4057 matches found
Insecure Direct Object Reference (IDOR) in LollMS Friend Request Response
Executive Summary A critical security vulnerability has been identified in LollMS that allows any authenticated user to accept or reject friend requests belonging to other users. The respondrequest function lacks authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Affect...
Content-Type Spoofing in LollMS Image Upload
Executive Summary A security vulnerability has been identified in LollMS that allows authenticated users to bypass file type validation by spoofing the Content-Type header. The /api/upload/chatimage endpoint only validates the HTTP header, not the actual file content, allowing malicious files to ...
Job API exposed without authorization
This report is not public...
Tracing + Assessments Access
This report is not public...
Airflow externalLogUrl Permission Bypass
1. Summary The externalLogUrl endpoint in Airflow’s FastAPI enforces only the weaker Task Instance access permission TASKINSTANCE instead of the intended Task Logs permission TASKLOGS. As a result, low-privileged users who are not authorized to view task logs can still obtain external log access...
Command Injection via Malicious Model Artifacts
A command injection vulnerability exists in MLflow's model serving container initialization code. When deploying a model with env_manager=LOCAL, MLflow reads dependency specifications from the model artifact's python_env.yaml file and directly interpolates them into a shell command without...
MLflow Tarfile Path traversal in mlflow/mlflow
Description Vulnerability Report: Unsafe Tar Extraction Path Traversal Due to the lack of path traversal verification in the tar decompression part, it may lead to the possibility of overwriting any file or gaining elevated privileges. This is a non-expected vulnerability. Location File:...
Apache Arrow IPC cached prebuffer path triggers signed integer overflow UB in read-range coalescing
Description Apache Arrow C++ commit d89c14b5d5203bc403fb62060fdf1ef2c0a49339 contains a signed integer overflow undefined behavior in the IO range coalescing logic, specifically in arrow/cpp/src/arrow/io/interfaces.cc:475 arrow::io::internal::CoalesceReadRanges. The overflow is reachable from...
Unsafe Pickle Deserialization in apache-airflow-providers-http leading to RCE via HttpOperator
A High severity Unsafe Deserialization vulnerability exists in the airflow.providers.http package. The HttpOperator uses pickle.loads to deserialize untrusted data received from the Triggerer service via the database in the execute_complete method. This allows an attacker who has gained write acce...
Arbitrary file write via tar traversal
Summary A crafted tar.gz passed to MLflow pyfunc extraction is unpacked with tarfile.extractall without path validation. Archive entries containing .. or absolute paths can escape the destination directory and write arbitrary files on the host. This is reachable when users supply prebuiltenvuri o...
Arbitrary File Read via Absolute Path Input in nltk.util.filestring() enabling Local & Remote File Disclosure
This report is not public...
MLflow SageMaker Command Injection Vulnerability
Description The vulnerability exists in mlflow/sagemaker/__init__.py at lines 161-167, where user-supplied container image names are directly interpolated into shell commands without proper sanitization before being passed to os.system. Vulnerable Code Path: CLI Input (--container parameter) ↓...
Arbitrary Code Execution in NLTK StanfordSegmenter via untrusted JAR loading
This report is not public...
NLTK – Multiple CorpusReader classes allow Arbitrary File Read via Path Traversal
This report is not public...
Arbitrary File Read via FileSystemPathPointer + PlaintextCorpusReader (bypass even if nltk.data.find() is patched)
This report is not public...
Command Injection in example_xcom.py via XCom race condition
This report is not public...
Zip Slip Vulnerability in NLTK Downloader Leading to Remote Code Execution
This report is not public...
Unlimited-memory decompression leads to DoS bypassing `--http-max-input-size`
This report is not public...
Persistent Temp-File incomplete cleanup / resource exhaustion in `transformers` Serve
Description The transformers OpenAI-compatible server leaks every base64 image it decodes to disk. Because the temporary files are never cleaned up, an attacker can exhaust disk space by repeatedly calling /v1/chat/completions with base64 image_url entries. Vulnerable Code In...
Remote code execution via transformers_utils/get_config
This report is not public...
Path traversal vulnerability via `FileSystemPathPointer.join()` method allows unauthorized file access
Description A critical path traversal vulnerability exists in the FileSystemPathPointer.join method within the nltk library. The vulnerability allows attackers to bypass directory restrictions and access files outside the intended directory structure by using path traversal sequences such as ../ ...
MLFlow server is exposed to data exfiltration and destruction due to lack of Origin validation
The MLFlow REST server is vulnerable to DNS rebinding attacks, allowing malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. Once rebinding is successful, the attacker can: Query for experiments via the 2.0/mlflow/experiments/search...
text-generation-inference: Unbounded external image fetch in validation leads to resource-exhaustion DoS
Description Text Generation Inference Router DoS via pre-validation image fetch in VLM mode. Affected: Router workspace version 3.3.6 (the latest repo), when deployed with a vision/VLM model (e.g., Idefics/Mllama/Idefics2/Idefics3/Gemma3/Llama4/Paligemma/LlavaNext/Qwen2VL/Qwen25VL). Pure text LLMs do...
Integer Overflow lead to DOS in API `v2/models/<model-name>/infer`
This report is not public...
Arbitrary code execution during YAML config parsing in Kubernetes materializer
Summary The Kubernetes materializer entry point feast/sdk/python/feast/infra/computeengines/kubernetes/main.py deserializes /var/feast/feature_store.yaml and /var/feast/materializationconfig.yaml using yaml.load(..., Loader=yaml.Loader). Because yaml.Loader eagerly instantiates arbitrary Python...
Integer Overflow → Heap Buffer Overflow in BYTES-Tensor Parsing (DoS)
This report is not public...
Path Traversal vulnerability in keras using tar extract
Technical Details of the Vulnerability Summary Keras's keras.utils.get_file function is vulnerable to directory traversal attacks despite implementing filter_safe_paths. The vulnerability exists because extract_archive uses Python's tarfile.extractall method without the security-critical filter="data...
Account takeover due to missing oauth audience verification in google sign in
Description The web application integrates Google OAuth for user authentication. Upon successful Google sign-in and user consent, the application receives a token from Google. This token is used by the web application to fetch user profile information such as email and name and complete the login...
Authorization Bypass in MLflow Basic Auth (unprotected Flask/GraphQL routes)
This report is not public...
Denial of Service via Unbounded parameter values
Description The /api/memories endpoint in the LibreChat application is found to be accepting arbitrarily large values for the key and value parameters. These inputs are not being properly validated or restricted in terms of maximum allowed character length. When an input containing more than 100...
Insecure API Design: Able to Disable 2-Factor Authentication Without OTP or Backup Code
Description There is a minor issue in the 2-Factor Authentication (2FA) flow. When a user tries to disable 2FA from the dashboard, the system should ask for a valid OTP or backup code and verify it through the following API: POST /api/auth/2fa/verify HTTP/1.1 Host: 127.0.0.1:3080 User-Agent:...
Possible HTML Injection in Accept-Language header
This report is not public...
SQLite Operator-Based SQL Injection Vulnerability in LangGraph
This report is not public...
User Enumeration via "Account not found" Message
This report is not public...
XPath Injection in search_item_ctrl_f Function - Hugging Face Smolagents v1.20.0
The search_item_ctrl_f function in the Hugging Face Smolagents library is vulnerable to XPath injection. The function simply concatenates user input into an XPath query without sanitizing or escaping the input. Vulnerable Code Location: File: src/smolagents-1.20.0/smolagents/vision_web_browser.py...
World-Writable NLTK Cache Directory Enables Local Users to Tamper with or Delete NLP Data
Description The llama_index library sets the NLTK data directory to a subdirectory of the codebase by default (e.g., static/nltk_cache inside the package directory). In multi-user environments or shared hosting, this directory is world-writable or accessible by multiple users. As a result, any user c...
Dependency chain attack through hijacking broken github repository at https://github.com/huggingface/transformers/blob/main/src/transformers/models/fuyu/convert_fuyu_model_weights_to_hf.py
Description Type: Dependency Chain Attack through hijacking broken github repository Risk: High Allows arbitrary code execution in model conversion workflows Affected Asset: https://github.com/adept-ai-labs/adept-inference Broken URL in Hugging Face Transformers Root Cause The Hugging Face...
LangChain HTMLSectionSplitter – XXE caused by unsafe XSLT parsing
This report is not public...
Path traversal, lead to remote code execution
Description clearml's safe_extract is actually NOT secure. It fails to properly handle symbolic links and hard links. When these links point to files outside the TAR archive, it can lead to arbitrary file writes, potentially resulting in remote code execution. Due to a change in th...
Path traversal, lead to remote code execution
Description In zenml's PathMaterializer class, the load function uses is_path_within_directory to validate files during data.tar.gz extraction. While this prevents path traversal vulnerabilities, it fails to effectively detect symbolic and hard links. with tarfile.open(archive_path_local, "r:gz") as tar...
Insecure Temporary File Handling Vulnerability in llama-index-core
Description The get_cache_dir function in llama-index-core uses a predictable, hardcoded directory path /tmp/llama_index on Linux systems without proper security controls. This vulnerability allows attackers on multi-user systems to steal proprietary models, poison cached embeddings, or conduct...
Incorrect Access Control check results in authorization bypass
Description When setting the access control for users, an incorrect access check allows for the bypass of authorization, due to the incorrect use of .some. Proof of Concept 1. This is for a scenario where I (admin) have created a custom agent and want everyone on the platform to use it, without bei...
SSRF in MLflow via user-controlled gateway_path parameter
Description A Server-Side Request Forgery (SSRF) vulnerability exists in the gateway_proxy_handler function of MLflow. This function accepts a user-controlled gateway_path parameter and concatenates it directly with a target_uri, allowing an attacker to control the full outbound HTTP request path from...
Mass Assignment
Description Mass assignment is a vulnerability that occurs when an application automatically binds user-provided data e.g., from JSON via req.query to internal object properties or database fields without proper filtering. This can allow attackers to manipulate sensitive fields they shouldn’t hav...
Bypass of Mysql Jdbc Attack for CVE-2025-6507
Credits Le1a (https://github.com/Le1a), A1kaid (https://github.com/for-A1kaid), ph0ebus (https://github.com/ph0ebus) Description Attackers can exploit this vulnerability to read any system file and even execute arbitrary code through deserialization. The project manager fixed CVE-2025-6507 which I discovere...
Improper Access Control in Socket.IO Event Handlers Allows Unauthenticated Execution of Sensitive Actions
1. Summary Vulnerability: Unauthenticated Access to Sensitive Socket.IO Events Affected Component: lollms_generation_events.py in the lollms server Root Cause: Sensitive actions exposed via Socket.IO events lack authentication and authorization checks, and the application relies on insecure global...
Regular Expression Denial of Service (ReDoS) in AdamWeightDecay Optimizer
The AdamWeightDecay optimizer is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker can control the patterns in the include_in_weight_decay or exclude_from_weight_decay lists, they can provide a malicious regular expression that causes catastrophic backtracking. When the optimizer...
Path Traversal in Tokenizer Conversion Script
The script for converting slow tokenizers is vulnerable to a Path Traversal attack via the --checkpoint_name command-line argument. This allows an attacker to create files outside of the intended dump_path directory. Vulnerable Code Location: The vulnerability is located in the logic for converting...
Brotli decompression bomb DoS
This report is not public...
Regular expression Denial of Service - ReDoS
Description A regular expression denial of service (ReDoS) vulnerability has been identified in the Hugging Face Transformers library's MarianTokenizer. The vulnerability exists in the remove_language_code method of the MarianTokenizer class, which processes text to remove language codes. The method...