CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0

20 Mar 2025 — The function vllm.distributed.GroupCoordinator.recv_object() deserializes received object bytes using pickle.loads() without sanitization, leading to a remote code execution vulnerability. • https://huntr.com/bounties/ea75728f-4efe-4a3d-9f53-33f2c908e9f8 • CWE-502: Deserialization of Untrusted Data

CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0

20 Mar 2025 — A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. • https://github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.4 • EPSS: 0% • CPEs: - • EXPL: 0

20 Mar 2025 — The impact of this vulnerability includes the potential for remote code execution (RCE) by writing malicious files, such as a malicious `__init__.py` in Python's `/site-packages/` directory. • https://huntr.com/bounties/f7fbf76e-aa1c-4106-b007-e9579f4f7d5f • CWE-73: External Control of File Name or Path

CVSS: 9.4 • EPSS: 0% • CPEs: - • EXPL: 0

20 Mar 2025 — A vulnerability in ollama/ollama version 0.1.37 allows for remote code execution (RCE) due to improper input validation in the handling of zip files. ... The code does not check for directory traversal sequences (../) in file names within the zip archive, allowing an attacker to write arbitrary files to the file system. This can be exploited to create files such as /etc/ld.so.preload and a malicious shared library, leading to RCE. • https://github.com/ollama/ollama/commit/123a722a6f541e300bc8e34297ac378ebe23f527 • CWE-20: Improper Input Validation

CVSS: 9.0 • EPSS: 0% • CPEs: - • EXPL: 0

20 Mar 2025 — A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. ... This can potentially lead to Remote Code Execution (RCE) if exploited. • https://huntr.com/bounties/7d9eb9b2-7b86-45ed-89bd-276c1350db7e • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.0 • EPSS: 0% • CPEs: - • EXPL: 0

20 Mar 2025 — This vulnerability allows an attacker to upload an arbitrary file to the server, potentially leading to remote code execution or overwriting any file on the server. • https://huntr.com/bounties/31bdf98c-5205-4c48-9bc7-9e780ba63398 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0

20 Mar 2025 — A vulnerability in the h2oai/h2o-3 REST API version 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. • https://github.com/h2oai/h2o-3/commit/ac1d642b4d86f10a02d75974055baf2a4b2025ac • CWE-502: Deserialization of Untrusted Data

CVSS: 7.8 • EPSS: 0% • CPEs: - • EXPL: 0

20 Mar 2025 — This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write. • https://huntr.com/bounties/2038df5f-4829-4040-8573-67bf9bb89229 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.0 • EPSS: 0% • CPEs: - • EXPL: 0

20 Mar 2025 — This can lead to arbitrary file write and potentially remote code execution. • https://github.com/danny-avila/librechat/commit/629be5c0ca2b332178524b4e3f6fac715aea8cc4 • CWE-29: Path Traversal: '\..\filename'

CVSS: 9.4 • EPSS: 0% • CPEs: - • EXPL: 0

20 Mar 2025 — This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations. • https://github.com/lightning-ai/pytorch-lightning/commit/330af381de88cff17515418a341cbc1f9f127f9a • CWE-434: Unrestricted Upload of File with Dangerous Type