Jackfromeast

**Name of the Vulnerable Software and Affected Versions** AnythingLLM versions 1.11.1 and earlier **Description** AnythingLLM is an application designed to enhance Large Language Models (LLMs) by providing contextual information from content. A Streaming Phase Cross-Site Scripting (XSS) issue exists in the chat rendering pipeline, potentially leading to Remote Code Execution (RCE) on the host operating system. This is due to an insecure Electron configuration, specifically the combination of `nodeIntegration: true` and `contextIsolation: false`. The vulnerability arises from the interpolation of token content directly into the `alt` attribute within the custom markdown-it image renderer located in `frontend/src/utils/chat/markdown.js` without proper HTML entity escaping. The `PromptReply` component then renders this output using `dangerouslySetInnerHTML` without DOMPurify sanitization, unlike the `HistoricalMessage` component which correctly applies DOMPurify.sanitize(). An attacker can exploit this by influencing the content generated by the LLM, such as through poisoned Retrieval-Augmented Generation (RAG) documents or compromised LLM endpoints, to achieve full host compromise. **Recommendations** Update to version 1.11.2 or later.

**Name of the Vulnerable Software and Affected Versions** AFFiNE versions prior to 0.25.4 **Description** AFFiNE is an open-source workspace and operating system. Versions prior to 0.25.4 contain a one-click remote code execution issue. An attacker can exploit this by embedding a specially crafted `affine:` URL on a website. Exploitation occurs when a victim visits a malicious website that redirects to the URL, or clicks a crafted link on a legitimate website. This triggers the AFFiNE custom URL handler, launching the application and processing the URL, resulting in arbitrary code execution on the victim’s machine without further interaction. **Recommendations** Update to version 0.25.4 or later.

**Name of the Vulnerable Software and Affected Versions** Agenta-API versions prior to 0.48.1 **Description** Agenta is an open-source LLMOps platform. In Agenta-API versions prior to 0.48.1, a Python sandbox escape existed in Agenta's custom code evaluator. The platform used RestrictedPython as a sandboxing mechanism for user-supplied evaluator code, but incorrectly whitelisted the `numpy` package as safe within the sandbox. This allowed authenticated users to bypass the sandbox and achieve arbitrary code execution on the API server. The escape path was through `numpy.ma.core.inspect`, which exposes Python's introspection utilities – including `sys.modules` – thereby providing access to unfiltered system-level functionality like `os.system`. The custom code evaluator runs server-side within the API process. **Recommendations** Update to version 0.48.1 or later to resolve the issue. Versions 0.60 and later have removed the RestrictedPython sandbox entirely and replaced it with a different execution model.

**Name of the Vulnerable Software and Affected Versions** Lobe Chat versions prior to 1.129.4 **Description** Lobe Chat, an open-source artificial intelligence chat framework, contains a cross-site scripting (XSS) issue in how it handles chat messages. Specifically, when a server response includes a `lobeArtifact` of type `image/svg+xml`, the application renders it using `dangerouslySetInnerHTML`, which can lead to XSS attacks. Parties capable of injecting content into chat messages – including malicious pages, compromised MCP servers, or tool integrations – can exploit this issue. This can potentially escalate to remote code execution on the user’s machine. **Recommendations** Update Lobe Chat to version 1.129.4 or later.

**Name of the Vulnerable Software and Affected Versions** Dyad versions prior to 0.20.0 **Description** Dyad is a local AI app builder susceptible to arbitrary code execution on users' systems. The issue affects the application’s preview window functionality and can bypass Docker container protections. An attacker can craft web content that automatically executes when the preview loads, potentially gaining control of the system. **Recommendations** Update to Dyad version 0.20.0 or later.

**Name of the Vulnerable Software and Affected Versions** 5ire versions prior to 0.14.0 **Description** 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. A flaw in the chat page's script gadgets allows content injection attacks. This can be achieved through several vectors, including malicious prompt injection pages, compromised MCP servers, and exploited tool integrations. **Recommendations** Update to version 0.14.0.

**Name of the Vulnerable Software and Affected Versions** Dive versions 0.9.0 through 0.9.3 **Description** Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Versions 0.9.0 through 0.9.3 contain a Remote Code Execution (RCE) vulnerability triggered by a crafted URL value, `transport`, within a JSON object. An attacker can exploit this issue by redirecting a victim to a malicious website or embedding a crafted link in legitimate content. When a victim interacts with the crafted link, the browser invokes Dive’s custom URL handler (dive:), launching the application and executing arbitrary code on the victim’s machine due to improper processing of the custom URL. **Recommendations** Update to version 0.9.4 or later.

Name of the Vulnerable Software and Affected Versions: DeepChat versions prior to 0.3.1 Description: DeepChat is a smart assistant that connects powerful AI to a user’s personal world. A remote code execution flaw exists in versions prior to 0.3.1. An attacker can exploit this issue by embedding a specially crafted `deepchat:` URL on a website. When a victim visits the site or clicks the link, the browser triggers the application’s custom URL handler, causing DeepChat to launch and process the URL, leading to remote code execution on the victim’s machine. Recommendations: Update DeepChat to version 0.3.1 or later.

Name of the Vulnerable Software and Affected Versions: Cherry Studio versions 1.4.8 through 1.5.0 Description: Cherry Studio is a desktop client supporting multiple LLM providers. A one-click remote code execution issue exists due to improper custom URL handling. An attacker can exploit this by hosting a malicious website or embedding a specially crafted URL. Clicking the exploit link in a browser triggers the app’s custom URL handler, resulting in remote code execution on the victim’s machine. Recommendations: Update to version 1.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** umeditor version 1.2.3 **Description** A DOM Clobbering issue allows attackers to execute arbitrary code by supplying a crafted HTML element. **Recommendations** For umeditor version 1.2.3, update to a version that fixes this issue, as no specific workaround is provided for this version.

**Name of the Vulnerable Software and Affected Versions** tsup version 8.3.4 **Description** A DOM Clobbering issue allows attackers to execute arbitrary code via a crafted script in the `import.meta.url` to `document.currentScript` in `cjs shims.js` components. **Recommendations** For tsup version 8.3.4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** seajs version 2.2.3 **Description** A Cross Site Scripting issue allows a remote attacker to execute arbitrary code via the seajs package. **Recommendations** For seajs version 2.2.3, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mavo version 0.3.2 **Description** A DOM Clobbering issue allows attackers to execute arbitrary code by supplying a crafted HTML element. **Recommendations** For mavo version 0.3.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Stage.js versions 0.8.10 and earlier **Description** The issue allows DOM Clobbering, which can result in XSS for untrusted input that contains HTML but does not directly contain JavaScript. This is because the document.currentScript lookup can be shadowed by attacker-injected HTML elements. **Recommendations** For Stage.js versions 0.8.10 and earlier, as a temporary workaround, consider restricting the use of document.currentScript until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Prism (aka PrismJS) versions prior to 1.29.0 **Description** The issue allows DOM Clobbering, which can result in XSS for untrusted input that contains HTML but does not directly contain JavaScript. This occurs because the `document.currentScript` lookup can be shadowed by attacker-injected HTML elements. **Recommendations** For Prism (aka PrismJS) versions prior to 1.29.0, update to version 1.29.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Django-Unicorn versions prior to 0.62.0 **Description** The vulnerability arises from the core functionality `set property value`, which can be remotely triggered by users by crafting appropriate component requests and feeding in values of the second and third parameters to the vulnerable function, leading to arbitrary changes to the python runtime status. This issue can result in Cross-Site Scripting (XSS), Denial of Service (DoS), and Authentication Bypass attacks in almost every Django-Unicorn-based application. At least five ways of vulnerability exploitation have been observed. **Recommendations** To resolve the issue, upgrade to version 0.62.0 or later. As a temporary workaround, consider blocking paths that start with ` ` to prevent access to **double under (dunder)** or **magic variables/methods**. Additionally, setting a blacklist for restricted paths, such as `RESTRICTED KEYS = (" globals ", " builtins ")`, can help mitigate the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gradio versions prior to 5.6.0 **Description** Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path due to the lack of case normalization in the file path validation logic. This issue can lead to unauthorized data access, exposing sensitive information and undermining the integrity of Gradio's security model. On case-insensitive file systems, such as those used by Windows and macOS, this flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. **Recommendations** For Gradio versions prior to 5.6.0, upgrade to version 5.6.0 or later to address the vulnerability. As a temporary workaround, consider normalizing the case of both the requested path and the blocked paths (e.g., convert all paths to lowercase) before evaluating them against the ACL. Restrict access to sensitive files and directories until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Joplin-desktop (affected versions not specified) **Description** The issue arises due to insufficient sanitization of `<a>` tag attributes introduced by the Mermaid, allowing the execution of untrusted HTML content within the Electron window. This enables arbitrary shell command execution when a user clicks on an `<a>` link within untrusted notes. The markdown preview iframe shares the same origin as its parent and lacks the `sandbox` attribute, allowing scripts running in the iframe to call Node.js APIs through `window.parent`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Astro versions 3.0.0 through 4.16.0 **Description** The Astro web framework has a DOM Clobbering gadget in the client-side router. This issue can lead to cross-site scripting (XSS) in websites that enable Astro's client-side routing and have stored attacker-controlled scriptless HTML elements, such as `iframe` tags with unsanitized `name` attributes, on the destination pages. The vulnerability can result in XSS attacks on websites built with Astro that enable client-side routing with `ViewTransitions` and store user-inserted scriptless HTML tags without properly sanitizing the `name` attributes on the page. **Recommendations** For Astro versions 3.0.0 through 4.16.0, update to version 4.16.1 or later to resolve the issue. As a temporary workaround, consider disabling the client-side routing feature until a patch is applied. Restrict access to the client-side router module to minimize the risk of exploitation. Avoid using unsanitized `name` attributes in `iframe` tags within the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LayUI versions prior to 2.9.17 **Description** The issue is related to a DOM Clobbering vulnerability that can lead to Cross-site Scripting (XSS) on web pages where attacker-controlled HTML elements, such as `img` tags with unsanitized `name` attributes, are present. This vulnerability can be exploited due to the presence of unsanitized attributes in HTML elements. **Recommendations** For versions prior to 2.9.17, update to version 2.9.17 to fix the issue. As a temporary workaround, consider sanitizing user-controlled input, especially attributes of HTML elements like `name` in `img` tags, to minimize the risk of exploitation.