AI Threat Alert
AI Component
API
AI API vulnerabilities affect the interfaces used to interact with language models and ML services — including authentication, rate limiting, input validation, and response handling.
224
Total CVEs
12
Pages
Page 3 of 12
Current
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2024-13698 | Jobify WP: missing authz allows OpenAI key abuse, SSRF | 6.5 | |
| MEDIUM | CVE-2025-29770 | vLLM: DoS via unbounded grammar cache exhausts disk | vllm | 6.5 |
| UNKNOWN | CVE-2024-11037 | gpt_academic: path traversal exposes LLM API keys | gpt_academic | - |
| UNKNOWN | CVE-2024-12775 | Dify: SSRF via custom tool URL enables credential theft | - | |
| HIGH | CVE-2024-7959 | Open-WebUI: SSRF via unchecked OpenAI URL leaks internal secrets | open-webui | 7.7 |
| MEDIUM | CVE-2025-31843 | OpenAI WP Plugin: broken access control on AI settings | 4.3 | |
| HIGH | CVE-2025-5018 | Hive Support WP: OpenAI key theft + prompt hijack | 7.1 | |
| MEDIUM | CVE-2025-7021 | OpenAI Operator: fullscreen spoofing captures credentials | operator | 6.5 |
| MEDIUM | CVE-2025-6716 | Contest Gallery WP Plugin: Stored XSS in OpenAI integration | 6.4 | |
| MEDIUM | CVE-2025-53621 | DSpace: XXE injection enables server file disclosure | 6.9 | |
| MEDIUM | CVE-2025-7780 | WordPress AI Engine: SSRF leaks files via OpenAI API | 6.5 | |
| HIGH | CVE-2025-7725 | WP Contest Gallery: Stored XSS exposes OpenAI API creds | 7.2 | |
| CRITICAL | CVE-2025-53767 | Azure OpenAI: SSRF EoP, no auth required (CVSS 10) | azure_openai | 10.0 |
| CRITICAL | CVE-2025-59434 | Flowise Cloud: cross-tenant env var exposure leaks API keys | 9.6 | |
| MEDIUM | CVE-2025-60511 | Moodle: IDOR enables unauthorized data access | 4.3 | |
| MEDIUM | CVE-2025-12360 | Better: security flaw enables exploitation | 4.3 | |
| MEDIUM | CVE-2025-11972 | AI component: SQL Injection exposes database | 4.9 | |
| MEDIUM | CVE-2025-12732 | AI component: Info Disclosure leaks sensitive data | 4.3 | |
| HIGH | CVE-2025-12973 | AI component: Arbitrary File Upload enables RCE | 7.2 | |
| MEDIUM | CVE-2025-13354 | taxopress: Missing Auth allows unauthorized operations | 4.3 |