Yu Sun

**Name of the Vulnerable Software and Affected Versions** Mem0 versions prior to 0.2.8 **Description** The self-hosted server component contains a missing authorization flaw. The 'POST /configure' endpoint allows the modification of global LLM provider and embedder configurations. While the system verifies authentication via JWT or `X-API-Key`, it fails to validate the caller's role. Consequently, any authenticated user with a distributed API key can redirect all LLM and embedder traffic to a server controlled by an attacker. This malicious configuration is persisted in PostgreSQL and remains active after server restarts, affecting all users and API keys on the instance. **Recommendations** Update to the version containing commit ae7f406. As a temporary workaround, restrict access to the 'POST /configure' endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MoviePilot (affected versions not specified) **Description** Path traversal exists in the AliPan, U115, and Rclone cloud storage download handlers. The issue occurs because the local destination path is created by concatenating the configured download directory with a filename retrieved from remote cloud API metadata without performing path validation or basename normalization. An attacker controlling a filename returned by a remote cloud storage API can use traversal sequences such as `../` to write downloaded content outside the intended directory, which may lead to the overwriting of arbitrary configuration or plugin files accessible by the application process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized user-supplied project names directly to os.path.join() without validating the resulting path stays within the intended base directory. Attackers can supply absolute path arguments such as /tmp/EVIL to override the base directory entirely and create arbitrary directories with attacker-controlled JSON content at any filesystem path writable by the server process.

Banana Slides through 0.4.0, patched in commit e8bc490, contains a path traversal vulnerability in the generate image() function within the AI service backend that allows unauthenticated attackers to read arbitrary image-format files outside the intended uploads directory by exploiting an incomplete path prefix check using os.path.startswith() without a trailing separator. Attackers can supply crafted markdown image references in user-controlled page descriptions that resolve to sibling directories whose names share the uploads folder prefix, bypassing the directory confinement check and causing the application to read files from unintended locations via PIL Image.open().

**Name of the Vulnerable Software and Affected Versions** AI Tensor Engine for ROCm (AITER) versions prior to 0.1.15 **Description** An unauthenticated remote code execution issue exists in the `MessageQueue.recv()` function within `shm broadcast.py`. This occurs because a ZMQ SUB socket lacks authentication, HMAC, or format validation, allowing remote attackers to execute arbitrary code by sending a malicious pickle payload. Attackers can achieve this by reaching the writer XPUB endpoint on the cluster network or by providing a forged Handle containing an attacker-controlled `remote subscribe addr`. This allows the delivery of a crafted pickle payload that executes code as the inference worker process across every remote reader worker. **Recommendations** Update to a version later than 0.1.14.

**Name of the Vulnerable Software and Affected Versions** XX-Net version 5.16.6 **Description** A WebSocket frame parsing issue exists in the `WebSocket receive worker` routine of `simple http server.py`. The server unconditionally reads 4 bytes as a masking key, even if the MASK bit is not set in the frame header. This causes the first 4 bytes of the payload to be consumed as a mask key and the remaining payload to be incorrectly XOR-decoded, leading to corrupted application data. Additionally, the system fails to validate the RSV bit, opcode, and FIN fragmentation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** manga-image-translator (affected versions not specified) **Description** Remote code execution is possible in the shared API server mode due to unsafe deserialization of untrusted pickle data within the `share.py` module. The endpoints '/execute/{method name}' and '/simple execute/{method name}' use `pickle.loads()` to deserialize HTTP request bodies controlled by an attacker. A remote attacker can provide a crafted pickle payload to these endpoints to execute arbitrary code in the server process, which can lead to full container compromise when the software is running as root in the default Docker deployment. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** agno version 2.6.5 **Description** A SQL injection issue exists in the ClickHouse vector database backend. Attackers can inject arbitrary SQL expressions by providing malicious metadata keys and values to the `delete by metadata()` function. This is possible due to unsafe f-string interpolation within the `clickhousedb.py` file, which could allow the deletion of all rows, targeting of specific rows, or information extraction using blind or error-based SQL injection techniques. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MoviePilot version v2 **Description** An issue exists in the image proxy endpoint '/api/v1/system/img/{proxy}' that allows authenticated attackers to request arbitrary URLs. By providing a `resource token` cookie and a URL with a domain that matches the allowlist, attackers can bypass internal network protections. This occurs because the `is safe url()` function in `SecurityUtils` only verifies domain membership and fails to block private, loopback, or link-local addresses. This can lead to the enumeration of internal services, such as Jellyfin, Emby, or Plex, and the exfiltration of data from internal network resources. Server-side request forgery (SSRF) is a flaw where an attacker can force a server to make requests to an unintended location. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xiaomusic version 0.5.7 **Description** An unauthenticated path traversal issue exists in the 'GET /music/{file path:path}' endpoint. This occurs due to an incomplete path prefix check and a missing trailing separator in the comparison logic. Unauthenticated attackers can bypass path restrictions by crafting traversal sequences to request files from sibling directories that share the `music path` prefix, allowing the retrieval of arbitrary files from the server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ai-goofish-monitor (affected versions not specified) **Description** An unauthenticated arbitrary file read issue exists in Windows deployments. Remote attackers can read arbitrary files by supplying absolute Windows paths or backslash-based traversal sequences to the 'GET /api/prompts/{filename}' endpoint. The flaw stems from an incomplete path traversal guard that only blocks forward slashes and '..', allowing the `os.path.join` function to discard the intended prompts directory prefix when absolute paths are provided, thereby exposing files accessible to the application process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DeepCode versions prior to commit c991dc2 **Description** A path traversal issue exists in the SPA catch-all route within `new ui/backend/main.py`. Unauthenticated attackers can read arbitrary files by providing percent-encoded path segments to the 'GET /{full path:path}' endpoint. By encoding slashes as %2F and dots as %2E%2E, the Starlette path normalization is bypassed, allowing the joined path to move outside the `FRONTEND DIST` directory. This can expose sensitive data, including SSH private keys, TLS certificates, and application secrets, via a single HTTP request. **Recommendations** Update to a version containing commit c991dc2 or later.

**Name of the Vulnerable Software and Affected Versions** Gradio versions prior to 6.15.0 **Description** A cookie injection issue exists due to a shared module-level HTTP client used across all users in the reverse proxy endpoint. This allows remote attackers who control any HF Space to return a parent-domain cookie. The shared client stores this cookie and automatically replays it into subsequent proxy requests to other legitimate Spaces, enabling cross-Space session fixation for all users of the same Gradio deployment. **Recommendations** Update to version 6.15.0 or later.

Agent Zero before version 1.15 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript in the application origin by serving SVG files through the image get API endpoint without Content-Security-Policy, X-Content-Type-Options, or Content-Disposition headers. Attackers can place a crafted SVG file containing script tags in any path readable by the agent-zero process and lure an authenticated user to the image get endpoint, causing the browser to execute the malicious script, steal the csrf token cookie, and perform unauthorized API calls on behalf of the victim.

Agent Zero before version 1.15 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by supplying crafted paths to the image file serving endpoint, which relies solely on an extension allowlist while the path containment check is explicitly disabled. Attackers can request any file with an image extension readable by the process, including files outside the agent workspace, user home directories, and mounted volumes, and can also leverage symlink-based escapes due to the lack of path canonicalization in the path resolution logic.

Taipy 4.1.1, fixed in commit 129fd40, contains a path traversal vulnerability in the ElementLibrary.get resource() method in taipy/gui/extension/library.py that allows unauthenticated attackers to escape the intended module directory by exploiting an incomplete path containment check using str.startswith() without a trailing path separator. Attackers can send crafted GET requests with path traversal segments targeting a prefix-matching sibling directory on disk, bypassing the directory containment check because Flask's path converter and Werkzeug's WSGI layer preserve the traversal segments while the resolved path still satisfies the flawed startswith comparison, enabling unauthorized file access outside the intended library directory.

**Name of the Vulnerable Software and Affected Versions** PingCAP TiDB version 7.5.1 **Description** A buffer overflow issue was discovered, which could lead to database crashes and denial of service attacks. **Recommendations** For PingCAP TiDB version 7.5.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TiDB version 7.5.1 **Description** A NULL pointer dereference issue was discovered in the SortedRowContainer component of TiDB. **Recommendations** For version 7.5.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.