All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
PraisonAI's CLI automatically expands @url mentions in prompts by making HTTP requests to any URL without restrictions, including localhost addresses. This allows an attacker to embed a malicious prompt with `@url:http://localhost:8766/` to make the user's machine fetch local-only HTTP resources (like metadata services or internal APIs) and inject the response into the model's context, creating a local SSRF (server-side request forgery, where a system is tricked into making requests to internal networks) vulnerability.
FastGPT, an AI Agent building platform, had a vulnerability in its JavaScript sandbox worker that failed to properly block dynamic imports (a way to load code at runtime). An attacker could bypass the security filter using a comment syntax (`import/**/("child_process")`) that the filter didn't recognize, allowing them to execute arbitrary commands inside the sandbox container.
SillyTavern is a locally installed interface for interacting with text generation AI models and other AI tools. Versions before 1.18.0 had a vulnerability where the `corsProxyMiddleware` (a component that handles web requests) would forward user-supplied URLs directly to the `fetch` function without proper security checks, allowing SSRF (server-side request forgery, where an attacker tricks the server into making requests to unintended targets) attacks.
SillyTavern is a locally installed interface for interacting with text generation AI models and related tools. Prior to version 1.18.0, the software had a cross-site scripting vulnerability (XSS, where attackers inject malicious code into web pages), because user-controlled URLs were displayed in error messages without being HTML-escaped (made safe for web display), allowing attackers to inject harmful scripts.
A sandbox escape vulnerability in nono (a sandboxing tool using Landlock/seccomp, which are Linux security features that restrict what programs can do) allows processes running inside the sandbox to break out by communicating with systemd D-Bus sockets (the inter-process communication system that manages user services). An AI agent or untrusted tool with bash access could exploit this to write files or run commands outside the sandbox with the user's permissions.
A removed safety check in OpenTelemetry Go's baggage parsing (the mechanism for passing contextual data between services) allows attackers to send extremely large or malformed baggage headers that consume excessive CPU and memory while being fully processed and logged, creating a denial-of-service vulnerability. The parser no longer rejects oversized inputs upfront and instead processes every invalid member completely, sending errors to the logging system by default.
Gradio versions before 6.15.0 have a cookie injection vulnerability that lets attackers perform session fixation (tricking a system into using a fake session ID) across multiple user spaces. An attacker controlling one Gradio Space can inject a cookie into a shared HTTP client (a tool that sends web requests) that automatically gets sent to all other legitimate Spaces, affecting every user on that Gradio deployment.
Typebot.io has a stored XSS (cross-site scripting, where malicious code is saved and runs when users view it) vulnerability in its chatbot viewer that allows bot creators to embed `javascript:` URIs in text links. When visitors click these links, the JavaScript executes in their browser with access to cookies and session tokens from the host website.
Vowpal Wabbit, a machine learning system, has a vulnerability in its GitHub workflow file where pull request titles are inserted directly into bash commands without proper protection. An attacker can craft a malicious pull request title with shell commands that will execute on the build system before Python runs, since the shell processes the string first. Since pull requests can be opened on any branch without special permission, anyone can trigger this attack.
A vulnerability (CVE-2026-9540) was found in vllm version 0.19.0 that affects the OpenAI-compatible Serving Path component and can be exploited remotely to cause a denial of service (making a service unavailable by overwhelming it). The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 5.5 (medium severity), and a public exploit is already available.
Pydantic AI had a security flaw where attackers could bypass protections against accessing cloud-metadata endpoints (special internal servers that store sensitive credentials) by encoding the IP address in IPv6 transition forms (IPv4-mapped IPv6, 6to4, or NAT64, which are ways to represent IPv4 addresses using IPv6 format). This flaw only affects applications that explicitly allow local file downloads with the `force_download='allow-local'` setting on URLs that could be influenced by untrusted users.
Flowise has a security flaw in its `/api/v1/chatflows/apikey` endpoint that allows a user with a valid API key to view chatflow configurations (including system prompts, workflow graphs, and credential IDs) from other workspaces, as long as those chatflows don't have an API key assigned. The endpoint returns both the user's own chatflows and all unprotected chatflows across the entire system without filtering by workspace, breaking the isolation between workspaces.
Flowise has a mass assignment vulnerability in its `PUT /api/v1/user` endpoint that lets authenticated users directly change their password hash without verifying their old password. An attacker with a stolen session token can send a crafted request that overwrites the credential field, bypassing password verification, hashing enforcement, and policy validation, which gives them permanent access to the account.
Flowise, an AI tool, has a hardcoded setting that allows any webpage on the internet to make requests to its text-to-speech (TTS, a feature that converts written text into spoken audio) endpoint using your stored credentials. This bypasses the server's normal cross-origin request protection (CORS, which controls what websites can access a server's data), letting malicious webpages secretly generate speech on your behalf.
RTK (Rust Token Killer, a tool that filters sensitive data before showing command output to an LLM) had a vulnerability where it automatically loaded filter configuration files from a project directory without asking the user first, allowing attackers to secretly modify what an LLM sees. An attacker could place a malicious filter file in a repository to hide or alter command output (like file contents or security scan results) without any warning, potentially concealing malicious code during development.
NVIDIA Triton Inference Server has a vulnerability in its DALI backend (a component that processes data) that allows attackers to cause uncontrolled resource consumption, potentially leading to a denial of service attack (making the service unavailable to legitimate users).
NVIDIA Triton Inference Server contains a path traversal vulnerability (CWE-22, a flaw where attackers can access files outside the intended directory) that could allow an attacker to cause a denial of service (making the service unavailable). The vulnerability carries a CVSS 4.0 severity rating, though NIST has not yet published a detailed assessment.
Fix: This vulnerability is fixed in version 4.15.0-beta1.
NVD/CVE Database
Fix: This vulnerability is fixed in version 1.18.0.
NVD/CVE Database
Fix: This vulnerability is fixed in version 1.18.0. Users should update SillyTavern to 1.18.0 or later.
NVD/CVE Database
Fix: The source states: 'Support for restricting this behavior has since been added and the fix is available in the repository pending release.' However, no specific version number, patch details, or explicit mitigation steps are provided in the text.
GitHub Advisory Database
Gryph is a security tool that protects AI coding agents (software that writes code with AI help) by controlling what information gets saved to a local database. Before version 0.7.0, Gryph's documentation incorrectly stated that logging (recording activity) was set to a minimal level by default, but it was actually set to standard, causing sensitive file content to be stored in the database even though Gryph was supposed to filter it out.
Fix: This vulnerability is fixed in version 0.7.0.
NVD/CVE Database
Fix: Update Gradio to version 6.15.0 or later. The vulnerability is fixed in the release available at https://github.com/gradio-app/gradio/releases/tag/gradio%406.15.0.
NVD/CVE Database
Microsoft is previewing automatic device isolation in Defender for Endpoint, a feature that uses AI to quickly disconnect compromised devices from the network while keeping them connected to security services, helping contain attacks that move at machine speed. However, a SANS Institute research paper warns that attackers could potentially exploit this feature to disable user accounts if it is not properly configured and tuned. Security experts emphasize that autonomous AI action tools like this must be carefully configured and tested, similar to any other automation capability.
Fix: The source proposes filtering `javascript:` URIs before rendering anchor tags using this function: `const safeUrl = (url: string) => /^javascript:/i.test(url.trim()) ? '#' : url`, and then rendering links as `<a href={safeUrl(elementDescendant.url as string)} ...>`. Alternatively, the source recommends using a URL allowlist that only permits the `https:`, `http:`, `mailto:`, and `tel:` schemes.
GitHub Advisory Database
Fix: This vulnerability is fixed by commit 998e390e80a7e8192d7849b7784bc113dbd190ad.
NVD/CVE Database
Fix: A pull request to fix this issue awaits acceptance (mentioned in the source as pending at https://github.com/vllm-project/vllm/pull/37594).
NVD/CVE Database
Fix: Upgrade to Pydantic AI version 1.99.0 or later, which extends the blocklists to cover IPv6 transition forms that route to blocked IPv4 endpoints and adds protection for additional IANA-reserved IP ranges. For unpatched versions, avoid using `force_download='allow-local'` on URLs influenced by untrusted input, or resolve hostnames manually and validate them against your own blocklist including IPv6-encoded forms before creating the FileUrl.
GitHub Advisory Database
Apple's Memory Integrity Enforcement (MIE, a hardware-based protection against memory corruption attacks, where attackers modify data in a computer's RAM to take control) was bypassed by researchers using AI systems, who developed a working exploit for macOS on M5 chips in under a week. The article argues that while defense-in-depth (layering multiple security barriers in hardware and software) can slow attackers down, AI-assisted exploration of vulnerabilities now happens faster than traditional human-only methods, making older security designs insufficient.
Fix: Remove the hardcoded CORS wildcard headers from the TTS endpoint. Specifically, delete these lines from `packages/server/src/controllers/text-to-speech/index.ts` at line 83: `res.setHeader('Access-Control-Allow-Origin', '*')` and `res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')`. This allows the server's standard CORS middleware to handle access control instead.
GitHub Advisory Database
Fix: Fixed in v0.32.0 (PRs #623, #625): the `.rtk/filters.toml` file is now blocked by default with a visible warning stating '[rtk] WARNING: untrusted project filters — Filters NOT applied. Run rtk trust to review and enable.' The patch also adds SHA-256 hash verification (a cryptographic check ensuring the file hasn't changed) to re-block filters if the file is modified after being trusted, and introduces new `rtk trust` and `rtk untrust` commands to let users explicitly approve configuration files.
GitHub Advisory Database