Security Bulletin: Unauthenticated File Upload Vulnerability Allows Disk Space Exhaustion and Path Disclosure in Langflow OSS
Summary: Unauthenticated users can upload unlimited files to the Langflow OSS server via the deprecated /api/v1/upload/flowid endpoint without authentication or validation, leading to potential disk space exhaustion DoS and information disclosure through absolute file path leakage in API responses...
Security Bulletin: Path Traversal Vulnerability in File Processing Components Allows Unauthorized File System Access and Potential Remote Code Execution
Summary: A path traversal vulnerability exists in multiple Langflow OSS file processing components (Docling, Docling Serve, Read File, NVIDIA Retriever Extraction, Video File, and Unstructured API) that are based on BaseFileComponent. The vulnerability in the unpackbundle function allows attackers t...
PT-2023-29433 · Unknown · Change Request
Name of the Vulnerable Software and Affected Versions: Change Request versions 0.11 through 1.9.2 Description: The issue allows a user without specific rights to perform script injection and remote code execution by inserting an appropriate title when creating a new Change Request. This is...
PT-2023-10329 · Unknown · Django-Ucamlookup
Name of the Vulnerable Software and Affected Versions: django-ucamlookup versions up to 1.9.1 Description: A vulnerability was found in the Lookup Handler component of django-ucamlookup, leading to cross-site scripting. The attack can be launched remotely. This issue affects products that are no...