5 matches found
CVE-2026-59707
CVE-2026-59707 : LocalAI exposes an unauthenticated SSRF via POST /models/apply. The endpoint forwards unsanitized gallery URL fields to gallery.GetGalleryConfigFromURLWithContext, allowing requests to internal/private/loopback URLs and leaking partial responses in error messages. No exploitation...
CVE-2026-59707
LocalAI contains an unauthenticated server-side request forgery vulnerability in the POST /models/apply endpoint that allows attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper...
CVE-2024-6095
Vulnerability: LocalAI (mudler/localai) 2.15.0 has a SSRF and partial LFI in the /models/apply endpoint. The endpoint accepts both http(s):// and file:// schemes, with file:// enabling local-file access. Impact is described as potential unauthorized access to internal HTTP(S) services and partial...
LocalAI Code Issues Vulnerabilities
LocalAI is a free, open source alternative to OpenAI from the individual developer Ettore Di Giacinto. A code issue vulnerability exists in LocalAI version 2.15.0, which stems from a cross-site request forgery and local file inclusion vulnerability in the /models/apply API...
PT-2024-37382 · Unknown · Mudler/Localai
Name of the Vulnerable Software and Affected Versions: mudler/localai versions 2.15.0 Description: A vulnerability in the "/models/apply" endpoint allows for Server-Side Request Forgery SSRF and partial Local File Inclusion LFI. The endpoint supports both https:// and file:// schemes, where the...