CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-10366 |
Description: An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat version v0.7.5-rc2. The endpoint does not verify whether the provided attachment ID belongs to the current user, allowing any authenticated user to delete attachments of other users.
CVSS: HIGH (7.6) EPSS Score: 0.04%
March 20th, 2025 (4 months ago)
|
|
CVE-2024-10361 |
Description: An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /api/files endpoint. This vulnerability arises from improper input validation, allowing path traversal techniques to delete arbitrary files on the server. Attackers can exploit this to bypass security mechanisms and delete files outside the intended directory, including critical system files, user data, or application resources. This vulnerability impacts the integrity and availability of the system.
CVSS: HIGH (8.1) EPSS Score: 0.05%
March 20th, 2025 (4 months ago)
|
|
CVE-2024-10275 |
Description: In version 1.5.5 of lunary-ai/lunary, a vulnerability exists where admins, who do not have direct permissions to access billing resources, can change the permissions of existing users to include billing permissions. This can lead to a privilege escalation scenario where an administrator can manage billing, effectively bypassing the intended role-based access control. Only users with the 'owner' role should be allowed to invite members with billing permissions. This flaw allows admins to circumvent those restrictions, gaining unauthorized access and control over billing information, posing a risk to the organization’s financial resources.
CVSS: HIGH (7.3) EPSS Score: 0.02%
March 20th, 2025 (4 months ago)
|
|
CVE-2024-10272 |
Description: lunary-ai/lunary is vulnerable to broken access control in the latest version. An attacker can view the content of any dataset without any kind of authorization by sending a GET request to the /v1/datasets endpoint without a valid authorization token.
CVSS: HIGH (7.5) EPSS Score: 0.04%
March 20th, 2025 (4 months ago)
|
|
CVE-2024-10267 |
Description: An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. An attacker can leak sensitive user information, including names, emails, and passwords, by attempting to register a new account with an email that is already in use. The server returns all information associated with the existing account. The vulnerable endpoint is located in the user registration functionality.
CVSS: HIGH (7.5) EPSS Score: 0.04%
March 20th, 2025 (4 months ago)
|
|
CVE-2024-10264 |
Description: HTTP Request Smuggling vulnerability in netease-youdao/qanything version 1.4.1 allows attackers to exploit inconsistencies in the interpretation of HTTP requests between a proxy and a server. This can lead to unauthorized access, bypassing security controls, session hijacking, data leakage, and potentially arbitrary code execution.
CVSS: HIGH (7.5) EPSS Score: 0.1%
March 20th, 2025 (4 months ago)
|
|
CVE-2024-10252 |
Description: A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the deletion of the entire sandbox service and causing irreversible damage.
CVSS: HIGH (8.8) EPSS Score: 0.05%
March 20th, 2025 (4 months ago)
|
|
CVE-2024-10225 |
Description: A vulnerability in haotian-liu/llava v1.2.0 allows an attacker to cause a Denial of Service (DoS) by appending a large number of characters to the end of a multipart boundary in a file upload request. This causes the server to continuously process each character, rendering the application inaccessible.
CVSS: HIGH (7.5) EPSS Score: 0.05%
March 20th, 2025 (4 months ago)
|
|
CVE-2024-10188 |
Description: A vulnerability in BerriAI/litellm, as of commit 26c03c9, allows unauthenticated users to cause a Denial of Service (DoS) by exploiting the use of ast.literal_eval to parse user input. This function is not safe and is prone to DoS attacks, which can crash the litellm Python server.
CVSS: HIGH (7.5) EPSS Score: 0.04%
March 20th, 2025 (4 months ago)
|
|
CVE-2024-10110 |
Description: In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server, leading to the main thread being blocked indefinitely. This results in a denial of service as the tracking server becomes unable to respond to other requests.
CVSS: HIGH (7.5) EPSS Score: 0.06%
March 20th, 2025 (4 months ago)
|