AI Security Threat Feed

A vulnerability was found in vllm up to 0.19.0. The affected element is the function has_mamba_layers of the file vllm/v1/kv_cache_interface.py of the...

A security flaw has been discovered in Ollama up to 0.20.2. This affects the function digestToPath of the file x/imagegen/transfer/transfer.go of the component...

A vulnerability was detected in lm-sys fastchat up to 0.2.36. Impacted is the function add_text of the component Arena Side-by-Side View Handler. The...

A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file...

A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of...

langsmith: prototype pollution enables auth bypass, RCE

rembg: path traversal exposes arbitrary files via HTTP API

PraisonAI: MCP env inheritance exposes API keys

PraisonAI: decompression bomb causes disk exhaustion

praisonaiagents: glob traversal leaks filesystem metadata

PraisonAI: unauthenticated agent config and system prompt disclosure

PraisonAI: unbounded body read enables local DoS

OpenClaw: SSRF via web-fetch enables internal network pivot

PraisonAI: arbitrary file read via unguarded skill tool

PraisonAI: XSS via no-op HTML sanitizer in agent output

openai-realtime-ui: SSRF in API proxy endpoint

LobeChat: auth bypass via forged XOR obfuscated header

lollms: sessions persist after password reset

MLflow: auth bypass exposes model artifacts across experiments

MLflow: stored XSS via MLmodel YAML artifact upload