API
AI APIs are the boundary between the application and the model. Self-hosted inference servers (vLLM, Triton, Ollama, TGI) and third-party gateways (LiteLLM, OpenRouter) expose OpenAI-compatible endpoints, and the same web-app vulnerability classes appear here: missing or weak authentication on /v1/chat/completions, broken authorization between tenants, lack of rate limiting that lets an attacker drain quota or burn GPU time, and overly permissive CORS that leaks API keys from browser-side calls. The blast radius is unusual: a single auth-bypass on an inference endpoint exposes both data and compute, and in the case of paid hosted models, directly costs money. We have seen production CVEs across most popular self-hosted servers in the last 18 months. Defenses: require auth on every endpoint, per-tenant rate limits, separate key scopes for read vs admin, and pin server versions aggressively.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-46339 | 9router: unauthenticated RCE exposes LLM API keys | 9router | 10.0 |
| CRITICAL | GHSA-3875-8gcx-7v46 | n8n: SSRF bypasses credential domain restrictions | n8n | 9.1 |
| MEDIUM | GHSA-m837-xvxr-vqwg | Flowise: hardcoded CORS wildcard enables drive-by credential abuse | flowise | - |
| HIGH | CVE-2026-47101 | LiteLLM: RBAC bypass enables proxy admin escalation | litellm | 8.8 |
| HIGH | CVE-2026-47102 | LiteLLM: privilege escalation to proxy_admin via /user/update | litellm | 8.8 |
| MEDIUM | CVE-2026-9540 | vllm: unauthenticated DoS in OpenAI-compatible serving path | vllm | 5.3 |
| HIGH | CVE-2026-44175 | Kirby CMS: stored XSS in list field enables session hijack | getkirby/cms | - |
| HIGH | CVE-2026-44174 | Kirby: unsafe reflection allows privilege escalation | getkirby/cms | - |
| UNKNOWN | CVE-2026-9806 | CTI Transmute: stored XSS in notification panel | - | |
| HIGH | CVE-2026-41235 | Froxlor: shell whitelist bypass grants host shell access | froxlor/froxlor | - |
| MEDIUM | CVE-2026-49384 | PyCharm: stored XSS via Jupyter Markdown cells | 6.1 | |
| HIGH | CVE-2026-47406 | praisonai-platform: IDOR enables cross-workspace data poisoning | praisonai-platform | 8.1 |
| MEDIUM | CVE-2026-47408 | praisonai-platform: IDOR exposes cross-tenant activity logs | praisonai-platform | 6.5 |
| HIGH | CVE-2026-48169 | praisonai-platform: IDOR allows full workspace takeover | praisonai-platform | 8.8 |
| CRITICAL | CVE-2026-47393 | PraisonAI: auth bypass in deployed API exposes LLM + tools | PraisonAI | 9.8 |
| CRITICAL | CVE-2026-47396 | PraisonAI: fail-open auth exposes remote agent control API | PraisonAI | 9.8 |
| MEDIUM | CVE-2026-47411 | PraisonAI: auth bypass allows workspace settings injection | praisonai-platform | 6.5 |
| CRITICAL | CVE-2026-9319 | IBM WebSphere: RCE via JAX-WS deserialization (CVSS 9.0) | 9.0 | |
| MEDIUM | CVE-2026-43625 | CodexBar: session cookie leak via HTTP redirect | 5.9 | |
| MEDIUM | CVE-2026-28511 | eLabFTW: IDOR exposes restricted resource titles | 4.3 |