejected reason: REJECT DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-48057. Notes: All CVE users should reference CVE-2024-48057 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage...
CVE-2024-9901
...
PT-2025-12295 · Unknown · Mudler/Localai
Name of the Vulnerable Software and Affected Versions: mudler/localai version v2.21.1 mudler/localai versions prior to v2.22.0 Description: The issue arises due to improper sanitization of user input, allowing the injection and execution of arbitrary JavaScript code. This can lead to the executio...
CVE-2024-6983
mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the localai backend receives inputs not only from the configuration file but also from other inputs, allowing an attacker to upload a binary file and execute malicious code. This can lead to the...
Timing Attack
mudler/LocalAI is vulnerable to Timing Attack. The vulnerability is due to a side-channel attack that exploits variations in response time during cryptographic operations, potentially exposing valid login credentials...
CVE-2024-48057
localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...
CVE-2024-6983 Remote Code Execution in mudler/localai
mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the localai backend receives inputs not only from the configuration file but also from other inputs, allowing an attacker to upload a binary file and execute malicious code. This can lead to the...
PT-2024-38020 · Localai · Localai
Name of the Vulnerable Software and Affected Versions: mudler/localai version 2.17.1 Description: The localai backend is susceptible to remote code execution. This occurs because the backend accepts inputs from sources beyond the configuration file, enabling an attacker to upload and execute a...
LocalAI Code Issues Vulnerabilities
LocalAI is a free, open source alternative to OpenAI from the individual developer Ettore Di Giacinto. A code issue vulnerability exists in LocalAI version 2.15.0, which stems from a cross-site request forgery and local file inclusion vulnerability in the /models/apply API...
CVE-2024-3135
A Cross-Site Request Forgery (CSRF) vulnerability exists in the mudler/localai application, allowing attackers to craft malicious webpages that, when visited by a victim, perform unauthorized actions on the victim's local LocalAI instance without their consent. This vulnerability enables attackers ...