Security Research
Vulnerabilities discovered by Gecko's Scanner.
Each finding was responsibly disclosed to the vendor.
Assigned CVEs
Disclosure Process
Vulnerabilities Fixed
Featured post
Latest security research finding
Discoveries
Security vulnerabilities discovered and responsibly disclosed
Previously, there were entire classes of business logic and multi-step vulnerabilities that have long been invisible to SAST. Today, that changes.
Arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem.
SQL injection vulnerability in DB-GPT 0.7.0 despite fixes for prior CVEs, affecting multiple database endpoints.
Remote code execution vulnerability in DB-GPT's plugin upload functionality through unsafe Python code execution.
Stored cross-site scripting vulnerability in Ragflow's dialog configuration functionality allowing malicious HTML/JavaScript execution.
A path traversal vulnerability was found in AIM server. This vulnerability allows remote attackers to write arbitrary files on the server's filesystem via a malicious tar file extraction.
Stored cross-site scripting vulnerability in AIM Reports allowing malicious Python code to execute arbitrary JavaScript in users' browsers.
Authentication flow vulnerability in Ollama's model pulling mechanism allowing cross-domain token redirection and theft.
Remote code execution vulnerability in SuperAGI through unsafe eval() usage in agent template configuration processing.
Arbitrary file overwrite vulnerability in SuperAGI's file upload functionality due to insufficient path sanitization.
Authorization bypass vulnerability in ONYX Enterprise Edition allowing curators to manipulate groups outside their authorized scope.
Arbitrary file overwrite vulnerability in ONNX library's save_external_data function through path traversal attacks.
Local file inclusion vulnerability in Dagster's gRPC server allowing arbitrary file reading through path traversal in notebook data endpoint.
Remote code execution vulnerability in Letta's tool execution endpoint through unsafe Python code execution in inadequate sandbox.
Authorization bypass vulnerability in AutoGPT's external API allowing authenticated users to access execution results from other users' graph executions.
Server-side request forgery vulnerability in BentoML's file upload processing system allowing arbitrary HTTP requests from the server.