{"data":{"id":"2573892b-4d58-4e2a-a5b4-b6569c79680d","title":"CVE-2026-33626: LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Ser","summary":"LMDeploy, a toolkit for compressing, deploying, and serving large language models, contains a Server-Side Request Forgery vulnerability (SSRF, a flaw that lets attackers trick a server into making requests to unintended targets) in versions before 0.12.3. The vulnerability exists in the `load_image()` function, which downloads images from URLs without checking if those URLs point to private or internal systems, potentially allowing attackers to access sensitive cloud services and internal networks.","solution":"Update LMDeploy to version 0.12.3 or later, which patches the issue.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-33626","publishedAt":"2026-04-20T21:16:35.097Z","cveId":"CVE-2026-33626","cweIds":["CWE-918"],"cvssScore":"7.5","cvssSeverity":"high","severity":"high","attackType":[],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["LMDeploy"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"none","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-20T21:16:35.097Z","capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"inference","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}