Lucene search
+L

35 matches found

OSV
OSV
added 2026/06/17 2:4 p.m.7 views

GHSA-HGG8-FQQC-VFMW vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router

vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via the Anthropic API router Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Severity: CVSS 3.1 5.3 Medium AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Target: https://github.com/vllm-project/vllm ---...

5.3CVSS5.7AI score0.00796EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/06/17 12:0 a.m.21 views

PT-2026-50491

Name of the Vulnerable Software and Affected Versions vLLM versions prior to 0.23.1rc0 Description An incomplete fix for a previous memory leak issue allows unauthenticated attackers to leak heap memory addresses. The system fails to properly sanitize error messages in several response paths,...

5.3CVSS6.7AI score0.00796EPSS
Exploits1References15
OSV
OSV
added 2026/06/16 5:36 p.m.12 views

GHSA-94F4-HR76-P5J6 vLLM: OpenAI auth bypass

Summary A vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware, which was discovered during @x41sec's source code audit. It allows to use the API without providing the configured VLLMAPIKEY or...

9.1CVSS5.6AI score0.01014EPSS
Exploits0References13
Snyk
Snyk
added 2026/06/11 8:31 a.m.9 views

Allocation of Resources Without Limits or Throttling

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the VideoMediaIO.loadbase64 function. An attacker can cause the server to exhaust memory...

8.7CVSS7.1AI score0.00543EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/05/26 10:30 a.m.48 views

CVE-2026-9540 vllm-project vllm OpenAI-compatible Serving Path denial of service

A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used...

6.9CVSS0.00427EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/26 10:30 a.m.10 views

CVE-2026-9540

A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component OpenAI-compatible Serving Path. Such manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit is publicly available and might be used...

6.9CVSS5.8AI score0.00427EPSS
Exploits0References7Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.11 views

PT-2026-43245

Name of the Vulnerable Software and Affected Versions vllm version 0.19.0 Description A remote denial of service can be triggered through improper processing within the OpenAI-compatible Serving Path component. Recommendations At the moment, there is no information about a newer version that...

6.9CVSS6.2AI score0.00427EPSS
Exploits0References14
Circl
Circl
added 2026/04/27 6:0 p.m.25 views

CVE-2026-44222

creationtimestamp| type| source ---|---|--- 2026-04-27 18:00:06+00:00| published-proof-of-concept| https://github.com/vllm-project/vllm/security/advisories/GHSA-hpv8-x276-m59f...

7.5CVSS5.8AI score0.00414EPSS
Exploits1References1
Snyk
Snyk
added 2026/04/02 9:25 p.m.3 views

Improper Input Validation

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Improper Input Validation due to inconsistent downmixing behavior in the tomono process. An attacker can manipulate audio inputs to cause the AI mod...

7.1CVSS5.9AI score0.00267EPSS
Exploits0References2
Snyk
Snyk
added 2026/03/27 1:23 a.m.10 views

Unsafe Dependency Resolution

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Unsafe Dependency Resolution in the process of loading sub-components with the trustremotecode parameter set to True, regardless of user...

8.8CVSS6.2AI score0.01364EPSS
Exploits0References2
OSV
OSV
added 2026/01/28 4:14 p.m.2 views

GHSA-QH4C-XF7M-GXFC vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector

Summary A Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods obtain and process media from URLs provided by users, using different Python parsing libraries when restrictin...

7.1CVSS6.1AI score0.00528EPSS
Exploits2References19
Snyk
Snyk
added 2026/01/27 10:49 p.m.2 views

Server-side Request Forgery (SSRF)

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the MediaConnector class. An attacker can access internal network resources and cause system instability or...

7.1CVSS5.9AI score0.00528EPSS
Exploits1References2
OSV
OSV
added 2025/11/20 9:26 p.m.1 views

GHSA-69J4-GRXJ-J64P vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`

Summary The /v1/chat/completions and /tokenize endpoints allow a chattemplatekwargs request parameter that is used in the code before it is properly validated against the chat template. With the right chattemplatekwargs parameters, it is possible to block processing of the API server for long...

6.5CVSS6.1AI score0.00326EPSS
Exploits0References10
OSV
OSV
added 2025/11/20 8:59 p.m.4 views

GHSA-MRW7-HF4F-83PF vLLM deserialization vulnerability leading to DoS and potential RCE

Summary A memory corruption vulnerability that leading to a crash denial-of-service and potentially remote code execution RCE exists in vLLM versions 0.10.2 and later, in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using...

8.8CVSS6.5AI score0.00849EPSS
Exploits0References8
OSV
OSV
added 2025/10/07 10:14 p.m.4 views

GHSA-3F6C-7FW2-PPM4 vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class

Summary A Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows...

7.1CVSS6.5AI score0.00231EPSS
Exploits0References6
NVD
NVD
added 2025/10/07 8:15 p.m.9 views

CVE-2025-6242

A Server-Side Request Forgery SSRF vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The loadfromurl and loadfromurlasync methods fetch and process media from user-provided URLs without adequate restrictions on the target hosts. This allows an...

7.1CVSS0.00231EPSS
Exploits0References2
OSV
OSV
added 2025/10/07 5:24 p.m.2 views

GHSA-WR9H-G72X-MWHM vLLM is vulnerable to timing attack at bearer auth

Summary The API key support in vLLM performed validation using a method that was vulnerable to a timing attack. This could potentially allow an attacker to discover a valid API key using an approach more efficient than brute force. Details...

7.5CVSS7AI score0.00532EPSS
Exploits1References9
Positive Technologies
Positive Technologies
added 2025/10/07 12:0 a.m.5 views

PT-2025-41177

Name of the Vulnerable Software and Affected Versions vLLM affected versions not specified Description An issue exists within the MediaConnector class in the vLLM project’s multimodal feature set. Specifically, the load from url and load from url async methods do not sufficiently restrict the...

7.1CVSS6.6AI score0.00231EPSS
Exploits0References17
EUVD
EUVD
added 2025/10/03 8:7 p.m.11 views

EUVD-2025-6874

Malicious code in bioql PyPI...

9.8CVSS7AI score0.01274EPSS
Exploits1References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.8 views

EUVD-2025-7068

Malicious code in bioql PyPI...

9.8CVSS7AI score0.01424EPSS
Exploits1References4
Rows per page
Query Builder