20 matches found
CVE-2026-6588
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function downloadmodel/deletemodel of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched...
GHSA-P58C-Q354-6C4F pgAdmin 4 contains local file inclusion (LFI) and server-side request forgery (SSRF) vulnerabilities
Local file inclusion LFI and server-side request forgery SSRF vulnerabilities in pgAdmin 4 LLM API configuration endpoints. User-supplied apikeyfile and apiurl preferences were passed to the LLM provider clients without validation. An authenticated user could read arbitrary server-side files by...
PT-2026-35512
A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.base url results in server-side request forgery. Remot...
EUVD-2026-23729
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function downloadmodel/deletemodel of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched...
CVE-2026-6588
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function downloadmodel/deletemodel of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched...
CVE-2026-6588
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function downloadmodel/deletemodel of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched...
CVE-2026-6588 serge-chat serge Model API Endpoint model.py delete_model missing authentication
A weakness has been identified in serge-chat serge up to 1.4TB. The impacted element is the function downloadmodel/deletemodel of the file api/src/serge/routers/model.py of the component Model API Endpoint. Executing a manipulation can lead to missing authentication. The attack can be launched...
CVE-2026-6588
The CVE-2026-6588 entry concerns serge-chat serge (up to 1.4TB) with the vulnerable element in the Model API Endpoint: the function download_model/delete_model located in api/src/serge/routers/model.py. The description states that manipulation of this function can lead to missing authentication, ...
CVE-2024-48057
localai =2.20.1 is vulnerable to Cross Site Scripting XSS. When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...
CVE-2024-9901
Rejected reason: REJECT DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-48057. Notes: All CVE users should reference CVE-2024-48057 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage...
CVE-2024-9901
Rejected reason: REJECT DO NOT USE THIS CVE ID NUMBER. The Rejected CVE Record is a duplicate of CVE-2024-48057. Notes: All CVE users should reference CVE-2024-48057 instead of this CVE Record. All references and descriptions in this candidate have been removed to prevent accidental usage...
CVE-2024-9901
CVE-2024-9901 is rejected/not used and does not represent an active vulnerability.
Cross-Site Scripting (XSS)
github.com/mudler/localai is vulnerable to Cross Site Scripting XSS. The vulnerability is due to improper input validation and inadequate sanitization of user inputs when passing parameters to the delete model API, allows malicious scripts to be stored and executed in the application...
GHSA-GHX4-CGXW-7H9P LocalAI Cross-site Scripting vulnerability
localai =2.20.1 is vulnerable to Cross Site Scripting XSS. When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...
LocalAI Cross-site Scripting vulnerability
localai =2.20.1 is vulnerable to Cross Site Scripting XSS. When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...
CVE-2024-48057
localai =2.20.1 is vulnerable to Cross Site Scripting XSS. When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the homepage...
PT-2024-32972 · Localai +1 · Localai +1
Name of the Vulnerable Software and Affected Versions: localai versions =2.20.1 Description: The issue is related to a Cross Site Scripting XSS vulnerability. When the delete model API is called with inappropriate parameters, it can cause a one-time storage XSS. This will trigger the payload when...
CVE-2024-48057
CVE-2024-48057 affects LocalAI (version
CVE-2024-23445 Elasticsearch Remote Cluster Search Cross Cluster API Key insufficient restrictions
It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.htmlsecurity-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the fieldsecurity parameter, an...
com.amadeus.jenkins.plugins:workflow-cps-global-lib-http (>=2.33.0 <=2.54.0), com.lookout.jenkins:environment-script (=100.v3a_f1a_6a_b_7549) +126 more potentially affected by CVE-2024-34145 via org.jenkins-ci.plugins:script-security (>=1138.v8e727069a_025 <=1335.vf07d9ce377a_e)
org.jenkins-ci.plugins:script-security MAVEN version =1138.v8e727069a025, =2.33.0, =1.1.0.413.v3023d27e8434, =320.v5a0933ae7d61, =2.4.2, =3.0, =4.1.0, =1.27.17, =1.27.4, =1.27.4, =1714.v09593e830cfa, =11.2.0, =12.9.1 and more Source cves: CVE-2024-34145 Source advisory:...