{"data":{"id":"ca8f4e09-da6e-4013-ac5e-2d402b2455d5","title":"LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure","summary":"A serious server-side request forgery (SSRF) flaw in LMDeploy (an open-source toolkit for deploying language models), tracked as CVE-2026-33626, was exploited by attackers within 13 hours of being made public. SSRF is a weakness where a server is tricked into making requests to internal systems it shouldn't access; here, the image-loading function fails to block requests to private IP addresses, potentially letting attackers steal cloud credentials and access internal networks.","solution":"LMDeploy versions 0.12.0 and earlier with vision-language support are affected. The source text does not explicitly mention a patched version number, update, or mitigation steps. N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://thehackernews.com/2026/04/lmdeploy-cve-2026-33626-flaw-exploited.html","publishedAt":"2026-04-24T07:24:00.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain"],"issueType":"news","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["LMDeploy","internlm-xcomposer2","OpenGVLab/InternVL2-8B"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-04-24T07:24:00.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"inference","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}