CVE-2024-12534
Description: In version v0.3.32 of open-webui/open-webui, the application allows users to submit large payloads in the email and password fields during the sign-in process due to the lack of character length validation on these inputs. This vulnerability can lead to a Denial of Service (DoS) condition when a user submits excessively large strings, exhausting server resources such as CPU, memory, and disk space, and rendering the service unavailable for legitimate users. This makes the server susceptible to resource exhaustion attacks without requiring authentication.
CVSS: HIGH (7.5) EPSS Score: 0.09%
March 20th, 2025

CVE-2024-12390
Description: A vulnerability in binary-husky/gpt_academic version git 310122f allows for remote code execution. The application supports the extraction of user-provided RAR files without proper validation. The Python rarfile module, which supports symlinks, can be exploited to perform arbitrary file writes. This can lead to remote code execution by writing to sensitive files such as SSH keys, crontab files, or the application's own code.
CVSS: HIGH (8.8) EPSS Score: 0.41%
March 20th, 2025

CVE-2024-12389
Description: A path traversal vulnerability exists in binary-husky/gpt_academic version git 310122f. The application supports the extraction of user-provided 7z files without proper validation. The Python py7zr package used for extraction does not guarantee that files will remain within the intended extraction directory. An attacker can exploit this vulnerability to perform arbitrary file writes, which can lead to remote code execution.
CVSS: HIGH (8.8) EPSS Score: 0.48%
March 20th, 2025

CVE-2024-12376
Description: A Server-Side Request Forgery (SSRF) vulnerability was identified in the lm-sys/fastchat web server, specifically in the affected version git 2c68a13. This vulnerability allows an attacker to access internal server resources and data that are otherwise inaccessible, such as AWS metadata credentials.
CVSS: HIGH (7.5) EPSS Score: 0.04%
March 20th, 2025

CVE-2024-12216
Description: A vulnerability in the `ImageClassificationDataset.from_csv()` API of the `dmlc/gluon-cv` repository, version 0.10.0, allows for arbitrary file write. The function downloads and extracts `tar.gz` files from URLs without proper sanitization, making it susceptible to a TarSlip vulnerability. Attackers can exploit this by crafting malicious tar files that, when extracted, can overwrite files on the victim's system via path traversal or faked symlinks.
CVSS: HIGH (7.1) EPSS Score: 0.03%
March 20th, 2025

CVE-2024-12215
Description: In kedro-org/kedro version 0.19.8, the `pull_package()` API function allows users to download and extract micro packages from the Internet. However, the function `project_wheel_metadata()` within the code path can execute the `setup.py` file inside the tar file, leading to remote code execution (RCE) by running arbitrary commands on the victim's machine.
CVSS: HIGH (8.8) EPSS Score: 0.32%
March 20th, 2025

CVE-2024-12070
Description: A Denial of Service (DoS) vulnerability exists in the file upload feature of haotian-liu/llava, specifically in Release v1.2.0 (LLaVA-1.6). The vulnerability is due to improper handling of form-data with a large filename in the file upload request. By sending a payload with an excessively large filename, the server becomes overwhelmed and unresponsive, leading to unavailability for legitimate users. This issue can be exploited without authentication, making it highly scalable and increasing the risk of exploitation.
CVSS: HIGH (7.5) EPSS Score: 0.12%
March 20th, 2025

CVE-2024-12068
Description: A Server-Side Request Forgery (SSRF) vulnerability was discovered in haotian-liu/llava, affecting version git c121f04. This vulnerability allows an attacker to make the server perform HTTP requests to arbitrary URLs, potentially accessing sensitive data that is only accessible from the server, such as AWS metadata credentials.
CVSS: HIGH (7.5) EPSS Score: 0.04%
March 20th, 2025

CVE-2024-12065
Description: A local file inclusion vulnerability exists in haotian-liu/llava at commit c121f04. This vulnerability allows an attacker to access any file on the system by sending multiple crafted requests to the server. The issue is due to improper input validation in the gradio web UI component.
CVSS: HIGH (7.5) EPSS Score: 0.12%
March 20th, 2025

CVE-2024-12063
Description: A Denial of Service (DoS) vulnerability exists in the file upload feature of imartinez/privategpt version v0.6.2. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. An attacker can exploit this by sending a payload with an excessively large filename, causing the server to become overwhelmed and unavailable to legitimate users.
CVSS: HIGH (7.5) EPSS Score: 0.05%
March 20th, 2025