Filtered by vendor: Hliu
Filtered by product: Llava
Total: 5 CVE

| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2024-12065 | 1 Hliu | 1 Llava | 2025-10-21 | N/A | A local file inclusion vulnerability exists in haotian-liu/llava at commit c121f04. This vulnerability allows an attacker to access any file on the system by sending multiple crafted requests to the server. The issue is due to improper input validation in the gradio web UI component. |
| CVE-2024-12068 | 1 Hliu | 1 Llava | 2025-10-21 | N/A | A Server-Side Request Forgery (SSRF) vulnerability was discovered in haotian-liu/llava, affecting version git c121f04. This vulnerability allows an attacker to make the server perform HTTP requests to arbitrary URLs, potentially accessing sensitive data that is only accessible from the server, such as AWS metadata credentials. |
| CVE-2024-10225 | 1 Hliu | 1 Llava | 2025-10-15 | N/A | A vulnerability in haotian-liu/llava v1.2.0 allows an attacker to cause a Denial of Service (DoS) by appending a large number of characters to the end of a multipart boundary in a file upload request. This causes the server to continuously process each character, rendering the application inaccessible. |
| CVE-2024-9308 | 1 Hliu | 1 Llava | 2025-07-15 | N/A | An open redirect vulnerability in haotian-liu/llava version v1.2.0 (LLaVA-1.6) allows a remote unauthenticated attacker to redirect users to arbitrary websites via a specially crafted URL. This can be exploited for phishing attacks, malware distribution, and credential theft. |
| CVE-2024-9309 | 1 Hliu | 1 Llava | 2025-07-15 | N/A | A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in haotian-liu/llava version v1.2.0 (LLaVA-1.6). This vulnerability allows attackers to exploit the victim Controller API Server's credentials to perform unauthorized web actions or access unauthorized web resources. |
                            
                                
                                