CVE Database

37700+ vulnerabilities with CVSS scores, EPSS exploit predictions, and CISA KEV status. Updated daily.

Filter: All CRITICAL HIGH MEDIUM LOW CISA KEV
Sort: Newest CVSS EPSS
CVE-2024-8063
7.5 HIGH

A divide by zero vulnerability exists in ollama/ollama version v0.3.3. The vulnerability occurs when importing GGUF models with a crafted type for `block_count` in the …

Mar 20, 2025
CVE-2024-8062
7.5 HIGH

A vulnerability in the typeahead endpoint of h2oai/h2o-3 version 3.46.0 allows for a denial of service. The endpoint performs a `HEAD` request to verify the …

Mar 20, 2025
CVE-2024-8061
7.5 HIGH

In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, causing the server to wait indefinitely for …

Mar 20, 2025
CVE-2024-8060
8.1 HIGH

OpenWebUI version 0.3.0 contains a vulnerability in the audio API endpoint `/audio/api/v1/transcriptions` that allows for arbitrary file upload. The application performs insufficient validation on the …

Mar 20, 2025
CVE-2024-8055
7.5 HIGH

Vanna v0.6.3 is vulnerable to SQL injection via Snowflake database in its file staging operations using the `PUT` and `COPY` commands. This vulnerability allows unauthenticated …

Mar 20, 2025
CVE-2024-8053
8.2 HIGH

In version v0.3.10 of open-webui/open-webui, the `api/v1/utils/pdf` endpoint lacks authentication mechanisms, allowing unauthenticated attackers to access the PDF generation service. This vulnerability can be exploited …

Mar 20, 2025
CVE-2024-8028
7.5 HIGH

A vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed multipart boundary. By …

Mar 20, 2025
CVE-2024-8026
8.1 HIGH

A Cross-Site Request Forgery (CSRF) vulnerability exists in the backend API of netease-youdao/qanything, as of commit d9ab8bc. The backend server has overly permissive CORS headers, …

Mar 20, 2025
CVE-2024-8024
7.5 HIGH

A CORS misconfiguration vulnerability exists in netease-youdao/qanything version 1.4.1. This vulnerability allows an attacker to bypass the Same-Origin Policy, potentially leading to sensitive information exposure. …

Mar 20, 2025
CVE-2024-8020
7.5 HIGH

A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint …

Mar 20, 2025
CVE-2024-8018
7.5 HIGH

A vulnerability in imartinez/privategpt version 0.5.0 allows for a Denial of Service (DOS) attack. When uploading a file, if an attacker appends a large number …

Mar 20, 2025
CVE-2024-7990
8.4 HIGH

A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/models/add` endpoint, where the model description field is …

Mar 20, 2025
CVE-2024-7983
7.5 HIGH

In version 0.3.8 of open-webui, an endpoint for converting markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server …

Mar 20, 2025
CVE-2024-7959
7.7 HIGH

The `/openai/models` endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). An attacker can change the OpenAI URL to any URL without …

Mar 20, 2025
CVE-2024-7819
7.4 HIGH

A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due …

Mar 20, 2025
CVE-2024-7806
8.8 HIGH

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the …

Mar 20, 2025
CVE-2024-7779
7.5 HIGH

A vulnerability in danswer-ai/danswer version 1 allows an attacker to perform a Regular Expression Denial of Service (ReDoS) by manipulating regular expressions. This can significantly …

Mar 20, 2025
CVE-2024-7768
7.5 HIGH

A vulnerability in the `/3/ImportFiles` endpoint of h2oai/h2o-3 version 3.46.1 allows an attacker to cause a denial of service. The endpoint takes a single GET …

Mar 20, 2025
CVE-2024-7767
8.1 HIGH

An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete …

Mar 20, 2025
CVE-2024-7765
7.5 HIGH

In h2oai/h2o-3 version 3.46.0.2, a vulnerability exists where uploading and repeatedly parsing a large GZIP file can cause a denial of service. The server becomes …

Mar 20, 2025
CVE-2024-7764
8.1 HIGH

Vanna-ai v0.6.2 is vulnerable to SQL Injection due to insufficient protection against injecting additional SQL commands from user requests. The vulnerability occurs when the `generate_sql` …

Mar 20, 2025
CVE-2024-7044
8.9 HIGH

A Stored Cross-Site Scripting (XSS) vulnerability exists in the chat file upload functionality of open-webui/open-webui version 0.3.8. An attacker can inject malicious content into a …

Mar 20, 2025
CVE-2024-7043
8.8 HIGH

An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is …

Mar 20, 2025
CVE-2024-7036
7.5 HIGH

A vulnerability in open-webui/open-webui v0.3.8 allows an unauthenticated attacker to sign up with excessively large text in the 'name' field, causing the Admin panel to …

Mar 20, 2025
CVE-2024-7034
7.2 HIGH

In open-webui version 0.3.8, the endpoint `/models/upload` is vulnerable to arbitrary file write due to improper handling of user-supplied filenames. The vulnerability arises from the …

Mar 20, 2025
CVE-2024-7033
7.2 HIGH

In version 0.3.8 of open-webui/open-webui, an arbitrary file write vulnerability exists in the download_model endpoint. When deployed on Windows, the application improperly handles file paths, …

Mar 20, 2025
CVE-2024-6982
8.4 HIGH

A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to …

Mar 20, 2025
CVE-2024-6866
7.5 HIGH

corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended …

Mar 20, 2025
CVE-2024-6854
7.1 HIGH

In h2oai/h2o-3 version 3.46.0, the endpoint for exporting models does not restrict the export location, allowing an attacker to export a model to any file …

Mar 20, 2025
CVE-2024-6851
7.5 HIGH

In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-specified glob-pattern for deleting files. The function does not verify …

Mar 20, 2025
CVE-2024-6842
7.5 HIGH

In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes …

Mar 20, 2025
CVE-2024-6827
7.5 HIGH

Gunicorn version 21.2.0 does not properly validate the value of the 'Transfer-Encoding' header as specified in the RFC standards, which leads to the default fallback …

Mar 20, 2025
CVE-2024-6825
8.8 HIGH

BerriAI/litellm version 1.40.12 contains a vulnerability that allows remote code execution. The issue exists in the handling of the 'post_call_rules' configuration, where a callback function …

Mar 20, 2025
CVE-2024-4023
8.1 HIGH

A stored cross-site scripting (XSS) vulnerability exists in flatpressblog/flatpress version 1.3. When a user uploads a file with a `.xsig` extension and directly accesses this …

Mar 20, 2025
CVE-2024-2292
7.1 HIGH

Due to a lack of access control, unauthorized users are able to view and modify information pertaining to other users.

Mar 20, 2025
CVE-2024-12911
7.1 HIGH

A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary …

Mar 20, 2025
CVE-2024-12886
7.5 HIGH

An Out-Of-Memory (OOM) vulnerability exists in the `ollama` server version 0.3.14. This vulnerability can be triggered when a malicious API server responds with a gzip …

Mar 20, 2025
CVE-2024-12882
7.5 HIGH

comfyanonymous/comfyui version v0.2.4 suffers from a non-blind Server-Side Request Forgery (SSRF) vulnerability. This vulnerability can be exploited by combining the REST APIs `POST /internal/models/download` and …

Mar 20, 2025
CVE-2024-12866
7.5 HIGH

A local file inclusion vulnerability exists in netease-youdao/qanything version v2.0.0. This vulnerability allows an attacker to read arbitrary files on the file system, which can …

Mar 20, 2025
CVE-2024-12864
7.5 HIGH

A Denial of Service (DoS) vulnerability was discovered in the file upload feature of netease-youdao/qanything version v2.0.0. The vulnerability is due to improper handling of …

Mar 20, 2025
CVE-2024-12779
7.5 HIGH

A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the `POST /v1/llm/add_llm` and `POST /v1/conversation/tts` endpoints. Attackers can …

Mar 20, 2025
CVE-2024-12778
7.5 HIGH

A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics are …

Mar 20, 2025
CVE-2024-12776
8.1 HIGH

In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. …

Mar 20, 2025
CVE-2024-12766
7.5 HIGH

parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the `POST /api/proxy` REST API. Attackers can exploit this vulnerability to abuse …

Mar 20, 2025
CVE-2024-12761
7.5 HIGH

A Denial of Service (DoS) vulnerability exists in the brycedrennan/imaginairy repository, version 15.0.0. The vulnerability is present in the `/api/stablestudio/generate` endpoint, which can be exploited …

Mar 20, 2025
CVE-2024-12720
7.5 HIGH

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() …

Mar 20, 2025
CVE-2024-12704
7.5 HIGH

A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the …

Mar 20, 2025
CVE-2024-12537
7.5 HIGH

In version 0.3.32 of open-webui/open-webui, the absence of authentication mechanisms allows any unauthenticated attacker to access the `api/v1/utils/code/format` endpoint. If a malicious actor sends a …

Mar 20, 2025
CVE-2024-12534
7.5 HIGH

In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to …

Mar 20, 2025
CVE-2024-12390
8.8 HIGH

A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. The application supports the extraction of user-provided RAR files without proper validation. The …

Mar 20, 2025

Scan your infrastructure for known CVEs

Free website and port scanning — find vulnerabilities before attackers do.