2 matches found
PYSEC-2026-1570 LlamaIndex has an XML Entity Expansion vulnerability in its sitemap parser
An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llamaindex repository, specifically affecting the Papers Loaders package before version 0.3.2 in llama-index v0.10.0 and above through v0.12.29. This vulnerability allows ...
XML External Entity (XXE) Injection
llama-index-readers-papers Papers Loaders package is vulnerable to XML External Entity XXE Injection. The vulnerability is due to the sitemap parser accepting untrusted XML input without disabling entity expansion, allowing attackers to exhaust system memory and cause a denial of service...