Lucene search
K
HuntrMost viewed

4072 matches found

Huntr
Huntr
added 2021/05/29 4:12 p.m.8 views

Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp

✍️ Description An XSS vulnerability is present in https://github.com/FalconChristmas/fpp/blob/f032d800a67ed280f8d577d95519a71c95114579/www/upgradeOS.phpL26 due to absence of user input sanitization : php Image: 🕵️‍♂️ Proof of Concept Visit...

0.3AI score
Exploits0
Huntr
Huntr
added 2021/05/24 3:33 p.m.8 views

Improper Access Control in causefx/organizr

✍️ Description Google Maps API key without proper referer restrictions is found in your repo. It can be embeded to anyone's website and if the billing account is active, it will incur charges on your account. 🕵️‍♂️ Proof of Concept Visit the following link to verify that you can use the service...

0.9AI score
Exploits0
Huntr
Huntr
added 2021/05/23 3:21 p.m.8 views

Stack-based Buffer Overflow in codeplea/tinyexpr

✍️ Description Whilst experimenting with repl built from commit 61af1d, with Clang 10 +ASan on Ubuntu 20.04.2 LTS, we discovered an expression containing 4 null characters after a newline which, due to insufficient bounds checking, triggers a stack-buffer-overflow. 🕵️‍♂️ Proof of Concept echo...

0.4AI score
Exploits0
Huntr
Huntr
added 2021/05/18 6:31 a.m.8 views

Cross-site Scripting (XSS) - Reflected in tagspaces/viewertext

✍️ Description viewerText used within the Tagspaces to show a preview of text files is vulnerable to cross site scripting. 🕵️‍♂️ Proof of Concept If any HTML is feeded to setContent function: javascript setContent"alert'xss'; It appends it to the dom without any filteration: javascript...

0.2AI score
Exploits0References2
Huntr
Huntr
added 2021/05/17 5:5 p.m.8 views

Cross-site Scripting (XSS) - Stored in dolibarr/dolibarr

💥 BUG Stored xss bypassing xss filter 💥 SUMMURY There are many different user with different role . Here using this xss bug lower level user can make xss attack against higher level user 💥 PAYLOAD XSS15 💥 STEP TO REPRODUCE 1. First goto your account and edit a product . Now put above xss payload ...

7.1AI score
Exploits0
Huntr
Huntr
added 2021/05/12 2:37 p.m.8 views

Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp

✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/runEventScript.phpL30 you echo unsanitied user input in two places : php \n"; // 1 echo "\n"; system$SUDO . " $fppDir/scripts/eventScript $scriptDirectory/$script $args"; echo "\n"; else ?...

7AI score
Exploits0
Huntr
Huntr
added 2021/05/12 2:20 p.m.8 views

OS Command Injection in falconchristmas/fpp

✍️ Description In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/copystorage.phpL27 you build a command using unsanitized user input : php &1"; // no sanitization : echo "Command: $command\n"; echo...

1AI score
Exploits0
Huntr
Huntr
added 2021/05/06 10:45 p.m.8 views

Path Traversal in thecodingmachine/mouf

✍️ Description Mouf is vulnerable to path traversal attacks on mouf/mouf/src/direct/getsourcefile.php because it doesnt sanitize user supplied parameters as shown below. Vulnerable variable: file Method: GET The $file variable is constructed using the user supplied data, and then a file is open...

2.1AI score
Exploits0
Huntr
Huntr
added 2021/03/31 12:36 a.m.8 views

Cross-site Scripting (XSS) - Generic in forkcms/forkcms

✍️ Description The forkcms is vulnerable to XSS through adding new media. 🕵️‍♂️ Proof of Concept Payload: . 1. With an authenticated user, access: http://localhost/private/en/medialibrary/mediaitemindex. 2. Select the option Online movies Youtube, Vimeo, ... and click on Next. 3. Select any source...

0.4AI score
Exploits0
Huntr
Huntr
added 2021/03/23 9:14 p.m.8 views

Cross-site Scripting (XSS) - Generic in forkcms/library

✍️ Description Please enter a description of the vulnerability. Submitted values weren't escaped in case of date, time or hidden fields. This made it possible to perform an XSS attack by URL tampering 🕵️‍♂️ Proof of Concept Find a Spoon Form where there is a date, time or hidden field and pass...

0.1AI score
Exploits0References1
Huntr
Huntr
added 2021/02/19 12:0 a.m.8 views

Cross-site Scripting (XSS) - Generic in prasathmani/tinyfilemanager

:book: Description TinyFileManager is web based file manager and it is a simple, fast and small file manager with a single file, multi-language ready web application for storing, uploading, editing and managing files and folders online via web browser. The Application runs on PHP 5.5+, It allows...

7.2AI score
Exploits0
Huntr
Huntr
added 2020/11/24 12:0 a.m.8 views

Prototype Pollution in nodef/extra-object

Description extra-object is vulnerable to Prototype Pollution. This package allowing for modification of prototype behavior, which may result in Information Disclosure/DoS/RCE. Proof of Concept 1. Create the following PoC file: js // poc.js var extraObject = require"extra-object" var obj =...

1.9AI score
Exploits0
Huntr
Huntr
added 2026/03/12 3:45 p.m.7 views

Uncontrolled Search Path in HunposTagger Allows Untrusted Local Binary Selection in nltk/nltk

This report is not public...

5.3AI score
Exploits0
Huntr
Huntr
added 2026/03/06 8:31 a.m.7 views

Unbounded Frame Count in video/jpeg Base64 Data URL Processing Leads to OOM DoS

Summary The VideoMediaIO.loadbase64 method in vLLM's multimodal processing pipeline splits video/jpeg data URLs by comma delimiters to extract individual JPEG frames, but does not enforce a frame count limit. An attacker can craft a single API request containing thousands of comma-separated...

7.5CVSS5.7AI score0.00543EPSS
Exploits1
Huntr
Huntr
added 2025/12/29 5:46 p.m.7 views

Content-Type Spoofing in LollMS Image Upload

Executive Summary A security vulnerability has been identified in LollMS that allows authenticated users to bypass file type validation by spoofing the Content-Type header. The /api/upload/chatimage endpoint only validates the HTTP header, not the actual file content, allowing malicious files to ...

6AI score
Exploits0
Huntr
Huntr
added 2025/12/04 3:39 p.m.7 views

Command Injection in example_xcom.py via XCom race condition

This report is not public...

5.8AI score
Exploits0
Huntr
Huntr
added 2025/10/19 4:53 a.m.7 views

Path traversal vulnerability via `FileSystemPathPointer.join()` method allows unauthorized file access

Description A critical path traversal vulnerability exists in the FileSystemPathPointer.join method within the nltk library. The vulnerability allows attackers to bypass directory restrictions and access files outside the intended directory structure by using path traversal sequences such as ../ ...

5.5AI score
Exploits0
Huntr
Huntr
added 2025/10/02 4:18 a.m.7 views

Integer Overflow lead to DOS in API `v2/models/<model-name>/infer`

This report is not public...

6.9AI score
Exploits0
Huntr
Huntr
added 2025/09/26 7:3 a.m.7 views

Arbitrary code execution during YAML config parsing in Kubernetes materializer

Summary The Kubernetes materializer entry point feast/sdk/python/feast/infra/computeengines/kubernetes/main.py deserializes /var/feast/featurestore.yaml and /var/feast/materializationconfig.yaml using yaml.load..., Loader=yaml.Loader. Because yaml.Loader eagerly instantiates arbitrary Python...

7.8CVSS6.8AI score0.00264EPSS
Exploits0
Huntr
Huntr
added 2025/09/05 3:17 a.m.7 views

Integer Overflow → Heap Buffer Overflow in BYTES-Tensor Parsing (DoS)

This report is not public...

6.9AI score
Exploits0
Huntr
Huntr
added 2025/07/24 1:53 p.m.7 views

Possible HTML Injection in Accept-Language header

This report is not public...

5.4CVSS5.4AI score0.00423EPSS
Exploits1
Huntr
Huntr
added 2025/07/18 2:40 p.m.7 views

User Enumeration via "Account not found" Message

This report is not public...

5.3CVSS6.9AI score0.00722EPSS
Exploits1
Huntr
Huntr
added 2025/07/15 4:14 p.m.7 views

World-Writable NLTK Cache Directory Enables Local Users to Tamper with or Delete NLP Data

Description The llamaindex library sets the NLTK data directory to a subdirectory of the codebase by default e.g., static/nltkcache inside the package directory. In multi-user environments or shared hosting, this directory is world-writable or accessible by multiple users. As a result, any user c...

7.8CVSS7.4AI score0.00171EPSS
Exploits1
Huntr
Huntr
added 2025/06/24 5:10 p.m.7 views

Mass Assignment

Description Mass assignment is a vulnerability that occurs when an application automatically binds user-provided data e.g., from JSON via req.query to internal object properties or database fields without proper filtering. This can allow attackers to manipulate sensitive fields they shouldn’t hav...

7.5CVSS6AI score0.00277EPSS
Exploits1
Huntr
Huntr
added 2025/06/13 8:33 a.m.7 views

Full system file read and delete via GET /api/v1/images/download/{bulk_download_item_name}

Description For invokeai version v6.0.0a1 and below, there is an endpoint for bulk downloading zip file. With some manipulation of the filename arguments, attacker can read and also delete any files on the server through this endpoint. P/S: Tested on Windows Proof of Concept Request: GET...

9.8CVSS7AI score0.00353EPSS
Exploits0
Huntr
Huntr
added 2025/06/13 12:43 a.m.7 views

I

Description Improper authorization controls in the conversation sharing feature make it possible to access other user's conversations given a known conversation ID. The exploitability is limited by the fact that UUIDv4 conversation IDs are generated on the server side and are practically impossib...

4.2CVSS5.9AI score0.00267EPSS
Exploits1
Huntr
Huntr
added 2025/04/21 7:56 a.m.7 views

Python sandbox escape leading to Remote Code Execution (RCE)

Smolagents python sandbox escape leading to Remote Code Execution RCE Summary Smolagents is a barebones library for building agents that “ think in Python code ”—generating and executing Python as part of their reasoning process. Given this design, secure code execution is a critical backbone of...

10CVSS8.6AI score0.18654EPSS
Exploits1
Huntr
Huntr
added 2025/03/31 10:47 p.m.7 views

Unsafe `Deserialization` in `JsonPickleSerializer` Enables Remote Code Execution

Description A critical deserialization vulnerability exists in the llamaindex library’s JsonPickleSerializer component, enabling remote code execution RCE due to an insecure fallback to Python’s pickle module. When deserializing untrusted data, JsonPickleSerializer prioritizes pickle.loads, which...

7.5CVSS5.9AI score0.00417EPSS
Exploits1
Huntr
Huntr
added 2025/03/19 8:59 p.m.7 views

URL Parsing Issue

Repository: Hugging Face Transformers File: imageutils.py Line: 834 Code Snippet: if video.startswith"https://www.youtube.com" or video.startswith"http://www.youtube.com": Vulnerability Description: The current implementation checks if a video URL starts with "https://www.youtube.com" or...

3.5CVSS7.2AI score0.00329EPSS
Exploits1
Huntr
Huntr
added 2025/03/19 1:7 p.m.7 views

unsanitised Input in code node

Description We can run sandboxed code node with full permissions, before the the sandbox security restrictions are imposed. Javascript allows overriding global functions, thus by defining the parseInt function inside a javascript code node, we are able to execute code with full root permissions o...

9.8CVSS7.6AI score0.00718EPSS
Exploits1
Huntr
Huntr
added 2025/03/17 4:10 p.m.7 views

Regular expression Denial of Service - ReDoS

Description A regular expression denial of service ReDoS vulnerability has been identified in the Hugging Face Transformers library's dynamic module utilities. The vulnerability exists in the getimports function in dynamicmoduleutils.py, which uses a vulnerable regular expression pattern to filte...

5.3CVSS7.3AI score0.00431EPSS
Exploits1
Huntr
Huntr
added 2025/03/12 11:27 p.m.7 views

Path Traversal via Symbolic Links in `ObsidianReader`

Description The ObsidianReader class, designed to parse Obsidian vaults, contains a critical security flaw that allows arbitrary file read through symbolic links symlinks. When processing a vault, the reader does not resolve or validate the absolute paths of files, enabling an attacker to place a...

7.5CVSS6.9AI score0.00555EPSS
Exploits1
Huntr
Huntr
added 2025/03/02 3:6 a.m.7 views

Privilege escalation from writing file into temporary directory to arbitrary code execution

Description The MLFlow temporary directory gets assigned insecure world-writable permissions 0o777. def getorcreatetmpdir: """ Get or create a temporary directory which will be removed once python process exit. """ from mlflow.utils.databricksutils import getreplid, isindatabricksruntime if...

7CVSS7.4AI score0.00215EPSS
Exploits1
Huntr
Huntr
added 2025/02/28 4:54 a.m.7 views

SQL injection vulnerabilities in multiple vector stores

Description Multiple vector store integrations have SQL injection vulnerabilities, which can allow an attacker to read and write data using SQL. Example vulnerable code snippet in the Couchbase vector store integration: def deleteself, refdocid: str, kwargs: Any - None: """ Delete a document by i...

9.8CVSS8AI score0.00581EPSS
Exploits1
Huntr
Huntr
added 2025/02/02 1:21 p.m.7 views

A DoS attack occurred in run-llama/llama_index due to inappropriate secure coding measures

Description A DoS vulnerability has been identified in the KnowledgeBaseWebReader class of the run-llama/llamaindex project, and this issue has been reported see the link below: Huntr Report : https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8 However, due to the developer's...

7.5CVSS7.9AI score0.00438EPSS
Exploits1
Huntr
Huntr
added 2025/01/25 8:10 p.m.7 views

Bucket "h2o-release" publicly writable, allowing an attacker to replace any file

The S3 bucket "h2o-release" where you host docs and which you instruct your users to use as a Maven repo e.g. in here https://github.com/h2oai/h2o-3?tab=readme-ov-file3-using-h2o-3-artifacts is publicly writable. It is possible to overwrite any file in that bucket. As a PoC I created the followin...

7.1AI score
Exploits0
Huntr
Huntr
added 2025/01/22 11:30 a.m.7 views

Regular expression Denial of Service - ReDoS

Description A Regular Expression Denial of Service ReDoS vulnerability was identified in the Transformers library, specifically in the file tokenizationgptneoxjapanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions...

6.5CVSS5.5AI score0.00384EPSS
Exploits1
Huntr
Huntr
added 2024/12/06 5:37 a.m.7 views

SQL Injection to RCE on FinanceChatLlamaPack

Summary The Finance Chat Llama Pack implements a hierarchical agent based on LLM for financial chat and information extraction. It includes an agent called 'database agent' for interacting with a PostgreSQL database. However, due to the lack of protections in the runsqlquery function on the...

10CVSS10AI score0.01311EPSS
Exploits1
Huntr
Huntr
added 2024/12/04 7:28 p.m.7 views

SSRF check bypass in Requests utility

Description The autogpt application relies on a wrapper around the requests library in order to avoid SSRF attacks performing a check on the provided URL. Such check is performed using the urlparse function from urllib.parse library, and the request is later performed using the requests library...

7.5CVSS7.7AI score0.00534EPSS
Exploits1
Huntr
Huntr
added 2024/11/22 8:56 a.m.7 views

MD5 Hash Collision in SageMaker Workflow

The possibility exists that MD5 collisions could occur in past cache configurations, potentially leading to workflows being inadvertently replaced. Impact In a SageMaker workflow, there is a potential risk associated with using MD5 hashes due to hash collisions. MD5 is vulnerable to collision...

5.9CVSS5.8AI score0.00245EPSS
Exploits0
Huntr
Huntr
added 2024/11/13 4:42 a.m.7 views

Partial Account Takeover due to Insecure Data Querying

This report is not public...

8.1CVSS7.1AI score0.00641EPSS
Exploits1
Huntr
Huntr
added 2024/11/11 6:4 a.m.7 views

Path traversal, lead to arbitrary file write, lead to remote code execution

Description Anythingllm use multer library to handle http multi-part file upload. Anything llm use the following code to handle non-ascii file name file.originalname = Buffer.fromfile.originalname, "latin1".toString "utf8" ; This way of manipulating filename is will lead to path traversal. multer...

7.2CVSS7.6AI score0.21121EPSS
Exploits1
Huntr
Huntr
added 2024/11/06 11:56 a.m.7 views

malicious gguf model can cause DoS by allocate unlimited memory via network access

This report is not public...

7.5CVSS7.7AI score0.00672EPSS
Exploits1
Huntr
Huntr
added 2024/11/02 8:22 a.m.7 views

dify tools vanna has pandas query inject

This report is not public...

8.8CVSS7.1AI score0.00983EPSS
Exploits1
Huntr
Huntr
added 2024/11/01 8:43 p.m.7 views

Denial of service by tracking large images

This report is not public...

7.5CVSS7.1AI score0.0059EPSS
Exploits1
Huntr
Huntr
added 2024/10/25 8:24 a.m.7 views

unhandled exception caused server crash

Description in javascript express framework, if async router handler throw an exception, the whole server will crash. In librechat, some API, when leading with some malformed input, will have uncaught exception. This will lead to server crash, thus a full denial of service. Mind that although thi...

6.5CVSS6.8AI score0.00796EPSS
Exploits1
Huntr
Huntr
added 2024/10/19 9:6 a.m.7 views

Improper Role Modification by Admins for Billing Permissions

Description Admins, who do not have direct permissions to access billing resources, are able to change the permissions of existing users to have billing permissions. This can lead to a privilege escalation scenario where an administrator can: 1. Change the role of an existing user to include...

7.3CVSS7.7AI score0.00469EPSS
Exploits1
Huntr
Huntr
added 2024/10/17 8:57 p.m.7 views

Open Redirect

This report is not public...

7.1AI score
Exploits0
Huntr
Huntr
added 2023/09/20 6:14 p.m.7 views

Deleted account still has the right to create, delete other accounts (delete surveys)

Description An account that has been deleted still has the right to create, delete surveys other accounts Proof of Concept Video Poc https://drive.google.com/file/d/1kvNqK8tYvWDabLigI6dZsp4kpKKkrfIx/view?usp=sharing...

7.2AI score
Exploits0
Huntr
Huntr
added 2023/06/29 8:12 a.m.7 views

Reflected XSS via "importFormat" parameter

Description Please enter a description of the vulnerability. Proof of Concept - Login as administrator or any user with access to User import/export feature. - Visit the following URL...

6.9AI score
Exploits0References1
Total number of security vulnerabilities4072