CVE-2024-11042
published 2025-03-20

Priority: P358 | critical | 9.1 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS: 1.35% (68.0th percentile)

In invoke-ai/invokeai version v5.0.2, the web API `POST /api/v1/images/delete` is vulnerable to Arbitrary File Deletion. This vulnerability allows unauthorized attackers to delete arbitrary files on the server, potentially including critical or sensitive system files such as SSH keys, SQLite databases, and configuration files. This can impact the integrity and availability of applications relying on these files.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| invoke-ai | invoke-ai_invokeai | >= 0 < 5.3.0rc1 | 5.3.0rc1 |
| invoke-ai | invoke-ai_invokeai | >= unspecified < 5.3.0 | 5.3.0 |