Pribai Privategpt vulnerabilities

10 known vulnerabilities affecting pribai/privategpt.

Total CVEs: 10
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 4, MEDIUM 5

Vulnerabilities

CVE-2024-5936 | Priority P3 | MEDIUM | CVSS 6.1 | PoC available | Affected: v0.5.0 | 2024-06-27
CWE-601. An open redirect vulnerability exists in imartinez/privategpt version 0.5.0 due to improper handling of the 'file' parameter. This vulnerability allows attackers to redirect users to a URL specified by user-controlled input without proper validation or sanitization. The impact of this vulnerability includes potential phishing attacks, malware distribu
Source: NVD

CVE-2024-4343 | Priority P2 | CRITICAL | CVSS 9.8 | Fixed in: 0.6.0 | 2024-11-14
CWE-78. A Python command injection vulnerability exists in the `SagemakerLLM` class's `complete()` method within `./private_gpt/components/llm/custom/sagemaker.py` of the imartinez/privategpt application, versions up to and including 0.3.0. The vulnerability arises due to the use of the `eval()` function to parse a string received from a remote AWS SageMaker
Source: NVD

CVE-2024-3403 | Priority P3 | HIGH | CVSS 7.5 | Affected: ≥ 0.2.0, < 0.6.0 | 2024-05-16
CWE-22. imartinez/privategpt version 0.2.0 is vulnerable to a local file inclusion vulnerability that allows attackers to read arbitrary files from the filesystem. By manipulating file upload functionality to ingest arbitrary local files, attackers can exploit the 'Search in Docs' feature or query the AI to retrieve or disclose the contents of any file on the sy
Source: NVD

CVE-2024-12063 | Priority P3 | HIGH | CVSS 7.5 | Affected: v0.6.2 | 2025-03-20
CWE-400. A Denial of Service (DoS) vulnerability exists in the file upload feature of imartinez/privategpt version v0.6.2. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. An attacker can exploit this by sending a payload with an excessively large filename, causing the server to become overwhelmed and
Source: NVD

CVE-2024-5186 | Priority P3 | HIGH | CVSS 7.2 | Affected: v0.5.0 | 2024-06-06
CWE-918. A Server-Side Request Forgery (SSRF) vulnerability exists in the file upload section of imartinez/privategpt version 0.5.0. This vulnerability allows attackers to send crafted requests that could result in unauthorized access to the local network and potentially sensitive information. Specifically, by manipulating the 'path' parameter in a file upload r
Source: NVD

CVE-2024-8018 | Priority P3 | HIGH | CVSS 7.5 | Affected: v0.5.0 | 2025-03-20
CWE-770. A vulnerability in imartinez/privategpt version 0.5.0 allows for a Denial of Service (DoS) attack. When uploading a file, if an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process these characters, rendering privateGPT inaccessible. This uncontrolled resource consumption can lead to prol
Source: NVD

CVE-2025-4515 | Priority P3 | MEDIUM | CVSS 6.5 | Affected: ≤ 0.6.2 | 2025-05-10
CWE-346. A vulnerability, which was classified as problematic, was found in Zylon PrivateGPT up to 0.6.2. This affects an unknown part of the file settings.yaml. The manipulation of the argument allow_origins leads to a permissive cross-domain policy with untrusted domains. It is possible to initiate the attack remotely. The exploit has been disclosed to the pub
Source: NVD

CVE-2024-8029 | Priority P4 | MEDIUM | CVSS 6.1 | Affected: v0.5.0 | 2025-03-20
CWE-79. An XSS vulnerability was discovered in the upload file(s) process of imartinez/privategpt v0.5.0. Attackers can upload malicious SVG files, which execute JavaScript when victims click on the file link. This can lead to user data theft, session hijacking, malware distribution, and phishing attacks.
Source: NVD

CVE-2024-3851 | Priority P4 | MEDIUM | CVSS 5.4 | Affected: ≤ 0.6.2 | 2024-05-16
CWE-79. A stored Cross-Site Scripting (XSS) vulnerability exists in the 'imartinez/privategpt' repository due to improper validation of file uploads. Attackers can exploit this vulnerability by uploading malicious HTML files, such as those containing JavaScript payloads, which are then executed in the context of the victim's session when accessed. This could l
Source: NVD

CVE-2024-5935 | Priority P4 | MEDIUM | CVSS 5.4 | Affected: v0.5.0 | 2024-06-27
CWE-352. A Cross-Site Request Forgery (CSRF) vulnerability in version 0.5.0 of imartinez/privategpt allows an attacker to delete all uploaded files on the server. This can lead to data loss and service disruption for the application's users.
Source: NVD