An open index of Dependabot pull requests across open source projects.

Security Advisories

Browse security advisories and track which Dependabot PRs address them.

Total Advisories: 25,050
With Dependabot PRs: 1,846
Critical Severity: 3,534
High Severity: 8,712

LiteLLM Vulnerable to Denial of Service (DoS) via Crafted HTTP Request
GHSA-fh2c-86xm-pm2x CVE-2024-8984 HIGH 9 months ago
A Denial of Service (DoS) vulnerability exists in berriai/litellm version v1.44.5. This vulnerability can be exploited by appending characters, suc...
pypi
No PRs yet
Gradio DoS in multipart boundary while uploading the file
GHSA-5cpq-9538-jm2j CVE-2024-8966 HIGH 9 months ago
A vulnerability in the file upload process of gradio-app/gradio version @gradio/video@0.10.2 allows for a Denial of Service (DoS) attack. An attack...
pypi
No PRs yet
MLflow has a Local File Read/Path Traversal in dbfs
GHSA-4rqf-8pfm-p36r CVE-2024-8859 HIGH 9 months ago
A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. When users configure and use the dbfs service, concatenating the URL directl...
pypi
No PRs yet
AgentScope Path Traversal in /api/file
GHSA-f4hc-q562-cc5r CVE-2024-8438 HIGH 9 months ago
A path traversal vulnerability exists in modelscope/agentscope version v.0.0.4. The API endpoint `/api/file` does not properly sanitize the `path` ...
pypi
No PRs yet
H2O Vulnerable to Arbitrary File Overwrite
GHSA-g48v-3p35-88jr CVE-2024-8616 HIGH 9 months ago
In h2oai/h2o-3 version 3.46.0, the `/99/Models/{name}/json` endpoint allows for arbitrary file overwrite on the target server. The vulnerability ar...
maven pypi
No PRs yet
AgentScope directory traversal vulnerability in /read-examples
GHSA-6v28-q95m-93qr CVE-2024-8524 HIGH 9 months ago
A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. An attacker can exploit this vulnerability to read any local JSO...
pypi
No PRs yet
AgentScope arbitrary file download vulnerability in rpc_agent_client
GHSA-p6h7-hfj2-vmcf CVE-2024-8501 HIGH 9 months ago
An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agentscope version v0.0.4. This vulnerability allow...
pypi
No PRs yet
AgentScope Cross-Origin Resource Sharing (CORS) vulnerability
GHSA-75v5-6885-59f9 CVE-2024-8487 HIGH 9 months ago
A Cross-Origin Resource Sharing (CORS) vulnerability exists in modelscope/agentscope version v0.0.4. The CORS configuration on the agentscope serve...
pypi
No PRs yet
Open WebUI stored cross-site scripting (XSS) vulnerability
GHSA-gj27-76gq-5v3p CVE-2024-7990 HIGH 9 months ago
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/model...
pypi
No PRs yet
Open WebUI denial of service through endpoint for converting markdown
GHSA-5v9m-57mq-qc75 CVE-2024-7983 HIGH 9 months ago
In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown paylo...
pypi
No PRs yet
Ollama Divide by Zero Vulnerability
GHSA-2xf2-gjm6-g2c6 CVE-2024-8063 HIGH 9 months ago
A divide by zero vulnerability exists in ollama/ollama version v0.3.3. The vulnerability occurs when importing GGUF models with a crafted type for ...
go
No PRs yet
Prefect CORS (Cross-Origin Resource Sharing) misconfiguration
GHSA-4v9f-r55g-g6hc CVE-2024-8183 HIGH 9 months ago
A CORS (Cross-Origin Resource Sharing) misconfiguration in prefecthq/prefect prior to version 3.0.3 allows unauthorized domains to access sensitive...
pypi
No PRs yet
PyTorch Lightning denial of service vulnerability
GHSA-98fp-7v67-4v3q CVE-2024-8020 HIGH 9 months ago
A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST reque...
pypi
No PRs yet
Open WebUI lacks authentication for the `api/v1/utils/pdf` endpoint
GHSA-9vf8-xgwm-97r8 CVE-2024-8053 HIGH 9 months ago
In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to...
pypi
No PRs yet
Aim allows denial of service due to no timeouts for some tracking server endpoints
GHSA-6w7p-xrvp-p7xv CVE-2024-8061 HIGH 9 months ago
In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, causing the server to wait ind...
pypi
No PRs yet
Open WebUI allows Remote Code Execution via Arbitrary File Upload to /audio/api/v1/transcriptions
GHSA-ff5c-56m7-vc75 CVE-2024-8060 HIGH 9 months ago
OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint `/audio/api/v1/transcriptions` that allows for arbitrary file upload. Th...
pypi
No PRs yet
H2O Vulnerable to Denial of Service (DoS) via `HEAD` Request
GHSA-5c8j-g96x-cj78 CVE-2024-8062 HIGH 9 months ago
A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a `HEAD` request to v...
maven pypi
No PRs yet
H2O Vulnerable to Denial of Service (DoS) via Large GZIP Parsing
GHSA-6w62-3jvj-mfj6 CVE-2024-7765 HIGH 9 months ago
In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The...
maven pypi
No PRs yet
Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability in api/chat/file
GHSA-6wj5-5pgr-jwq8 HIGH 9 months ago
A vulnerability in open-webui/open-webui version 79778fa allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed...
pypi
No PRs yet
Aim vulnerable to Cross-Site Request Forgery
GHSA-38r9-3j52-h92v CVE-2024-7760 HIGH 9 months ago
aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly p...
pypi
No PRs yet
Open WebUI Cross-Site Request Forgery (CSRF) Vulnerability
GHSA-85jc-8h5p-8vw8 CVE-2024-7806 HIGH 9 months ago
A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). T...
pypi
No PRs yet
H2O Vulnerable to Denial of Service (DoS) via `/3/ImportFiles` Endpoint
GHSA-p2vc-m5fv-9w9m CVE-2024-7768 HIGH 9 months ago
A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes ...
maven pypi
No PRs yet
Open WebUI has SSRF in /openai/models
GHSA-x757-hv69-jr45 CVE-2024-7959 HIGH 9 months ago
The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). An attacker can change th...
pypi
No PRs yet
Open WebUI Vulnerable to a Session Fixation Attack
GHSA-43g4-487m-5q6m CVE-2024-7053 HIGH 9 months ago
A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The sessi...
pypi
No PRs yet
Open Neural Network Exchange (ONNX) Path Traversal Vulnerability
GHSA-h36j-8vv3-cj52 CVE-2024-7776 HIGH 9 months ago
A vulnerability in the `download_model` function of the onnx/onnx framework, before and including version 1.16.1, allows for arbitrary file overwri...
pypi
No PRs yet
Aim Path Traversal vulnerability
GHSA-mrvr-7493-pfq3 CVE-2024-6851 HIGH 9 months ago
In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-specified glob-pattern for dele...
pypi
No PRs yet
Open WebUI Allows Arbitrary File Reading and Deletion
GHSA-jrhc-9qg9-4qfq CVE-2024-7043 HIGH 9 months ago
An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not ve...
pypi
No PRs yet
LoLLMS Code Injection vulnerability
GHSA-jccx-m9v4-9hwh CVE-2024-6982 HIGH 9 months ago
A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Pyt...
pypi
2 Dependabot PRs
Open WebUI Uncontrolled Resource Consumption vulnerability
GHSA-wcwp-9rcp-jvfg CVE-2024-7036 HIGH 9 months ago
A vulnerability in open-webui/open-webui v0.3.8 allows an unauthenticated attacker to sign up with excessively large text in the 'name' field, caus...
pypi
No PRs yet
Gunicorn HTTP Request/Response Smuggling vulnerability
GHSA-hc5x-x2vx-497g CVE-2024-6827 HIGH 9 months ago
Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to th...
pypi
No PRs yet
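The Gunicorn entry above describes the classic request-smuggling precondition: a server that does not parse Transfer-Encoding as the RFC specifies can be made to frame a body differently from the proxy in front of it. The following is an added example written for this page, not Gunicorn's code or its fix; it shows the strict framing decision a server should make from the raw header list (duplicates kept, since duplicates are part of the attack surface). The set of accepted transfer-codings is an assumption for the example.

```python
from __future__ import annotations

import re

# Transfer-codings this example server is willing to accept. An assumption
# for the demonstration: a real server lists exactly what it implements.
# "identity" is intentionally absent; it is not a registered transfer-coding
# in HTTP/1.1 (RFC 7230 section 4).
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress", "x-compress"}

# RFC 7230 "tchar" alphabet, used to validate each coding name as a token.
_TCHAR = re.compile(r"[!#$%&'*+.^_`|~0-9a-z-]+")


class BadRequest(Exception):
    """Raised for any request whose message framing is ambiguous."""


def parse_transfer_encoding(values: list[str]) -> list[str]:
    """Split one or more Transfer-Encoding field values into lower-cased
    coding names (RFC 7230 section 3.3.1), validating each as a token.
    Parameters after ';' do not affect framing and are dropped."""
    codings: list[str] = []
    for raw in values:
        for item in raw.split(","):
            item = item.strip()
            if not item:
                continue  # recipients may tolerate empty list elements
            name = item.split(";", 1)[0].strip().lower()
            if not _TCHAR.fullmatch(name):
                raise BadRequest(f"malformed transfer-coding {item!r}")
            codings.append(name)
    return codings


def request_framing(headers: list[tuple[str, str]]) -> tuple[str, int | None]:
    """Decide how the request body is delimited, or refuse the request.

    Returns ("chunked", None), ("content-length", n) or ("none", 0).
    Follows RFC 7230 section 3.3.3 but takes the strict option wherever
    the RFC merely permits rejection: any leniency here is exactly what a
    smuggling payload relies on to be read differently by two parsers.
    """
    te = [v for k, v in headers if k.lower() == "transfer-encoding"]
    cl = [v for k, v in headers if k.lower() == "content-length"]

    if te:
        codings = parse_transfer_encoding(te)
        if not codings:
            raise BadRequest("empty Transfer-Encoding")
        unknown = set(codings) - KNOWN_CODINGS
        if unknown:
            raise BadRequest(f"unsupported transfer-coding {sorted(unknown)}")
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            raise BadRequest("chunked must be the final coding and appear once")
        if cl:
            # TE and CL together: the proxy and this server may disagree
            # about where the body ends, so refuse rather than pick one.
            raise BadRequest("Transfer-Encoding and Content-Length both present")
        return "chunked", None

    if cl:
        if len(set(cl)) != 1:
            raise BadRequest("conflicting Content-Length values")
        value = cl[0].strip()
        if not value.isascii() or not value.isdigit():
            raise BadRequest(f"malformed Content-Length {cl[0]!r}")
        return "content-length", int(value)

    return "none", 0
```

A request that fails any of these checks should be answered with 400 and the connection closed, so that whatever bytes the attacker intended as the smuggled second request are never interpreted on a reused connection.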
Open WebUI Allows Admin Deletion via API Endpoint
GHSA-pqwr-phvv-v49f CVE-2024-7039 HIGH 9 months ago
In open-webui/open-webui version v0.3.8, there is an improper privilege management vulnerability. The application allows an attacker, acting as an ...
pypi
No PRs yet
LiteLLM Vulnerable to Remote Code Execution (RCE)
GHSA-53gh-p8jc-7rg8 CVE-2024-6825 HIGH 9 months ago
BerriAI/litellm version 1.40.12 contains a vulnerability that allows remote code execution. The issue exists in the handling of the 'post_call_rule...
pypi
No PRs yet
H2O Vulnerable to Arbitrary File Overwrite via File Export
GHSA-47f6-5p7h-5f3h CVE-2024-6854 HIGH 9 months ago
In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to a...
maven pypi
No PRs yet
LlamaIndex vulnerable to Creation of Temporary File in Directory with Insecure Permissions
GHSA-jmgm-gx32-vp4w CVE-2024-12911 HIGH 9 months ago
A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection...
pypi
No PRs yet
Open WebUI has vulnerable dependency on starlette via fastapi
GHSA-w466-2wfc-8g58 HIGH 9 months ago
In version 0.3.32 of open-webui, the application uses a vulnerable version of the starlette package through its dependency on fastapi. The starlett...
pypi
No PRs yet
Ollama Vulnerable to Denial of Service (DoS) via Crafted GZIP
GHSA-v464-r2r9-www7 CVE-2024-12886 HIGH 9 months ago
An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. This vulnerability can be triggered when a malicious API server ...
go
No PRs yet
Aim Uncontrolled Resource Consumption vulnerability
GHSA-35p3-6j45-prwm CVE-2024-12778 HIGH 9 months ago
A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics...
pypi
No PRs yet
Open WebUI Uncontrolled Resource Consumption vulnerability
GHSA-g3mx-83mp-3rwc CVE-2024-12534 HIGH 9 months ago
In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign...
npm pypi
No PRs yet
Open WebUI Uncontrolled Resource Consumption vulnerability
GHSA-chf7-q7m5-fq92 CVE-2024-12537 HIGH 9 months ago
In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/util...
npm pypi
No PRs yet
BentoML vulnerable to Uncontrolled Resource Consumption
GHSA-hh3j-9m59-p8vc HIGH 9 months ago
In bentoml/bentoml version 1.3.9, the `/login` endpoint of the newly integrated Gradio app is vulnerable to a Denial of Service (DoS) attack. This ...
pypi
No PRs yet
imaginAIry Denial of Service (DoS) vulnerability
GHSA-x5xw-28w4-53j5 CVE-2024-12761 HIGH 9 months ago
A Denial of Service (DoS) vulnerability exists in the brycedrennan/imaginairy repository, version 15.0.0. The vulnerability is present in the `/api...
pypi
No PRs yet
FastChat Server-Side Request Forgery vulnerability
GHSA-g44m-hpf4-vmrp CVE-2024-12376 HIGH 9 months ago
A Server-Side Request Forgery (SSRF) vulnerability was identified in the lm-sys/fastchat web server, specifically in the affected version git 2c68a...
pypi
No PRs yet
LlamaIndex Improper Handling of Exceptional Conditions vulnerability
GHSA-j3wr-m6xh-64hg CVE-2024-12704 HIGH 9 months ago
A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. Th...
pypi
No PRs yet
Kedro allows Remote Code Execution by Pulling Micro Packages
GHSA-rm69-wvpv-r2w7 CVE-2024-12215 HIGH 9 months ago
In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However...
pypi
1 Dependabot PRs
FastChat Server-Side Request Forgery vulnerability
GHSA-h254-g997-685c CVE-2024-11603 HIGH 9 months ago
A Server-Side Request Forgery (SSRF) vulnerability exists in lm-sys/fastchat version 0.2.36. The vulnerability is present in the `/queue/join?` end...
pypi
No PRs yet
Feast Cross-Origin Resource Sharing vulnerability
GHSA-wxpc-2674-rxvw CVE-2024-11602 HIGH 9 months ago
A Cross-Origin Resource Sharing (CORS) vulnerability exists in feast-dev/feast version 0.40.0. The CORS configuration on the feast server does...
pypi
No PRs yet
Ollama Allows Out-of-Bounds Read
GHSA-89qx-m49c-8crf CVE-2024-12055 HIGH 9 months ago
A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized gguf model file that can be uploaded to the public Ollam...
go
No PRs yet
GluonCV Arbitrary File Write via TarSlip
GHSA-m724-hqmc-ggpx CVE-2024-12216 HIGH 9 months ago
A vulnerability in the `ImageClassificationDataset.from_csv()` API of the `dmlc/gluon-cv` repository, version 0.10.0, allows for arbitrary file wri...
pypi
No PRs yet
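Several entries on this page are the same bug class under different names: AgentScope's `/api/file` and `/read-examples`, MLflow's dbfs URL concatenation, ONNX's `download_model` overwrite and GluonCV's TarSlip all let a caller-controlled path or archive member name land outside the directory the application intended. The block below is an added example written for this page, not code from any of those projects; it shows the two checks that close the class: resolving a user-supplied path against a base directory on the real filesystem before use, and applying that same check to every tar member (and refusing link members) before a single byte is written. The archives it builds are constructed test data.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile
from pathlib import Path


def resolve_under(base: str | os.PathLike, user_path: str) -> Path:
    """Join a caller-supplied path onto ``base`` and refuse any result that
    escapes it. Resolution uses the real filesystem path, so ``..``
    segments, absolute paths and symlinks inside ``base`` that point
    outside it are all rejected."""
    base_real = Path(base).resolve()
    candidate = (base_real / user_path).resolve()
    if candidate != base_real and base_real not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def safe_extract(tar: tarfile.TarFile, dest: str | os.PathLike) -> list[str]:
    """Extract ``tar`` into ``dest``, rejecting TarSlip members.

    All members are validated before any is written, so a rejected archive
    leaves no partial output behind. Link and device members are refused
    outright: a symlink member followed by a file member beneath it is the
    classic bypass of a name-only check. Returns the extracted names.
    """
    for member in tar.getmembers():
        if member.issym() or member.islnk():
            raise ValueError(f"link member refused: {member.name!r}")
        if member.isdev():
            raise ValueError(f"device member refused: {member.name!r}")
        resolve_under(dest, member.name)  # raises on escape
    # Python 3.12+ (and recent 3.8-3.11 point releases) ship tarfile's
    # "data" filter; use it as a second line of defence where available.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted: list[str] = []
    for member in tar.getmembers():
        tar.extract(member, path=dest, **kwargs)
        extracted.append(member.name)
    return extracted


def build_tar(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory tar from {member_name: content}. TarInfo accepts
    any name, so this can produce a malicious archive for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict[str, object]:
    """Extract a benign and a TarSlip archive (both constructed here) into a
    scratch directory and report what was written."""
    results: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as root:
        good = build_tar({"model/weights.bin": b"\x00" * 16, "model/config.json": b"{}"})
        with tarfile.open(fileobj=io.BytesIO(good)) as tar:
            results["good"] = safe_extract(tar, root)
        # A benign-looking member first, then one that climbs out of ``root``.
        evil = build_tar({"model/ok.txt": b"ok", "../../escaped.txt": b"pwn"})
        with tarfile.open(fileobj=io.BytesIO(evil)) as tar:
            try:
                safe_extract(tar, root)
                results["evil"] = "extracted"
            except ValueError as exc:
                results["evil"] = str(exc)
        results["written"] = sorted(
            p.relative_to(root).as_posix() for p in Path(root).rglob("*") if p.is_file()
        )
    return results
```

The ordering in `safe_extract` matters: validate everything, then write. Checking each member just before extracting it would still leave `model/ok.txt` on disk from the malicious archive, which is how partial-extraction bugs turn into persistence for an attacker who can retry.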
InvokeAI Uncontrolled Resource Consumption vulnerability
GHSA-ffh5-w482-c7m5 CVE-2024-11043 HIGH 9 months ago
A Denial of Service (DoS) vulnerability was discovered in the /api/v1/boards/{board_id} endpoint of invoke-ai/invokeai version v5.0.2. This vulnera...
pypi
No PRs yet
FastChat Uncontrolled Resource Consumption vulnerability
GHSA-qg86-f892-m4hj CVE-2024-10907 HIGH 9 months ago
In lm-sys/fastchat Release v0.2.36, the server fails to handle excessive characters appended to the end of multipart boundaries. This flaw can be e...
pypi
No PRs yet
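Three entries on this page (Gradio, Open WebUI's `api/chat/file`, and the FastChat entry just above) are multipart-boundary denial of service: the server hands whatever the client put in the `boundary` parameter straight to the body parser, and an over-long or malformed boundary makes that parser do far more work than the request size justifies. The block below is an added example for this page, not code from any of those projects or from a multipart library; it validates the boundary against the RFC 2046 grammar (at most 70 characters, restricted alphabet, no trailing space) before any body parsing starts, and pairs that with a deliberately small bounded part splitter so the number of delimiters walked is also capped. The sample bodies are constructed.

```python
from __future__ import annotations

import re

# RFC 2046 section 5.1.1: boundary := 0*69<bchars> bcharsnospace, i.e. 1 to 70
# characters from a fixed alphabet, never ending in a space.
_BOUNDARY = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]")


class BadRequest(Exception):
    """Raised when the upload is refused before the body is parsed."""


def parse_content_type(header: str) -> tuple[str, dict[str, str]]:
    """Split a Content-Type value into (media-type, {param: value}).
    Parameter names are lower-cased; a quoted-string value has its
    surrounding quotes removed and no further unescaping is attempted."""
    media, _, rest = header.partition(";")
    params: dict[str, str] = {}
    for piece in rest.split(";"):
        name, sep, value = piece.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[name.strip().lower()] = value
    return media.strip().lower(), params


def multipart_boundary(content_type: str) -> bytes:
    """Return the boundary for a multipart/form-data upload, or refuse it."""
    media, params = parse_content_type(content_type)
    if media != "multipart/form-data":
        raise BadRequest(f"expected multipart/form-data, got {media!r}")
    boundary = params.get("boundary")
    if boundary is None:
        raise BadRequest("multipart/form-data without a boundary parameter")
    if not _BOUNDARY.fullmatch(boundary):
        raise BadRequest(f"boundary rejected ({len(boundary)} chars)")
    return boundary.encode("ascii")


def split_parts(body: bytes, boundary: bytes, max_parts: int = 32) -> list[bytes]:
    """Walk the body delimiter by delimiter and return each part's raw bytes
    (headers plus content), refusing the request as soon as more than
    ``max_parts`` parts are seen. This is a small splitter for the
    demonstration, not a full multipart parser: it does not decode part
    headers and it expects CRLF line endings."""
    dash = b"--" + boundary
    parts: list[bytes] = []
    pos = body.find(dash)
    if pos == -1:
        raise BadRequest("no delimiter in body")
    pos += len(dash)
    while True:
        if body.startswith(b"--", pos):
            return parts  # closing delimiter reached
        if not body.startswith(b"\r\n", pos):
            raise BadRequest("delimiter not followed by CRLF")
        start = pos + 2
        nxt = body.find(b"\r\n" + dash, start)
        if nxt == -1:
            raise BadRequest("unterminated part")
        if len(parts) >= max_parts:
            raise BadRequest(f"more than {max_parts} parts")
        parts.append(body[start:nxt])
        pos = nxt + 2 + len(dash)
```

The boundary check is the cheap half: it runs on one header before a byte of body is read. The part cap only helps if a body size limit is also enforced upstream, since an attacker who cannot add delimiters can still send a single enormous part; treat the two limits as a pair.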