Threat Intelligence

Live CVE feed

299 threats tracked across 7 launch stacks — sourced from NVD, GHSA, CISA KEV, OSV, npm Audit, and EPSS.

44threats · Critical· page 2/3
Get guardrails →
2 rules

transformers has a Deserialization of Untrusted Data vulnerability

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.0.

OWASP A08LLM05 · Supply ChainOWASP LLM
Get guardrail →
2 rules

Gradio Exposure of Sensitive Information to an Unauthorized Actor vulnerability

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository gradio-app/gradio prior to main.

OWASP A03LLM01 · Prompt InjectionLLM02 · Insecure OutputOWASP LLM
Get guardrail →
2 rules

Langchain SQL Injection vulnerability

In Langchain before 0.0.247, prompt injection allows execution of arbitrary code against the SQL service provided by the chain.

OWASP A03OWASP LLM
Get guardrail →
2 rules

Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library

An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library. Patches: Released in v.0.0.308. numexpr dependency is optional for langchain.

OWASP A03LLM01 · Prompt InjectionOWASP LLM
Get guardrail →
2 rules

langchain vulnerable to arbitrary code execution

An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via the via the a json file to the load_prompt parameter. This is related to __subclasses__ or a template.

OWASP A03LLM01 · Prompt InjectionOWASP LLM
Get guardrail →
2 rules

llama-index vulnerable to arbitrary code execution

An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the exec parameter in PandasQueryEngine function.

OWASP A03LLM01 · Prompt InjectionOWASP LLM
Get guardrail →
2 rules

LangChain vulnerable to arbitrary code execution

An issue in langchain langchain-ai before version 0.0.325 allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.

OWASP A03OWASP LLM
Get guardrail →
2 rules

LangChain vulnerable to arbitrary code execution

An issue in Harrison Chase langchain before version 0.0.236 allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions.

OWASP A03LLM01 · Prompt InjectionOWASP LLM
Get guardrail →
2 rules

LangChain vulnerable to arbitrary code execution

An issue in LangChain prior to v.0.0.247 allows a remote attacker to execute arbitrary code via the prompt parameter.

OWASP A03LLM01 · Prompt InjectionOWASP LLM
Get guardrail →
2 rules

langchain Code Injection vulnerability

An issue in Harrison Chase langchain allows an attacker to execute arbitrary code via the PALChain,from_math_prompt(llm).run in the python exec method.

OWASP A03LLM01 · Prompt InjectionOWASP LLM
Get guardrail →
2 rules

langchain vulnerable to arbitrary code execution

An issue in langchain allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method.

OWASP A03OWASP LLM
Get guardrail →
2 rules

langchain arbitrary code execution vulnerability

An issue in langchain allows an attacker to execute arbitrary code via the PALChain in the python exec method.

OWASP A03LLM01 · Prompt InjectionOWASP LLM
Get guardrail →
2 rules

Langchain OS Command Injection vulnerability

Langchain before v0.0.225 was discovered to contain a remote code execution (RCE) vulnerability in the component JiraAPIWrapper (aka the JIRA API wrapper). This vulnerability allows attackers to execute arbitrary code via crafted input. As noted in the "releases/tag" reference, a fix is available.

OWASP A03LLM01 · Prompt InjectionOWASP LLM
Get guardrail →
2 rules

nuxt Code Injection vulnerability

he Nuxt dev server between versions 3.4.0 and 3.4.3 is vulnerable to code injection when it is exposed publicly.

OWASP A03OWASP Web
Get guardrail →
2 rules

LangChain vulnerable to code injection

In LangChain through 0.0.131, the LLMMathChain chain allows prompt injection attacks that can execute arbitrary code via the Python exec() method.

OWASP A03LLM01 · Prompt InjectionOWASP LLM
Get guardrail →
2 rules

FastAPI unauthenticated RCE via code eval endpoint (Langflow)

FastAPI app executed arbitrary Python via /api/v1/validate/code without authentication. Actively exploited in wild.

OWASP A03OWASP A07OWASP Web
Get guardrail →
2 rules

Authorization Bypass in Next.js Middleware

Impact It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. Patches For Next.js 15.x, this issue is fixed in 15.2.3 For Next.js 14.x, this issue is fixed in 14.2.25 For Next.js 13.x, this issue is fixed in 13.5.9 For Next.js 12.x, this issue is fixed in 12.3.5 For Next.js 11.x, consult the below workaround. _Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

OWASP A01LLM06 · Sensitive Info DisclosureOWASP Web
Get guardrail →
2 rules

Mongoose search injection vulnerability

Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

OWASP A03OWASP Web
Get guardrail →
2 rules

Mongoose Prototype Pollution vulnerability

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.

OWASP A03OWASP Web
Get guardrail →

Showing 2140 of 44 threats