AI Threat Alert
Attack Type
Auth Bypass
Authentication bypass vulnerabilities in AI platforms allow attackers to access protected APIs, model endpoints, or admin interfaces without valid credentials.
309
Total CVEs
16
Pages
Page 7 of 16
Current
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2025-13374 | Kalrav: Arbitrary File Upload enables RCE | 9.8 | |
| HIGH | CVE-2026-25580 | pydantic-ai: SSRF allows internal network access | pydantic-ai-slim | 8.6 |
| HIGH | CVE-2026-24780 | agpt: Code Injection enables RCE | 8.8 | |
| MEDIUM | CVE-2023-34094 | ChuanhuChatGPT: config exposure leaks API keys | chuanhuchatgpt | 5.3 |
| HIGH | CVE-2024-36420 | Flowise: unauthenticated arbitrary file read via API | flowise | 7.5 |
| HIGH | CVE-2024-36421 | Flowise: CORS wildcard enables file read and data theft | flowise | 7.5 |
| MEDIUM | CVE-2024-36423 | Flowise: reflected XSS in chatflow API enables session hijack | flowise | 6.1 |
| MEDIUM | CVE-2024-37146 | Flowise: reflected XSS enables credential theft | flowise | 6.1 |
| HIGH | CVE-2025-30358 | Mesop: class pollution enables DoS and LLM jailbreak | 8.1 | |
| CRITICAL | CVE-2025-58434 | Flowise: auth bypass in reset flow allows full ATO | flowise | 9.8 |
| CRITICAL | CVE-2025-61913 | Flowise: path traversal in file tools leads to RCE | flowise | 9.9 |
| CRITICAL | CVE-2024-49326 | Affiliator WP Plugin: Unauthenticated Web Shell Upload | affiliator | 9.8 |
| CRITICAL | CVE-2025-54381 | BentoML: unauthenticated SSRF via file upload URLs | bentoml | 9.9 |
| MEDIUM | CVE-2023-27562 | n8n: path traversal allows arbitrary file read | n8n | 6.5 |
| HIGH | CVE-2023-27563 | n8n: privilege escalation exposes full workflow admin | n8n | 8.8 |
| HIGH | CVE-2023-27564 | n8n: unauthenticated info disclosure exposes credentials | n8n | 7.5 |
| MEDIUM | CVE-2025-46343 | n8n: stored XSS enables account takeover | n8n | 5.4 |
| MEDIUM | CVE-2025-49592 | n8n: open redirect enables phishing via login flow | n8n | 5.4 |
| MEDIUM | CVE-2025-52554 | n8n: broken authz enables cross-user workflow termination | n8n | 4.3 |
| MEDIUM | CVE-2025-52478 | n8n: Stored XSS enables full account takeover | n8n | 5.4 |