4 matches found
CVE-2026-5497
CVE-2026-5497 affects vLLM 0.8.0 and later, where VideoMediaIO.load_base64() can perform unbounded frame processing for video/jpeg data URLs, leading to an Out-of-Memory DoS. An attacker can craft a single API request with thousands of comma-separated base64 JPEG frames, causing the server to dec...
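The unbounded frame processing described above could, in principle, be mitigated by counting frames before decoding any of them. The following is a minimal sketch under stated assumptions, not vLLM's actual fix: the function name `decode_frames_bounded` and the limit `MAX_FRAMES` are hypothetical, and the payload is assumed to be the comma-separated base64 portion of the data URL.

```python
import base64

# Hypothetical limit chosen for illustration; not a vLLM setting.
MAX_FRAMES = 32


def decode_frames_bounded(payload: str, max_frames: int = MAX_FRAMES) -> list[bytes]:
    """Decode comma-separated base64 frames, rejecting oversized requests early."""
    # Count separators first so the request is rejected before any frame
    # is decoded or held in memory.
    frame_count = payload.count(",") + 1
    if frame_count > max_frames:
        raise ValueError(
            f"too many frames: {frame_count} exceeds limit of {max_frames}"
        )
    # Only now decode; validate=True rejects non-base64 characters.
    return [base64.b64decode(chunk, validate=True) for chunk in payload.split(",")]
```

Checking the count before decoding keeps the cost of a rejected request proportional to the request size rather than to the decoded frame data.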
EUVD-2026-19351
vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.1.0 up to but not including 0.19.0, a Denial of Service vulnerability exists in the vLLM OpenAI-compatible API server. Due to the lack of upper-bound validation on the n parameter in the ChatCompletionRequest and CompletionReques...
vLLM vulnerable to Denial of Service by abusing xgrammar cache
Impact: This report highlights a vulnerability in XGrammar, a library used by the structured output feature in vLLM. The XGrammar advisory is here: https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-389x-67px-mjg3 The xgrammar library is the default backend used by vLLM to support...
PYSEC-2025-223
vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. The outlines library is one of the backends used by vLLM to support structured output (a.k.a. guided decoding). Outlines provides an optional cache for its compiled grammars on the local filesystem. This cache has...