AML.T0055
Unsecured Credentials
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. bash history), environment variables, operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. private keys).
229 CVEs mapped
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2023-3765 | MLflow: path traversal allows arbitrary file read | mlflow | 10.0 |
| CRITICAL | GHSA-wpqr-6v78-jr5g | Gemini CLI: RCE via malicious workspace in CI/CD | | 10.0 |
| CRITICAL | CVE-2026-33663 | n8n: member role steals plaintext HTTP credentials | n8n | 10.0 |
| CRITICAL | CVE-2026-21858 | n8n: Input Validation flaw enables exploitation | n8n | 10.0 |
| CRITICAL | CVE-2026-25053 | n8n: Command Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2024-52384 | Sage AI Plugin: unrestricted upload → web shell RCE | | 9.9 |
| CRITICAL | CVE-2025-61913 | Flowise: path traversal in file tools leads to RCE | flowise | 9.9 |
| CRITICAL | CVE-2026-27577 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-25052 | n8n: security flaw enables exploitation | n8n | 9.9 |
| CRITICAL | CVE-2026-25115 | n8n: Protection Bypass circumvents security controls | n8n | 9.9 |
| CRITICAL | CVE-2026-2635 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| CRITICAL | CVE-2026-33017 | langflow: Code Injection enables RCE | langflow | 9.8 |
| CRITICAL | CVE-2023-25823 | Gradio: hardcoded SSH key leaks via share=True demos | gradio | 9.8 |
| CRITICAL | CVE-2026-25960 | vllm: SSRF allows internal network access | vllm | 9.8 |
| CRITICAL | CVE-2026-30821 | flowise: Arbitrary File Upload enables RCE | flowise | 9.8 |
| CRITICAL | CVE-2023-3686 | QuickAI: unauthenticated SQLi exposes OpenAI API keys | quickai_openai | 9.8 |
| CRITICAL | CVE-2023-36281 | LangChain: RCE via malicious JSON prompt template | langchain | 9.8 |
| CRITICAL | CVE-2026-27966 | langflow: Code Injection enables RCE | langflow | 9.8 |
| CRITICAL | CVE-2023-6019 | Ray: unauthenticated RCE via dashboard command injection | ray | 9.8 |
| CRITICAL | CVE-2023-1177 | MLflow: path traversal allows arbitrary file read/write | mlflow | 9.8 |
| CRITICAL | CVE-2024-3234 | ChuanhuChatGPT: path traversal exposes LLM API keys | chuanhuchatgpt | 9.8 |
| CRITICAL | CVE-2026-35022 | Claude Code: OS command injection, credential theft | | 9.8 |
| CRITICAL | CVE-2026-42208 | LiteLLM: SQL injection exposes LLM API credentials | litellm | 9.8 |
| CRITICAL | CVE-2025-58434 | Flowise: auth bypass in reset flow allows full ATO | flowise | 9.8 |
| CRITICAL | CVE-2024-31224 | gpt_academic: deserialization RCE, no auth required | gpt_academic | 9.8 |
| CRITICAL | CVE-2025-3248 | Langflow: Unauth RCE via code injection endpoint | langflow | 9.8 |
| CRITICAL | CVE-2024-49326 | Affiliator WP Plugin: Unauthenticated Web Shell Upload | affiliator | 9.8 |
| CRITICAL | CVE-2025-11200 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| CRITICAL | CVE-2025-45150 | ChatGLM-Webui: arbitrary file read, no auth required | langchain-chatglm-webui | 9.8 |
| CRITICAL | CVE-2025-59434 | Flowise Cloud: cross-tenant env var exposure leaks API keys | | 9.6 |
| CRITICAL | CVE-2024-0964 | Gradio: unauthenticated LFI exposes full server filesystem | gradio | 9.4 |
| CRITICAL | CVE-2023-6021 | Ray: LFI allows unauthenticated file read | ray | 9.3 |
| CRITICAL | CVE-2023-6020 | Ray: unauthenticated LFI exposes entire filesystem | ray | 9.3 |
| CRITICAL | CVE-2026-40154 | PraisonAI: supply chain RCE via unverified template exec | PraisonAI | 9.3 |
| CRITICAL | CVE-2025-55526 | n8n-workflows: path traversal in download_workflow endpoint | fastapi | 9.1 |
| CRITICAL | CVE-2026-35216 | Budibase: Unauthenticated RCE as root via webhook | | 9.1 |
| CRITICAL | CVE-2026-33475 | langflow: security flaw enables exploitation | langflow | 9.1 |
| CRITICAL | CVE-2024-4253 | Gradio: CI/CD command injection enables secrets exfiltration | gradio | 9.1 |
| CRITICAL | CVE-2026-7482 | Ollama: heap OOB read leaks API keys and chat data | ollama | 9.1 |
| HIGH | GHSA-qwgj-rrpj-75xm | PraisonAI: hardcoded approval bypass enables RCE | PraisonAI | 8.8 |
| HIGH | CVE-2023-6709 | MLflow: SSTI enables RCE in ML experiment tracking | mlflow | 8.8 |
| HIGH | CVE-2026-31829 | Flowise: SSRF via HTTP Node exposes internal network | flowise-components | 8.8 |
| HIGH | CVE-2026-42271 | LiteLLM: RCE via MCP test endpoint command injection | litellm | 8.8 |
| HIGH | CVE-2026-40217 | LiteLLM: RCE via bytecode rewriting in guardrails API | litellm | 8.8 |
| HIGH | CVE-2026-33053 | langflow: IDOR enables unauthorized data access | langflow | 8.8 |
| HIGH | CVE-2025-6855 | Langchain-Chatchat: path traversal exposes system files | langchain-chatchat | 8.8 |
| HIGH | CVE-2026-6543 | Langflow: RCE exposes API keys and DB credentials | langflow | 8.8 |
| HIGH | CVE-2025-64495 | Open WebUI: XSS-to-RCE via malicious prompt injection | open-webui | 8.7 |
| HIGH | GHSA-gqqj-85qm-8qhf | paperclipai: connector trust bypass enables Gmail read/write | paperclipai | 8.7 |
| HIGH | CVE-2026-40158 | PraisonAI: AST sandbox bypass enables host RCE | PraisonAI | 8.6 |
| HIGH | CVE-2024-32965 | Lobe Chat: pre-auth SSRF leaks OpenAI API keys | | 8.6 |
| HIGH | CVE-2025-25297 | Label Studio: SSRF via S3 endpoint exposes internal services | label-studio | 8.6 |
| HIGH | CVE-2024-4325 | Gradio: SSRF exposes internal network and cloud metadata | gradio | 8.6 |
| HIGH | CVE-2026-26286 | sillytavern: SSRF allows internal network access | | 8.5 |
| HIGH | CVE-2026-42449 | n8n-mcp: SSRF bypass via IPv6 leaks API keys | n8n-mcp | 8.5 |
| HIGH | CVE-2025-65958 | open-webui: SSRF allows internal network access | open-webui | 8.5 |
| HIGH | CVE-2026-44334 | praisonai: RCE via unpatched tool_override exec_module | praisonai | 8.4 |
| HIGH | CVE-2026-40113 | PraisonAI: arg injection injects env vars into Cloud Run | praisonai | 8.4 |
| HIGH | GHSA-8g7g-hmwm-6rv2 | n8n-mcp: path traversal + SSRF exposes n8n API keys | n8n-mcp | 8.3 |
| HIGH | CVE-2026-41270 | Flowise: SSRF bypass exposes cloud metadata services | flowise | 8.3 |
| HIGH | CVE-2024-1540 | Gradio: CI/CD command injection enables secrets exfil | gradio | 8.2 |
| HIGH | CVE-2026-27826 | mcp-atlassian: SSRF allows internal network access | mcp-atlassian | 8.2 |
| HIGH | CVE-2026-29872 | awesome-llm-apps MCP Agent: cross-session credential theft | | 8.2 |
| HIGH | CVE-2026-2033 | mlflow: Path Traversal enables file access | mlflow | 8.1 |
| HIGH | CVE-2025-61784 | LLaMA-Factory: SSRF+LFI in multimodal chat API | llamafactory | 8.1 |
| HIGH | CVE-2024-28088 | LangChain: path traversal enables RCE and API key theft | langchain | 8.1 |
| HIGH | CVE-2026-32730 | | | 8.1 |
| HIGH | CVE-2026-35021 | Claude Code CLI: shell injection enables RCE | | 7.8 |
| HIGH | CVE-2026-35043 | BentoML: cmd injection RCE on cloud build infra | bentoml | 7.8 |
| HIGH | CVE-2026-22219 | chainlit: SSRF allows internal network access | chainlit | 7.7 |
| HIGH | CVE-2024-7959 | Open-WebUI: SSRF via unchecked OpenAI URL leaks internal secrets | open-webui | 7.7 |
| HIGH | CVE-2025-61917 | n8n: Info Disclosure leaks sensitive data | n8n | 7.7 |
| HIGH | CVE-2026-34936 | PraisonAI: SSRF via api_base steals cloud IAM credentials | praisonai | 7.7 |
| HIGH | CVE-2025-25185 | gpt_academic: symlink traversal exposes all server files | gpt_academic | 7.5 |
| HIGH | CVE-2025-6985 | langchain-text-splitters: XXE enables arbitrary file read | langchain-text-splitters | 7.5 |
| HIGH | CVE-2025-0330 | LiteLLM: Langfuse API key leak via error handling | litellm | 7.5 |
| HIGH | CVE-2025-68616 | | | 7.5 |
| HIGH | CVE-2024-9606 | LiteLLM: API key leakage in logs exposes credentials | litellm | 7.5 |
| HIGH | CVE-2026-35485 | text-generation-webui: unauthenticated path traversal file read | gradio | 7.5 |
| HIGH | CVE-2024-8859 | MLflow: path traversal allows arbitrary file read via DBFS | mlflow | 7.5 |
| HIGH | CVE-2026-21852 | claude_code: Weak Credentials allow account compromise | claude_code | 7.5 |
| HIGH | CVE-2024-36421 | Flowise: CORS wildcard enables file read and data theft | flowise | 7.5 |
| HIGH | CVE-2024-11031 | GPT Academic: SSRF in Markdown plugin leaks credentials | gpt_academic | 7.5 |
| HIGH | CVE-2024-11030 | GPT Academic: SSRF via unsanitized HotReload plugin | gpt_academic | 7.5 |
| HIGH | CVE-2026-33497 | langflow: Path Traversal enables file access | langflow | 7.5 |
| HIGH | CVE-2025-14287 | mlflow: Code Injection enables RCE | mlflow | 7.5 |
| HIGH | CVE-2024-3848 | MLflow: URL fragment bypass leaks SSH and cloud keys | mlflow | 7.5 |
| HIGH | CVE-2024-34527 | SolidUI: OpenAI API key exposed via log print statement | | 7.5 |
| HIGH | CVE-2024-34510 | Gradio: credential leakage via Windows path encoding bug | gradio | 7.5 |
| HIGH | CVE-2026-41279 | Flowise: unauth API key abuse via TTS endpoint IDOR | flowise | 7.5 |
| HIGH | CVE-2024-1558 | MLflow: path traversal enables arbitrary file read | mlflow | 7.5 |
| HIGH | CVE-2024-1728 | Gradio: path traversal leaks arbitrary files, potential RCE | gradio | 7.5 |
| HIGH | CVE-2023-2356 | MLflow: path traversal allows unauthenticated file read | mlflow | 7.5 |
| HIGH | CVE-2026-41278 | Flowise: credential exposure in public chatflow API | flowise | 7.5 |
| HIGH | CVE-2023-43472 | MLflow: unauth REST API leaks sensitive ML data | mlflow | 7.5 |
| HIGH | CVE-2026-41275 | Flowise: HTTP password reset link allows MITM takeover | flowise | 7.5 |
| HIGH | CVE-2026-28414 | gradio: security flaw enables exploitation | gradio | 7.5 |
| HIGH | CVE-2023-46315 | Infinite Image Browsing: path traversal leaks credentials | | 7.5 |
| HIGH | CVE-2026-41266 | Flowise: unauthenticated API key exposure via chatbot config | flowise | 7.5 |
| HIGH | CVE-2023-30172 | MLflow: path traversal exposes arbitrary server files | mlflow | 7.5 |
| HIGH | CVE-2023-27564 | n8n: unauthenticated info disclosure exposes credentials | n8n | 7.5 |
| HIGH | CVE-2026-34070 | langchain-core: path traversal exposes host secrets via prompt config | langchain-core | 7.5 |
| HIGH | CVE-2024-6587 | LiteLLM: SSRF leaks OpenAI API key to attacker | litellm | 7.5 |
| HIGH | CVE-2024-45436 | Ollama: ZIP path traversal exposes host filesystem | ollama | 7.5 |
| HIGH | CVE-2024-36420 | Flowise: unauthenticated arbitrary file read via API | flowise | 7.5 |
| HIGH | CVE-2024-2928 | MLflow: URI fragment LFI exposes arbitrary files | mlflow | 7.5 |
| HIGH | CVE-2025-65098 | typebot: XSS enables session hijacking | | 7.4 |
| HIGH | CVE-2026-40153 | praisonaiagents: env var expansion exposes production secrets | praisonaiagents | 7.4 |
| HIGH | CVE-2025-64496 | open-webui: Code Injection enables RCE | open-webui | 7.3 |
| HIGH | CVE-2026-44549 | open-webui: XSS via XLSX preview enables session hijack | open-webui | 7.3 |
| HIGH | CVE-2026-6596 | Langflow: unauthenticated file upload allows RCE | langflow-base | 7.3 |
| HIGH | CVE-2025-8709 | langgraph-checkpoint-sqlite: SQL Injection exposes database | langgraph-checkpoint-sqlite | 7.3 |
| HIGH | GHSA-w8hx-hqjv-vjcq | Paperclip: RCE via workspace runtime command injection | @paperclipai/server | 7.3 |
| HIGH | CVE-2026-44721 | open-webui: XSS in model descriptions steals session tokens | open-webui | 7.3 |
| HIGH | CVE-2025-30167 | jupyter_core: config hijack enables cross-user code exec | | 7.3 |
| HIGH | CVE-2025-12973 | AI component: Arbitrary File Upload enables RCE | | 7.2 |
| HIGH | CVE-2026-1777 | sagemaker: security flaw enables exploitation | sagemaker | 7.2 |
| HIGH | CVE-2025-7725 | WP Contest Gallery: Stored XSS exposes OpenAI API creds | | 7.2 |
| HIGH | GHSA-xhmj-rg95-44hv | Flowise: SSRF bypass exposes cloud IAM credentials | flowise-components | 7.1 |
| HIGH | CVE-2025-5018 | Hive Support WP: OpenAI key theft + prompt hijack | | 7.1 |
| HIGH | CVE-2025-68478 | langflow: File Control enables path manipulation | langflow | 7.1 |
| HIGH | CVE-2024-27134 | MLflow: local privilege escalation via spark_udf ToCToU | mlflow | 7.0 |
| MEDIUM | CVE-2026-40934 | jupyter-server: auth cookie survives password reset | jupyter-server | 6.8 |
| MEDIUM | CVE-2026-28277 | langgraph: Deserialization enables RCE | langgraph | 6.8 |
| MEDIUM | CVE-2026-27794 | langgraph-checkpoint: Deserialization enables RCE | langgraph-checkpoint | 6.6 |
| MEDIUM | CVE-2025-51481 | Dagster: path traversal exposes arbitrary file read via gRPC | | 6.6 |
| MEDIUM | CVE-2024-42474 | Streamlit: path traversal leaks Windows NTLM hash | streamlit | 6.5 |
| MEDIUM | CVE-2024-48052 | Gradio: SSRF in DownloadButton exposes internal resources | gradio | 6.5 |
| MEDIUM | CVE-2025-13922 | AI component: SQL Injection exposes database | | 6.5 |
| MEDIUM | CVE-2025-68477 | langflow: SSRF allows internal network access | langflow | 6.5 |
| MEDIUM | CVE-2025-13359 | taxopress: SQL Injection exposes database | | 6.5 |
| MEDIUM | CVE-2025-57749 | n8n: symlink traversal enables arbitrary file read/write | n8n | 6.5 |
| MEDIUM | CVE-2023-27562 | n8n: path traversal allows arbitrary file read | n8n | 6.5 |
| MEDIUM | CVE-2026-25631 | n8n: Input Validation flaw enables exploitation | n8n | 6.5 |
| MEDIUM | CVE-2026-27496 | n8n: uninitialized buffer leaks secrets via Task Runner | n8n | 6.5 |
| MEDIUM | CVE-2026-4502 | Langflow: path traversal enables arbitrary file write | langflow | 6.5 |
| MEDIUM | CVE-2026-3345 | Langflow: path traversal allows arbitrary file read | langflow | 6.5 |
| MEDIUM | CVE-2022-36551 | Label Studio: SSRF + file read, self-reg bypass | label-studio | 6.5 |
| MEDIUM | CVE-2022-35918 | Streamlit: path traversal leaks server filesystem | streamlit | 6.5 |
| MEDIUM | CVE-2026-30886 | AI component: IDOR enables unauthorized data access | | 6.5 |
| MEDIUM | CVE-2026-24123 | bentoml: Path Traversal enables file access | bentoml | 6.5 |
| MEDIUM | GHSA-mvv8-v4jj-g47j | Directus: cleartext storage exposes AI API keys | | 6.5 |
| MEDIUM | CVE-2025-14980 | BetterDocs: Info Disclosure leaks sensitive data | | 6.5 |
| MEDIUM | CVE-2024-11896 | WP Text Prompter: Stored XSS in OpenAI shortcode plugin | | 6.4 |
| MEDIUM | CVE-2025-6716 | Contest Gallery WP Plugin: Stored XSS in OpenAI integration | | 6.4 |
| MEDIUM | CVE-2026-3346 | Langflow Desktop: stored XSS enables credential theft | langflow | 6.4 |
| MEDIUM | CVE-2025-1979 | Ray: Redis password exposed via plaintext logging | ray | 6.4 |
| MEDIUM | CVE-2026-5803 | openai-realtime-ui: SSRF in API proxy endpoint | | 6.3 |
| MEDIUM | CVE-2026-7687 | Langflow: command injection in code parser enables RCE | langflow | 6.3 |
| MEDIUM | CVE-2026-7700 | Langflow: eval() code injection → remote code execution | langflow | 6.3 |
| MEDIUM | CVE-2025-67743 | local-deep-research: SSRF allows internal network access | | 6.3 |
| MEDIUM | CVE-2024-6577 | TorchServe: unverified S3 bucket exposes benchmark data | | 6.3 |
| MEDIUM | CVE-2024-37146 | Flowise: reflected XSS enables credential theft | flowise | 6.1 |
| MEDIUM | CVE-2024-37145 | Flowise: reflected XSS enables file read chain via chatflow | flowise | 6.1 |
| MEDIUM | CVE-2024-36423 | Flowise: reflected XSS in chatflow API enables session hijack | flowise | 6.1 |
| MEDIUM | CVE-2024-36422 | Flowise: reflected XSS enables session hijack and file read | flowise | 6.1 |
| MEDIUM | CVE-2026-27167 | gradio: Weak Credentials allow account compromise | gradio | 5.9 |
| MEDIUM | GHSA-cc4f-hjpj-g9p8 | Flowise: hardcoded JWT defaults enable full auth bypass | flowise | 5.6 |
| MEDIUM | GHSA-m7mq-85xj-9x33 | Flowise: hardcoded default key enables JWT token forgery | flowise | 5.6 |
| MEDIUM | GHSA-2qqc-p94c-hxwh | Flowise: hardcoded session secret enables auth bypass | flowise | 5.6 |
| MEDIUM | CVE-2025-1474 | MLflow: passwordless accounts enable persistent backdoor | mlflow | 5.5 |
| MEDIUM | CVE-2026-40159 | PraisonAI: MCP env inheritance exposes API keys | PraisonAI | 5.5 |
| MEDIUM | GHSA-ffp3-3562-8cv3 | PraisonAI: tool approval bypass leaks env credentials | praisonaiagents | 5.5 |
| MEDIUM | CVE-2026-44479 | vercel: auth token leak in AI agent non-interactive mode | | 5.5 |
| MEDIUM | GHSA-cqmh-pcgr-q42f | @axonflow/openclaw: credential exposure via insecure file permissions | @axonflow/openclaw | 5.5 |
| MEDIUM | CVE-2025-45809 | LiteLLM: SQL injection in key management API | litellm | 5.4 |
| MEDIUM | CVE-2026-25054 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2026-34753 | vLLM: SSRF in batch API exposes cloud metadata endpoints | vllm | 5.4 |
| MEDIUM | GHSA-364x-8g5j-x2pr | n8n: stored XSS via malicious OAuth2 Authorization URL | n8n | 5.4 |
| MEDIUM | CVE-2025-68697 | n8n: security flaw enables exploitation | n8n | 5.4 |
| MEDIUM | CVE-2023-1651 | AI ChatBot WP: auth bypass exposes OpenAI config + XSS | wpbot | 5.4 |
| MEDIUM | CVE-2026-41495 | n8n-mcp: bearer tokens exposed in HTTP transport logs | n8n-mcp | 5.3 |
| MEDIUM | CVE-2024-6845 | ChatGPT WP Plugin: OpenAI API key leak via unauth REST | | 5.3 |
| MEDIUM | CVE-2026-2589 | Greenshift: Info Disclosure leaks sensitive data | | 5.3 |
| MEDIUM | CVE-2023-34094 | ChuanhuChatGPT: config exposure leaks API keys | chuanhuchatgpt | 5.3 |
| MEDIUM | CVE-2026-33722 | n8n: secrets vault bypass exposes credentials to low-priv users | n8n | 5.3 |
| MEDIUM | CVE-2024-4858 | WP Testimonial Carousel: OpenAI API key hijack, no auth | | 5.3 |
| MEDIUM | GHSA-6pcv-j4jx-m4vx | Flowise: unauthenticated SSO config exposes OAuth secrets | flowise | 5.3 |
| MEDIUM | CVE-2025-11972 | AI component: SQL Injection exposes database | | 4.9 |
| MEDIUM | CVE-2026-33682 | Streamlit: SSRF leaks NTLMv2 creds via UNC path | Streamlit | 4.7 |
| MEDIUM | CVE-2024-5206 | scikit-learn: TfidfVectorizer leaks training data tokens | scikit-learn | 4.7 |
| MEDIUM | GHSA-wg4g-395p-mqv3 | n8n-mcp: credential exposure via HTTP transport logging | n8n-mcp | 4.3 |
| MEDIUM | CVE-2026-6598 | Langflow: cleartext auth storage exposes API keys | langflow | 4.3 |
| MEDIUM | CVE-2025-12732 | AI component: Info Disclosure leaks sensitive data | | 4.3 |
| MEDIUM | CVE-2026-42282 | n8n-MCP: credential logging exposes OAuth tokens in HTTP mode | | 4.3 |
| LOW | CVE-2026-26013 | langchain-core: SSRF allows internal network access | langchain_core | 3.7 |
| LOW | CVE-2026-4993 | OpenUI: hard-coded LiteLLM master key credential leak | | 3.3 |
| LOW | CVE-2026-25211 | llama-stack: security flaw enables exploitation | | 3.2 |
| LOW | CVE-2026-6597 | langflow: Plaintext credential storage via Flow API | langflow | 2.7 |
| HIGH | CVE-2026-2472 | google-cloud-aiplatform: XSS enables session hijacking | | — |
| CRITICAL | GHSA-5mg7-485q-xm76 | litellm: supply chain attack harvests AI API credentials | litellm | — |
| UNKNOWN | CVE-2026-33401 | Wallos: SSRF allows internal network access | | — |
| UNKNOWN | CVE-2026-41686 | @anthropic-ai/sdk: insecure file perms expose agent memory | @anthropic-ai/sdk | — |
| UNKNOWN | CVE-2026-42232 | n8n: XML Node prototype pollution → RCE | n8n | — |
| UNKNOWN | CVE-2026-42226 | n8n: IDOR exposes cross-user API key exfiltration | n8n | — |
| UNKNOWN | CVE-2026-42227 | n8n: IDOR leaks cross-project variables via API key | n8n | — |
| MEDIUM | GHSA-h2vw-ph2c-jvwf | OpenClaw: env injection exposes MiniMax API key | openclaw | — |
| CRITICAL | GHSA-r75f-5x8p-qvmc | litellm: SQLi exposes all managed LLM API credentials | litellm | — |
| HIGH | GHSA-xqmj-j6mv-4862 | LiteLLM: RCE via unsandboxed prompt template rendering | litellm | — |
| CRITICAL | CVE-2025-62593 | ray: Code Injection enables RCE | ray | — |
| UNKNOWN | CVE-2024-11037 | gpt_academic: path traversal exposes LLM API keys | gpt_academic | — |
| HIGH | CVE-2026-34511 | OpenClaw: PKCE verifier leak enables OAuth token theft | openclaw | — |
| MEDIUM | GHSA-83f3-hh45-vfw9 | OpenClaw: cleartext WebSocket exposes gateway credentials | openclaw | — |
| MEDIUM | GHSA-jj6q-rrrf-h66h | openclaw: timing side-channel leaks shared-secret length | openclaw | — |
| HIGH | GHSA-vfw7-6rhc-6xxg | openclaw: env var injection via workspace config | openclaw | — |
| HIGH | GHSA-69x8-hrgq-fjj8 | LiteLLM: auth bypass chain enables full privilege escalation | litellm | — |
| CRITICAL | GHSA-2679-6mx9-h9xc | Marimo: pre-auth RCE via terminal WebSocket | marimo | — |
| HIGH | GHSA-qx8j-g322-qj6m | OpenClaw: unsafe body replay on cross-origin redirect | openclaw | — |
| MEDIUM | GHSA-w9j9-w4cp-6wgr | openclaw: env var injection enables host exec hijacking | openclaw | — |
| LOW | GHSA-cm8v-2vh9-cxf3 | openclaw: git env var injection enables host redirect | openclaw | — |
| UNKNOWN | CVE-2024-56516 | free-one-api: MD5 hashing allows credential cracking | | — |
| HIGH | CVE-2026-40160 | praisonaiagents: SSRF in web_crawl exposes cloud metadata | praisonaiagents | — |
| UNKNOWN | CVE-2026-35029 | LiteLLM: auth bypass allows RCE and full takeover | litellm | — |
| HIGH | GHSA-p4h8-56qp-hpgv | mcp-ssh: argument injection enables LLM-driven local RCE | | — |
| UNKNOWN | CVE-2025-11203 | LiteLLM: Info Disclosure leaks sensitive data | | — |
| HIGH | GHSA-x5w6-38gp-mrqh | Flowise: HTTP reset link exposes tokens to MITM takeover | flowise | — |
| HIGH | GHSA-6f7g-v4pp-r667 | Flowise: OAuth token theft via unauthenticated endpoint | flowise | — |
| UNKNOWN | CVE-2024-4254 | Gradio: secrets exfiltration via unsafe fork PR workflow | gradio | — |
| HIGH | GHSA-4jpm-cgx2-8h37 | Flowise: unauth API exposes plaintext API keys and tokens | flowise | — |
| MEDIUM | GHSA-9hrv-gvrv-6gf2 | Flowise: SSRF bypass enables cloud metadata access | flowise-components | — |
| UNKNOWN | CVE-2026-34046 | Langflow: IDOR exposes flows and plaintext API keys | langflow | — |
| UNKNOWN | CVE-2026-0768 | langflow: Code Injection enables RCE | langflow | — |
| UNKNOWN | CVE-2026-0769 | langflow: Code Injection enables RCE | langflow | — |
| UNKNOWN | CVE-2026-0772 | langflow: Deserialization enables RCE | langflow | — |
| UNKNOWN | CVE-2024-3924 | text-generation-inference: workflow injection RCE | | — |
| UNKNOWN | CVE-2026-42203 | LiteLLM: SSTI in prompt template endpoint enables RCE | litellm | — |
| CRITICAL | CVE-2026-44484 | pytorch-lightning: supply chain, credential harvesting | pytorch-lightning | — |
| CRITICAL | GHSA-955r-262c-33jc | telnyx: PyPI supply chain attack steals cloud creds | | — |
| UNKNOWN | CVE-2024-1561 | Gradio: path traversal enables arbitrary file read | gradio | — |