125 matches found

RedhatCVE, added 5 days ago

CVE-2026-56340

A flaw was found in vLLM. This vulnerability allows a remote attacker to trigger crashes or resource exhaustion, leading to a denial of service (DoS). By submitting specially crafted embedding requests with malformed tensor indices, when the prompt-embeds feature is enabled, an attacker could also...

CVSS 8.8 | AI score 6.1 | EPSS 0.00352
Exploits 0 | References 5
RedhatCVE, added 2026/06/24 3:19 p.m.

CVE-2026-48746

A flaw was found in vLLM, an inference and serving engine for large language models (LLMs). This vulnerability, residing in ASGI web servers and Starlette's trust in them, allows an attacker to bypass the OpenAI API Authentication Middleware. This bypass enables unauthorized access to the API witho...

CVSS 9.1 | AI score 5.8 | EPSS 0.0086
Exploits 0 | References 6
NVD, added 2026/06/22 11:16 p.m.

CVE-2026-41523

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLL...

CVSS 7.5 | EPSS 0.00463
Exploits 1 | References 6
NVD, added 2026/06/22 11:16 p.m.

CVE-2026-48746

vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and Starlette's trust in those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows use of the API without providing t...

CVSS 9.1 | EPSS 0.0086
Exploits 0 | References 8
ATTACKERKB, added 2026/06/22 10:18 p.m.

CVE-2026-41523

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLL...

CVSS 7.5 | AI score 6.5 | EPSS 0.00463
Exploits 1 | References 4 | Affected Software 1
ATTACKERKB, added 2026/06/22 9:57 p.m.

CVE-2026-48746

vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and Starlette's trust in those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. It allows use of the API without providing t...

CVSS 9.1 | AI score 5.9 | EPSS 0.0086
Exploits 0 | References 4 | Affected Software 1
NVD, added 2026/06/20 7:16 p.m.

CVE-2025-71379

vLLM versions = 0.6.3 and 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. Several regex patterns — in vllm/lora/utils.py, the phi4mini tool parser, and the OpenAI-compatible serving chat endpoint — are susceptible to catastrophic backtracking. An attacker...

CVSS 7.5 | EPSS 0.00321
Exploits 1 | References 2
Snyk, added 2026/06/17 2:06 p.m.

Improper Handling of Highly Compressed Data (Data Amplification)

Overview: vllm is a high-throughput and memory-efficient inference and serving engine for LLMs. Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) through the audio.py file. An attacker can cause excessive memory consumption by...

CVSS 7.1 | AI score 5.9 | EPSS 0.00243
Exploits 0 | References 2
Snyk, added 2026/06/17 2:03 p.m.

Incorrect Conversion between Numeric Types

Overview: vllm is a high-throughput and memory-efficient inference and serving engine for LLMs. Affected versions of this package are vulnerable to Incorrect Conversion between Numeric Types in the ggml_dequantize, ggml_mul_mat_vec_a8, ggml_mul_mat_a8, and ggml_moe_a8 functions when tensor dimensions are...

CVSS 7.5 | AI score 5.9 | EPSS 0.00281
Exploits 0 | References 2
Github Security Blog, added 2026/06/17 2:02 p.m.

vLLM: temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels

Summary: All temperature validation gates use comparison operators, which silently evaluate to False for NaN and for positive Infinity in Python's IEEE 754 float semantics. Both values pass every guard and propagate to GPU sampling kernels, where they produce undefined behavior or CUDA errors tha...

CVSS 6.9 | AI score 5.6 | EPSS 0.00261
Exploits 1 | References 4 | Affected Software 1
Snyk, added 2026/06/16 5:36 p.m.

HTTP Request Smuggling

Overview: vllm is a high-throughput and memory-efficient inference and serving engine for LLMs. Affected versions of this package are vulnerable to HTTP Request Smuggling via improper validation of the Host header in the request scope. An attacker can gain unauthorized access to API endpoints by...

CVSS 9.1 | AI score 5.9 | EPSS 0.0086
Exploits 0 | References 2
Github Security Blog, added 2026/06/16 5:36 p.m.

vLLM: OpenAI auth bypass

Summary: A vulnerability in ASGI web servers and Starlette's trust in those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware, which was discovered during @x41sec's source code audit. It allows use of the API without providing the configured VLLM_API_KEY or...

CVSS 9.1 | AI score 5.5 | EPSS 0.0086
Exploits 0 | References 4 | Affected Software 1
Snyk, added 2026/06/10 5:11 p.m.

Use of Incorrectly-Resolved Name or Reference

Overview: vllm is a high-throughput and memory-efficient inference and serving engine for LLMs. Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference through several model loading paths. An attacker can make the server load a different Hugging Face...

CVSS 6.5 | AI score 5.5 | EPSS 0.00146
Exploits 0 | References 2
Cvelist, added 2026/05/28 6:04 p.m.

CVE-2026-4944 Hardcoded trust_remote_code=True in vllm-project/vllm Bypasses User Security Control

vllm-project/vllm version 0.14.1 contains a vulnerability where the trust_remote_code=True parameter is hardcoded in two model implementation files, vllm/model_executor/models/nemotron_vl.py and vllm/model_executor/models/kimi_k25.py. This bypasses the user's explicit --trust-remote-code=False setting,...

CVSS 8.8 | EPSS 0.00747
Exploits 0 | References 1
CVE, added 2026/05/28 6:04 p.m.

CVE-2026-4944

The provided documents describe a vulnerability in vllm-project/vllm version 0.14.1 where trust_remote_code is hardcoded to True in nemotron_vl.py and kimi_k25.py, bypassing user-specified --trust-remote-code=False and enabling remote code execution via malicious HuggingFace model repositories. T...

CVSS 8.8 | AI score 7.9 | EPSS 0.00747
Exploits 0 | References 1
Snyk, added 2026/05/26 2:43 p.m.

Improper Resource Shutdown or Release

Overview: vllm is a high-throughput and memory-efficient inference and serving engine for LLMs. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the OpenAI-compatible Serving Path component. An attacker can cause the service to become unavailable by...

CVSS 6.9 | AI score 6.1 | EPSS 0.00427
Exploits 0 | References 2
EUVD, added 2026/05/26 10:30 a.m.

EUVD-2026-31810

A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used...

CVSS 6.9 | AI score 5.8 | EPSS 0.00427
Exploits 0 | References 7
Vulnrichment, added 2026/05/12 7:57 p.m.

CVE-2026-44222 vLLM: Remote DoS via Special-Token Placeholders

vLLM is an inference and serving engine for large language models (LLMs). From 0.6.1 to before 0.20.0, there is a Token Injection vulnerability in vLLM's multimodal processing. Unauthenticated, text-only prompts that spell special tokens are interpreted as control. Image and video placeholder...

CVSS 6.5 | AI score 5.8 | EPSS 0.00414
Exploits 1 | References 2
CNNVD, added 2026/05/12 12:00 a.m.

vLLM input validation error vulnerability

vLLM is an open-source inference and serving engine designed for LLM models, featuring high throughput and efficient memory usage. Versions of vLLM from 0.6.1 to before 0.20.0 contained a vulnerability related to input validation errors. This vulnerability stemmed from token injection issues during...

CVSS 7.5 | AI score 5.8 | EPSS 0.00414
Exploits 1 | References 1
CNNVD, added 2026/05/12 12:00 a.m.

vLLM security vulnerability

vLLM is an open-source LLM inference and serving engine that features high throughput and efficient memory usage. Versions of vLLM prior to 0.20.0 contained a security vulnerability. This vulnerability stemmed from the extract_hidden_states speculative decoding proposal, which returned tensor...

CVSS 6.5 | AI score 5.8 | EPSS 0.00367
Exploits 0 | References 1