Transformeroptimus Superagi vulnerabilities
8 known vulnerabilities affecting transformeroptimus/transformeroptimus_superagi.
Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 6, MEDIUM 2
Vulnerabilities
CVE-2024-9415 [HIGH] CWE-22 | P2 | CVSS 8.8 | ≥ unspecified, ≤ latest | 2025-03-20
A Path Traversal vulnerability exists in the file upload functionality of transformeroptimus/superagi version 0.0.14. This vulnerability allows an attacker to upload an arbitrary file to the server, potentially leading to remote code execution or overwriting any file on the server.
Source: nvd
CVE-2024-9439 [HIGH] CWE-94 | P3 | CVSS 8.8 | ≥ unspecified, ≤ latest | 2025-03-20
SuperAGI is vulnerable to remote code execution in the latest version. The `agent template update` API allows attackers to control certain parameters, which are then fed to the eval function without any sanitization or checks in place. This vulnerability can lead to full system compromise.
Source: nvd
CVE-2024-12048 [HIGH] CWE-304 | P3 | CVSS 8.8 | ≥ unspecified, ≤ latest | 2025-03-20
An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. The application fails to properly check authorization for multiple API endpoints, allowing attackers to view, edit, and delete other users' information without proper authorization. Affected endpoints include but are not limited to /get/proj
Source: nvd
CVE-2024-9431 [HIGH] CWE-620 | P3 | CVSS 8.8 | ≥ unspecified, ≤ latest | 2025-03-20
In version v0.0.14 of transformeroptimus/superagi, there is an improper privilege management vulnerability. After logging into the system, users can change the passwords of other users, leading to potential account takeover.
Source: nvd
CVE-2024-10267 [HIGH] CWE-359 | P3 | CVSS 7.5 | ≥ unspecified, ≤ latest | 2025-03-20
An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. An attacker can leak sensitive user information, including names, emails, and passwords, by attempting to register a new account with an email that is already in use. The server returns all information associated with the existing account. The vulnerab
Source: nvd
CVE-2024-9437 [HIGH] CWE-770 | P3 | CVSS 7.5 | ≥ unspecified, ≤ latest | 2025-03-20
SuperAGI version v0.0.14 is vulnerable to an unauthenticated Denial of Service (DoS) attack. The vulnerability exists in the resource upload request, where appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request causes the server to continuously process each character. This leads to excessive resource consumption
Source: nvd
CVE-2024-9418 [MEDIUM] CWE-256 | P3 | CVSS 6.5 | ≥ unspecified, ≤ latest | 2025-03-20
In version 0.0.14 of transformeroptimus/superagi, the API endpoint `/api/users/get/{id}` returns the user's password in plaintext. This vulnerability allows an attacker to retrieve the password of another user, leading to potential account takeover.
Source: nvd
CVE-2024-9447 [MEDIUM] CWE-1230 | P3 | CVSS 6.5 | ≥ unspecified, ≤ latest | 2025-03-20
An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. The `/get/organisation/` endpoint does not verify the user's organization, allowing any authenticated user to retrieve sensitive configuration details, including API keys, of any organization. This could lead to unauthorized access to services and sig
Source: nvd