repository icon
run-llama / llama_index Project repository

LlamaIndex is a data framework for your LLM applications

Submit a report

FIRST INTERACTION

WITHIN14 DAYS

REVIEW

WITHIN14 DAYS

FIX

WITHINN/A DAYS

Arbitrary code execution via unsafe pickle.load in txtai and bge-m3 integrations
bersechub
self closed
Sandbox escape to arbitrary code execution via operator.attrgetter in EvaporateE...
bersechub
self closed
SSRF in ChatGPTPluginToolSpec and OpenAPIToolSpec via Unvalidated URLs
jd-admrl-ai
self closed
SQL Injection in PostgresChatStore via Unsanitized schema_name Parameter
jd-admrl-ai
self closed
SQL injection via f-string interpolation in DB2 vector store delete(), query(),...
snakeyworm
duplicate
None
Sandbox escape in Evaporate extractor via operator.attrgetter bypassing AST dund...
snakeyworm
duplicate
Critical
NoSQL injection via f-string interpolation in Azure Cosmos DB NoSQL vector store...
snakeyworm
duplicate
Critical
Complete Sandbox Escape in EvaporateExtractor via operator.attrgetter Dunder Byp...
skillwager
duplicate
Critical
LLM-Generated SQL Executed Without Sanitization in NLSQLRetriever (Text-to-SQL)
gauravbhatia1211
duplicate
High
Sandbox Escape via operator.attrgetter in Evaporate Extractor — Arbitrary Code E...
sam8k
duplicate
Critical
Sandbox Escape in EvaporateExtractor via operator.attrgetter Bypassing AST Dunde...
py4y6
duplicate
Critical
Sandbox escape RCE via operator.attrgetter in EvaporateExtractor
ryan-fanpierlabs-security-finder
duplicate
Critical
Sandbox escape in Evaporate extractor via operator.attrgetter bypassing AST dund...
wormysnake
duplicate
Critical
Sandbox Escape via operator.attrgetter in Evaporate LLM Code Execution
lihfdgjr
duplicate
High
Indirect prompt injection enables arbitrary SQL execution in NLSQLTableQueryEngi...
n1neman
duplicate
None
SSRF via unvalidated image URL fetching in core schema classes
pulkit7070
duplicate
High
Sandbox Escape via Shallow AST Import Check in PandasQueryEngine exec_utils.py
hacnho
duplicate
High
SSRF via unvalidated image_url in multi-modal LLM generic_utils and schema
tranhoangtu-it
duplicate
Critical
Unauthenticated RCE via Path Traversal in download_dataset_and_source_files
jdp-security
not applicable
SQL Injection via LLM-Generated Queries in Text-to-SQL Pipeline
tkenaz
duplicate
Critical
Arbitrary Code Execution (RCE) via Sandbox Bypass in LlamaIndex (PandasQueryEngi...
catalyzer9867
duplicate
Critical
Supply Chain RCE via Unsanitized pip install in download_integration()
jdhart81
duplicate
Critical
SSRF in llama_index: ImageNode.resolve_image() and 5 other code paths fetch arbi...
caoxuyang
duplicate
High
SQL Injection in llama-index-vector-stores-db2 via delete(), query filters, and...
romain-deperne
duplicate
Critical
Incomplete Fix for CVE-2025-1793: SQL Injection via ref_doc_id in DB2 Vector Sto...
th3-j0k3r
duplicate
Critical
SSRF via Unvalidated Image URLs in Multi-Modal Document Schema and LLM Utils
nhomyk
duplicate
High
SQL Injection in llama-index-vector-stores-db2 and llama-index-vector-stores-cou...
ar03
duplicate
Critical
Arbitrary code execution via unsanitized llama_hub_url in download_llama_module(...
rishavkumarthapa01-sketch
duplicate
High
Sandbox Escape via Nested Import Bypass and Missing __builtins__ Restriction in...
phenggeler
duplicate
None
Arbitrary Code Execution via Pickle Deserialization in EmbeddedTablesUnstructure...
manja316
duplicate
Critical
SQL Injection via unsanitized db_schema in SQLAlchemyChatStore — DDL injection o...
mscgo
duplicate
None
Unsafe pickle.load() in BGEM3Index.load_from_disk() Enables RCE via Malicious In...
odysseypro25-project
self closed
Sandbox escape in EvaporateExtractor via operator.attrgetter bypasses AST dunder...
eistee82
duplicate
Critical
Unsafe pickle deserialization in EmbeddedTablesUnstructuredRetrieverPack leads t...
narrator3333-hash
duplicate
Critical
Sandbox Escape via operator.attrgetter Bypasses AST Validation in EvaporateExtra...
elucidator-hky
duplicate
High
SQL Injection via Unparameterized f-string Query Construction in Multiple Vector...
elucidator-hky
duplicate
High
Server-Side Request Forgery (SSRF) in Core Schema and Multiple Web Readers Due t...
elucidator-hky
self closed
Arbitrary code execution via unsafe pickle.load() and torch.load() in multiple L...
elucidator-hky
self closed
SQL injection in DuckDB vector store via f-string interpolation in DELETE and SE...
odysseypro25-project
not applicable
Arbitrary SQL Execution via NL2SQL LLM Output
odysseypro25-project
not applicable
SQL Injection via db_schema Parameter in SQLAlchemyChatStore
odysseypro25-project
duplicate
High
SimpleDirectoryReader Symlink Traversal → Arbitrary File Read
rhyk7
informative
Medium
Sandbox Escape - RCE in llama-index-program-evaporate
richorama
duplicate
Critical
LlamaIndex: exec() Code Execution with Bypassable Sandbox in Evaporate Extractor
iamveene
self closed
LlamaIndex: SSRF via SimpleWebPageReader -- No URL Validation or Private IP Bloc...
iamveene
self closed
LlamaIndex: RAG Indirect Prompt Injection via Unsanitized Document Context Inser...
iamveene
self closed
LlamaIndex: Supply Chain RCE via download_llama_module Without Integrity Verific...
iamveene
duplicate
High
LlamaIndex: Dynamic Import from Serialized Ray Pipeline Config Leading to Arbitr...
iamveene
not applicable
SQL++ Injection in CouchbaseQueryVectorStore via unsanitized MetadataFilter keys...
richorama
informative
Critical
World-readable persist() artifacts expose sensitive data
amadhan882
not applicable
Unprotected pickle.load() in 5 Locations Across 4 LlamaIndex Integration Package...
iamveene
self closed
NoSQL Injection via F-String Interpolation in Azure Cosmos DB Vector Store
iamveene
duplicate
High
Root RCE Patch Bypass in LlamaIndex v0.14.15 via Persistent Insecure Deserializa...
amadhan882
not applicable
ReDoS via User-Supplied Regex in SEC Filings FastAPI Endpoint
abhiabhi2306
informative
Medium
Sandbox escape in exec_utils allows arbitrary command execution
vnykmshr
duplicate
Critical
External Control of File Name or Path in llamaindex-cli new-package allows direc...
cardosource
not applicable
Unsafe deserialization via pickle in LlamaIndex storage and index persistence
etwithin
spam
Sandbox Bypass in safe_exec / safe_eval leading to Remote Code Execution (RCE) v...
amitzalman
duplicate
Critical
Sandbox Escape via AST Bypass and __builtins__ Injection in safe_exec leads to R...
sendorrr
self closed
SQL Injection via MetadataFilter key/value in 7 Vector Store query() Paths (Mari...
d3banjan
self closed
NoSQL Injection in AzureCosmosDBNoSqlVectorSearch `delete()` and `_query()` Meth...
hiyokosauna37
self closed
SQL Injection in PGVectorStore metadata filtering via `_build_filter_clause()`
directbuilds
informative
Critical
EdgeQL Injection in LlamaIndex Gel VectorStore — Cross-Table Data Exfiltration a...
apeiria-zero
informative
High
Sandbox Escape in Evaporate Extractor via chr()+operator.attrgetter — Remote Cod...
apeiria-zero
duplicate
Critical
AST Sandbox Bypass via eval/exec string literals in _validate_generated_code() l...
erc840902
duplicate
Critical
API Key Leak via Incomplete Callback Filtering in LLM Callback Decorators
2201029-cyber
duplicate
Medium
Unsafe pickle.load() in SimpleObjectNodeMapping.from_persist_dir() enables arbit...
sinhsinhan
duplicate
Critical
LlamaIndex SSRF via Unvalidated Image URL Fetching in LanceDB Integration - Acce...
avienma007
duplicate
Critical
Arbitrary Code Execution via Code Interpreter Tool Without Sandboxing
avienma007
informative
Critical