==========================
== Gharib Personal Blog ==
==========================
A Techie Personal Blog

CVE-2024-9701 - Kedro ShelveStore Remote Code Execution Vulnerability

CVE ID : CVE-2024-9701
Published : March 20, 2025, 10:15 a.m. | 2 days, 4 hours ago
Description : A Remote Code Execution (RCE) vulnerability has been identified in the Kedro ShelveStore class (version 0.19.8). This vulnerability allows an attacker to execute arbitrary Python code via deserialization of malicious payloads, potentially leading to a full system compromise. The ShelveStore class uses Python’s shelve module to manage session data, which relies on pickle for serialization. Crafting a malicious payload and storing it in the shelve file can lead to RCE when the payload is deserialized.
Severity: 9.8 | CRITICAL

CVE-2024-9415 - Superagi Path Traversal Remote File Upload Vulnerability

CVE ID : CVE-2024-9415
Published : March 20, 2025, 10:15 a.m. | 1 day, 18 hours ago
Description : A Path Traversal vulnerability exists in the file upload functionality of transformeroptimus/superagi version 0.0.14. This vulnerability allows an attacker to upload an arbitrary file to the server, potentially leading to remote code execution or overwriting any file on the server.
Severity: 8.8 | HIGH
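
Worked example added here, not code from the superagi project: the upload pattern behind this class of bug is a filename taken from the client and joined onto the upload directory. The block shows that handler beside a hardened one that allow-lists the name and then proves the resolved path stays under the upload root, which also catches a symlink inside the upload directory that points elsewhere. The directory layout and the attempted filenames are constructed.

```python
"""Constructed example: an upload handler that trusts the client-supplied filename
next to a hardened one that confines every write to the upload directory.
Not code from the superagi project."""
import os
import re
import tempfile

# Allow-list for stored names: leading alphanumeric, then a conservative character set.
# No separators, so '..' segments and absolute paths cannot appear; dotfiles are refused.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def vulnerable_upload_path(upload_dir, client_filename):
    """The vulnerable pattern: '../' walks out of upload_dir, and an absolute
    filename makes os.path.join discard upload_dir entirely."""
    return os.path.join(upload_dir, client_filename)


def safe_upload_path(upload_dir, client_filename):
    """Validate the name, then prove the resolved path stays under upload_dir.
    The second check catches symlinks inside upload_dir that point elsewhere."""
    if not SAFE_NAME.fullmatch(client_filename):
        raise ValueError(f"filename rejected: {client_filename!r}")
    root = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(root, client_filename))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes upload directory: {candidate!r}")
    return candidate


def escapes(upload_dir, path):
    """True when path (after symlink resolution) lies outside upload_dir."""
    root = os.path.realpath(upload_dir)
    try:
        return os.path.commonpath([root, os.path.realpath(path)]) != root
    except ValueError:        # different drives on Windows: certainly outside
        return True


def demo():
    """Compare both handlers on constructed filenames in a throwaway directory."""
    base = tempfile.mkdtemp()
    upload_dir = os.path.join(base, "uploads")
    outside = os.path.join(base, "outside")
    os.mkdir(upload_dir)
    os.mkdir(outside)
    try:
        os.symlink(outside, os.path.join(upload_dir, "link"))   # symlink escaping the root
    except OSError:
        pass                                                      # no symlink support: skip
    attempts = ["report.pdf", "../../etc/passwd", "/etc/passwd",
                "..\\..\\windows\\win.ini", "link", ".env"]
    results = {}
    for name in attempts:
        try:
            safe_upload_path(upload_dir, name)
            verdict = "accepted"
        except ValueError:
            verdict = "rejected"
        results[name] = {
            "naive_escapes": escapes(upload_dir, vulnerable_upload_path(upload_dir, name)),
            "hardened": verdict,
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:28} naive escapes={outcome['naive_escapes']!s:5} hardened={outcome['hardened']}")
```

Rejecting rather than sanitising is deliberate: stripping "../" from a name silently stores the file somewhere the client did not ask for and hides the attempt from logs. Store uploads under a server-generated name when the original name is not needed at all.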

CVE-2024-9099 - Lunary AI Lunary API Key Exposure Vulnerability

CVE ID : CVE-2024-9099
Published : March 20, 2025, 10:15 a.m. | 1 day, 4 hours ago
Description : In lunary-ai/lunary version v1.4.29, the GET /projects API endpoint exposes both public and private API keys for all projects to users with minimal permissions, such as Viewers or Prompt Editors. This vulnerability allows unauthorized users to retrieve sensitive credentials, which can be used to perform actions on behalf of the project, access private data, and delete resources. The private API keys are exposed in the developer tools when the endpoint is called from the frontend.
Severity: 8.8 | HIGH

CVE-2024-9216 - ChuanhuChatGPT Authentication Bypass

CVE ID : CVE-2024-9216
Published : March 20, 2025, 10:15 a.m. | 1 day, 4 hours ago
Description : An authentication bypass vulnerability exists in gaizhenbiao/ChuanhuChatGPT, as of commit 3856d4f, allowing any user to read and delete other users’ chat history. The vulnerability arises because the username is provided via an HTTP request from the client side, rather than being read from a secure source like a cookie. This allows an attacker to pass another user’s username to the get_model function, thereby gaining unauthorized access to that user’s chat history.
Severity: 8.1 | HIGH

CVE-2024-9309 - LLaVA Controller API Server SSRF

CVE ID : CVE-2024-9309
Published : March 20, 2025, 10:15 a.m. | 1 day, 18 hours ago
Description : A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 (LLaVA-1.6). This vulnerability allows attackers to exploit the victim Controller API Server’s credentials to perform unauthorized web actions or access unauthorized web resources.
Severity: 9.3 | CRITICAL
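
Worked example added here, not code from the LLaVA project: a controller that forwards requests to workers needs a guard on where it is willing to connect. The block below validates a target URL by scheme, refuses userinfo, resolves the host, rejects any answer that is loopback, private, link-local (cloud metadata lives at 169.254.169.254), reserved, IPv4-mapped or multicast, requires the host to be in the controller's own worker registry, and returns a pinned IP so the connection cannot be redirected by a second DNS answer. The hostnames, registry and stub DNS table are invented; the resolver is injectable so the demo runs offline.

```python
"""Constructed example of an outbound-request guard for a controller that forwards
calls to model workers. Not code from the LLaVA project; hostnames, the stub DNS
table and the worker registry below are invented."""
import ipaddress
import socket
from urllib.parse import urlsplit


def system_resolver(host):
    """All addresses the name maps to; every one of them must pass the policy."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_forbidden_address(ip):
    """Loopback, RFC 1918, link-local (cloud metadata at 169.254.169.254), CGNAT,
    reserved, unspecified, IPv4-mapped IPv6 and multicast all fail here."""
    return (not ip.is_global) or ip.is_multicast


def validate_worker_url(url, registered_hosts=None, resolver=system_resolver):
    """Return (scheme, host, pinned_ip, port) for a URL the controller may contact,
    or raise ValueError. The caller connects to pinned_ip and sends 'Host: host',
    so the answer cannot change between this check and the request (DNS rebinding)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addresses = {str(ipaddress.ip_address(host))}   # IP literal: nothing to resolve
    except ValueError:
        addresses = set(resolver(host))
    if not addresses:
        raise ValueError(f"{host!r} does not resolve")
    pinned = None
    for addr in sorted(addresses):
        ip = ipaddress.ip_address(addr.split("%", 1)[0])   # drop any IPv6 zone id
        if is_forbidden_address(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
        pinned = pinned or str(ip)
    if registered_hosts is not None and host not in registered_hosts:
        raise ValueError(f"{host!r} is not a registered worker")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, host, pinned, port


# Constructed fixtures: a worker registry the controller owns, and canned DNS answers.
REGISTERED_WORKERS = {"worker.example", "rebind.example"}
STUB_DNS = {
    "worker.example": {"93.184.216.34"},                  # stands in for a public address
    "rebind.example": {"93.184.216.34", "10.0.0.5"},      # one public answer, one internal
    "unregistered.example": {"93.184.216.35"},            # public, but not a known worker
}


def demo():
    """Run the guard over constructed URLs; returns the verdict for each."""
    cases = [
        "http://worker.example:21002/worker_generate_stream",
        "http://rebind.example/worker_generate_stream",
        "http://unregistered.example/worker_generate_stream",
        "http://127.0.0.1:8000/admin",
        "http://[::1]:8000/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "file:///etc/passwd",
        "http://user:pw@worker.example/",
        "http://unknown.example/",
    ]
    verdicts = {}
    for url in cases:
        try:
            verdicts[url] = validate_worker_url(
                url, REGISTERED_WORKERS, resolver=lambda h: STUB_DNS.get(h, set()))
        except ValueError as exc:
            verdicts[url] = f"rejected: {exc}"
    return verdicts


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{url:55} {verdict}")
```

The registry check is the real fix for a controller: clients should name a worker by an identifier the controller already knows, and the address should come from the controller's own table. The address policy is the defence in depth for the case where a URL still has to be accepted from outside, and only holds if the request is made to the pinned IP rather than re-resolving the name.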

CVE-2024-9016 - Man Group DtaLe Python Command Injection Vulnerability

CVE-2024-9052 - Vllm-Project Pickle Deserialization Remote Code Execution

CVE-2024-9053 - Vllm-Project Cloudpickle Remote Code Execution

CVE-2024-9070 - BentoML Runner Server Deserialization Code Execution Vulnerability

CVE ID : CVE-2024-9070
Published : March 20, 2025, 10:15 a.m. | 1 day, 4 hours ago
Description : A deserialization vulnerability exists in BentoML’s runner server in bentoml/bentoml versions <=1.3.4.post1. By setting specific parameters, an attacker can execute unauthorized arbitrary code on the server, causing severe harm. The vulnerability is triggered when the args-number parameter is greater than 1, leading to automatic deserialization and arbitrary code execution.
Severity: 9.8 | CRITICAL

CVE-2024-9095 - Lunary-ai Lunary Unauthenticated Data Exfiltration Vulnerability

CVE ID : CVE-2024-9095
Published : March 20, 2025, 10:15 a.m. | 1 day, 4 hours ago
Description : In lunary-ai/lunary version v1.4.28, the /bigquery API route lacks proper access control, allowing any logged-in user to create a Datastream to Google BigQuery and export the entire database. This includes sensitive data such as password hashes and secret API keys. The route is protected by a config check (`config.DATA_WAREHOUSE_EXPORTS_ALLOWED`), but it does not verify the user’s access level or implement any access control middleware. This vulnerability can lead to the extraction of sensitive data, disruption of services, credential compromise, and service integrity breaches.
Severity: 9.8 | CRITICAL
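
The three access-control failures on this page (ChuanhuChatGPT taking the username from the request, Lunary's GET /projects returning private keys to Viewers and Prompt Editors, and Lunary's /bigquery route guarded only by config.DATA_WAREHOUSE_EXPORTS_ALLOWED) share one root cause: the decision is made from something other than the server-side session and the caller's role on the resource. The block below is a constructed example, not code from either project: an in-memory app with the vulnerable handler beside the fixed one for each case. Users, roles, keys, session tokens and the role names are invented fixtures.

```python
"""Constructed example: a tiny request/authorization layer showing client-supplied
identity, private fields leaked to low-privilege roles, and a route gated only by a
config flag, each beside its fix. Not code from Lunary or ChuanhuChatGPT."""
import functools
from dataclasses import dataclass, field

# --- constructed fixtures --------------------------------------------------------
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}      # session cookie -> user
PROJECTS = {
    "p1": {"owner": "alice", "public_key": "pk_p1", "private_key": "sk_p1_SECRET"},
    "p2": {"owner": "bob",   "public_key": "pk_p2", "private_key": "sk_p2_SECRET"},
}
MEMBERSHIP = {("alice", "p1"): "owner", ("bob", "p2"): "owner", ("bob", "p1"): "viewer"}
CHAT_HISTORY = {"alice": ["hello from alice"], "bob": ["hello from bob"]}
CONFIG = {"DATA_WAREHOUSE_EXPORTS_ALLOWED": True}
ROLES_SEEING_PRIVATE_KEYS = {"owner"}


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


def current_user(req):
    """Identity comes from the server-side session, never from the request body."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        raise Forbidden("not logged in")
    return user


# 1. Client-supplied identity: whoever the body names is whose history you get.
def chat_history_vulnerable(req):
    return CHAT_HISTORY[req.body["username"]]


def chat_history_fixed(req):
    return CHAT_HISTORY[current_user(req)]


# 2. Every project's private key returned to any logged-in caller.
def list_projects_vulnerable(req):
    current_user(req)                       # logged in, but no per-project or per-field check
    return [dict(id=pid, **p) for pid, p in PROJECTS.items()]


def list_projects_fixed(req):
    user = current_user(req)
    out = []
    for pid, p in PROJECTS.items():
        role = MEMBERSHIP.get((user, pid))
        if role is None:
            continue                        # not a member: the project is invisible
        item = {"id": pid, "public_key": p["public_key"]}
        if role in ROLES_SEEING_PRIVATE_KEYS:
            item["private_key"] = p["private_key"]   # secret only for roles allowed to act with it
        out.append(item)
    return out


# 3. Route gated by a deployment flag, with no check of who is calling.
def require_role(*roles):
    """Decorator: the caller's role on project_id must be one of roles."""
    def deco(fn):
        @functools.wraps(fn)
        def wrapper(req, project_id, *args, **kwargs):
            role = MEMBERSHIP.get((current_user(req), project_id))
            if role not in roles:
                raise Forbidden(f"role {role!r} may not call {fn.__name__}")
            return fn(req, project_id, *args, **kwargs)
        return wrapper
    return deco


def export_vulnerable(req, project_id):
    if not CONFIG["DATA_WAREHOUSE_EXPORTS_ALLOWED"]:
        raise Forbidden("exports disabled")
    current_user(req)                       # any logged-in user passes
    return {"exported": project_id}


@require_role("owner")
def export_fixed(req, project_id):
    if not CONFIG["DATA_WAREHOUSE_EXPORTS_ALLOWED"]:
        raise Forbidden("exports disabled")
    return {"exported": project_id}
```

The pattern to take away is that a config flag answers "is this feature on?" and a session answers "who is this?"; neither answers "may this caller do this to this resource?", which is the check every one of these routes was missing. Field-level redaction in list_projects_fixed matters because the frontend cannot be relied on to hide a secret it has already received, which is exactly how the Lunary keys showed up in developer tools.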