Bounties
Partners
Community
Info
run-llama / llama_index
Project repository
LlamaIndex is a data framework for your LLM applications
Submit a report
FIRST INTERACTION
WITHIN
12 DAYS
REVIEW
WITHIN
12 DAYS
FIX
WITHIN
90 DAYS
SQL Injection in llama-index-vector-stores-db2 and llama-index-vector-stores-cou...
Mar 19th 2026
ar03
•
duplicate
Critical
Arbitrary code execution via unsanitized llama_hub_url in download_llama_module(...
Mar 19th 2026
rishavkumarthapa01-sketch
•
duplicate
High
Sandbox Escape via Nested Import Bypass and Missing __builtins__ Restriction in...
Mar 17th 2026
phenggeler
•
duplicate
None
Arbitrary Code Execution via Pickle Deserialization in EmbeddedTablesUnstructure...
Mar 17th 2026
manja316
•
duplicate
Critical
Unsafe pickle.load() in BGEM3Index.load_from_disk() Enables RCE via Malicious In...
Mar 18th 2026
odysseypro25-project
•
self closed
Unsafe pickle deserialization in EmbeddedTablesUnstructuredRetrieverPack leads t...
Mar 17th 2026
narrator3333-hash
•
duplicate
Critical
SQL Injection via Unparameterized f-string Query Construction in Multiple Vector...
Mar 19th 2026
elucidator-hky
•
duplicate
High
Server-Side Request Forgery (SSRF) in Core Schema and Multiple Web Readers Due t...
Mar 16th 2026
elucidator-hky
•
self closed
Arbitrary code execution via unsafe pickle.load() and torch.load() in multiple L...
Mar 16th 2026
elucidator-hky
•
self closed
LlamaIndex: exec() Code Execution with Bypassable Sandbox in Evaporate Extractor
Mar 9th 2026
iamveene
•
self closed
LlamaIndex: SSRF via SimpleWebPageReader -- No URL Validation or Private IP Bloc...
Mar 9th 2026
iamveene
•
self closed
LlamaIndex: RAG Indirect Prompt Injection via Unsanitized Document Context Inser...
Mar 9th 2026
iamveene
•
self closed
Unprotected pickle.load() in 5 Locations Across 4 LlamaIndex Integration Package...
Mar 9th 2026
iamveene
•
self closed
Sandbox escape in exec_utils allows arbitrary command execution
Mar 8th 2026
vnykmshr
•
duplicate
Critical
Sandbox Bypass in safe_exec / safe_eval leading to Remote Code Execution (RCE) v...
Mar 7th 2026
amitzalman
•
duplicate
Critical
Sandbox Escape via AST Bypass and __builtins__ Injection in safe_exec leads to R...
Mar 6th 2026
uchiha100x
•
self closed
SQL Injection via MetadataFilter key/value in 7 Vector Store query() Paths (Mari...
Mar 5th 2026
d3banjan
•
self closed
NoSQL Injection in AzureCosmosDBNoSqlVectorSearch `delete()` and `_query()` Meth...
Mar 6th 2026
hiyokosauna37
•
self closed
Sandbox Escape in Evaporate Extractor via chr()+operator.attrgetter — Remote Cod...
Mar 5th 2026
apeiria-zero
•
duplicate
Critical
AST Sandbox Bypass via eval/exec string literals in _validate_generated_code() l...
Mar 4th 2026
erc840902
•
duplicate
Critical
Unsafe pickle.load() in SimpleObjectNodeMapping.from_persist_dir() enables arbit...
Mar 3rd 2026
sinhsinhan
•
duplicate
Critical
LlamaIndex SSRF via Unvalidated Image URL Fetching in LanceDB Integration - Acce...
Mar 3rd 2026
avienma007
•
duplicate
Critical
Unsafe Pickle Deserialization in Object Node Mapping Achieves RCE
Feb 27th 2026
jeremysommerfeld8910-cpu
•
duplicate
High
Sandbox Escape via operator.attrgetter in Evaporate Extractor Achieves RCE
Mar 5th 2026
jeremysommerfeld8910-cpu
•
duplicate
Critical
Sandbox Bypass in "safe_exec/safe_eval" Leads to Remote Code Execution
Feb 24th 2026
nakosec
•
duplicate
Critical
SSRF via Unvalidated URL in `LanceDBRetriever` Multimodal Query Functions (`quer...
Mar 3rd 2026
soze-ki
•
duplicate
High
PandasQueryEngine Sandbox Escape via pd.io.common.os Module Attribute Traversal
Feb 21st 2026
wernerina
•
duplicate
Critical
Server-Side Request Forgery (SSRF) via Unvalidated URL in SimpleWebPageReader
Feb 20th 2026
invisiblemonsters
•
duplicate
High
Insecure Deserialization in SimpleObjectNodeMapping.from_persist_dir()
Feb 19th 2026
loris4py
•
duplicate
Critical
SQL Injection in Alibaba Cloud MySQL Vector Store via Unsanitized Metadata Filte...
Feb 19th 2026
mehmedbesim
•
duplicate
Critical
Server-Side Request Forgery (SSRF) in Multiple Web Reader Components
Feb 20th 2026
galanzi2580-wq
•
duplicate
High
Arbitrary Code Execution via Unsafe Pickle Deserialization in SimpleObjectNodeMa...
Feb 19th 2026
l1iith
•
duplicate
High
Sandbox Bypass → Remote Code Execution in `safe_eval`/`safe_exec` via `pd.io.com...
Feb 21st 2026
l1iith
•
duplicate
Critical
SQL Injection in DB2 Vector Store `delete()`, `query()`, and metadata filter met...
Mar 19th 2026
l1iith
•
duplicate
Critical
Sandbox Bypass
Feb 24th 2026
jeremylaratro
•
duplicate
Critical
SQL Injection in Additional Vector Stores Not Resolved by CVE-2025-1793
Feb 19th 2026
responsiblereport10
•
duplicate
Critical
SQL Injection in DB2 Vector Store via `delete()`, `query()`, and `_append_meta_f...
Feb 8th 2026
maniketabchi
•
duplicate
Critical
Remote Code Execution via Documentation-Recommended PickleSerializer in Workflow...
Feb 8th 2026
edferr
•
duplicate
Critical
Bypass of CVE-2024-003 Sandbox Logic in safe_eval
Mar 3rd 2026
anandppatil
•
duplicate
Critical
PandasQueryEngine safe_exec sandbox bypass via whitelisted imports (pandas/numpy...
Feb 24th 2026
theagentknownasren-gif
•
duplicate
Critical
PandasQueryEngine safe_exec sandbox bypass via whitelisted imports (pandas/numpy...
Feb 21st 2026
theagentknownasren-gif
•
duplicate
Critical
Systemic SQL Injection in 10+ Vector Store Integrations via Unsanitized Metadata...
Feb 8th 2026
jhacksman
•
duplicate
High
LlamaIndex TextToCypherRetriever Prompt Injection leads to Cypher Injection and...
Feb 1st 2026
mia-718ai
•
duplicate
Critical
Arbitrary Code Execution in download_llama_module() via Unverified Remote Code D...
Mar 11th 2026
mia-718ai
•
informative
High
JSONReader.load_data() Arbitrary File Read via Path Traversal (CWE-22)
Mar 11th 2026
mia-718ai
•
informative
High
Server-Side Request Forgery (SSRF) in llama_index Download Module Allows Access...
Feb 1st 2026
mia-718ai
•
duplicate
Critical
SQL Injection in SQLRetriever.retrieve_with_metadata() allows arbitrary database...
Mar 6th 2026
mia-718ai
•
informative
Critical
Server Side Request Forgery in ImageNode.resolve_image() method
Mar 6th 2026
yashvardhantrip
•
informative
High
Sandbox Bypass via pandas.read_pickle() leads to Remote Code Execution
Mar 3rd 2026
yashvardhantrip
•
informative
High
Server Side Request Forgery in ImageNode.resolve_image() method
Jan 28th 2026
yashvardhantrip
•
duplicate
High
RCE via Pickle Deserialization in SimpleObjectNodeMapping.from_persist_dir()
Jan 28th 2026
yashvardhantrip
•
duplicate
High
Unsafe Pickle Deserialization in SimpleObjectNodeMapping Enables Remote Code Exe...
Jan 28th 2026
sanu1999
•
duplicate
High
Path Traversal via Symbolic Links in SimpleDirectoryReader Allows Arbitrary File...
Jan 28th 2026
sanu1999
•
duplicate
Medium
DatabaseReader SQL Injection Vulnerability Report
Mar 3rd 2026
fhkkmd637
•
informative
Critical
Remote Code Execution in SimpleObjectNodeMapping via Unsafe Pickle Deserializati...
Jan 28th 2026
mr-neutr0n
•
duplicate
Critical
Arbitrary Code Execution via Unsafe pickle.load() and torch.load() in Index/Adap...
Mar 3rd 2026
sermikr0
•
not applicable
Sandbox Bypass via str.format() Allows Information Disclosure of __globals__ and...
Mar 3rd 2026
alan-tiger
•
informative
Medium
Arbitrary File Write via Sandbox Bypass in PandasQueryEngine (Prompt Injection)
Feb 5th 2026
unicuervo16
•
informative
Critical
XML External Entity (XXE) Injection in DocugamiReader via Unsafe XML Parsing
Feb 5th 2026
bademeischta
•
informative
Critical
Uncontrolled Recursion in `JSONNodeParser` Leads to Stack Overflow DoS in run-ll...
Jan 9th 2026
nova-aryan
•
duplicate
High
Blind SQL Injection in NLSQLTableQueryEngine via Prompt Injection allows Databas...
Feb 5th 2026
bademeischta
•
informative
Critical
Arbitrary Argument Injection in download_integration leading to potential RCE
Feb 5th 2026
espanda666
•
informative
High
Remote Code Execution (RCE) via Indirect Prompt Injection in EvaporateExtractor
Jan 4th 2026
espanda666
•
duplicate
Critical
Remote code execution vulnerability in that bypasses code checks
Jan 4th 2026
ka7arotto
•
duplicate
Critical
Unsafe Sandbox Bypass in llama_index's safe_exec and safe_eval Functions Allows...
Dec 31st 2025
to-be-w1th0ut
•
duplicate
Critical
LlamaIndex Remote Code Execution via safe_exec + Malicious Pickle
Dec 31st 2025
to-be-w1th0ut
•
duplicate
Critical
Authorization Boundary Bypass in NLSQLTableQueryEngine allowing Unauthorized Acc...
Feb 5th 2026
aldorizona10-glitch
•
not applicable
Denial of Service via Malformed GGUF Model Causing Memory Allocation Failure in...
Feb 5th 2026
aldorizona10-glitch
•
spam
Unbounded Image Metadata Forwarded to Pillow Causes Remote Denial-of-Service via...
Dec 28th 2025
hyperps
•
informative
High
SQL Injection via MetadataFilter.key in PGVectorStore (_build_filter_clause)
Dec 28th 2025
vitalysim
•
informative
Critical
Arbitrary File Read in llama_index via ImageDocument Setter (Bypass of CVE-2025-...
Dec 17th 2025
nigh7c0r3
•
duplicate
High
HWP Reader Decompression Bomb (Memory Exhaustion DoS)
Dec 15th 2025
bilisheep
•
informative
High
Critical RCE in LlamaIndex FAISS Vector Store via Unsafe Deserialization
Dec 9th 2025
skypher
•
duplicate
Critical
Arbitrary Code Execution (RCE) via Unsafe Pickle Deserialization in SimpleObject...
Dec 9th 2025
pygmalionsimon
•
duplicate
Critical
SQL Injection in ref_doc_id parameter
Dec 1st 2025
maticmindsecurityresearchteam
•
duplicate
Critical
LlamaIndex Repository Deserialization Vulnerabilities
Nov 23rd 2025
7908837174
•
duplicate
Critical
vector Database Poisoning via Unvalidated Embeddings
Dec 28th 2025
daridor9
•
not applicable
Remote Code Execution (RCE) via Unsafe Argument Introspection in LlamaIndex Inst...
Dec 28th 2025
hyperps1
•
informative
Critical
SQL Injection in NebulaGraph Store Allowing Complete Database Compromise
Nov 17th 2025
shawkatabdelhaq
•
self closed
Critical XXE and XML Injection Vulnerabilities in llama-index Agent Utils
Nov 17th 2025
shawkatabdelhaq
•
spam
Remote Code Execution via Unsafe Pickle Deserialization
Nov 13th 2025
mufeedvh
•
not applicable
Remote Code Execution via NumPy ctypes in PolarsInstructionParser.parse
Nov 13th 2025
mufeedvh
•
not applicable
Remote Code Execution via Unsafe Pickle Deserialization in SimpleObjectNodeMappi...
Oct 17th 2025
itsbalvant
•
not applicable
Remote Code Execution via Unsafe Pickle Deserialization in BGEM3Index (multi_emb...
Oct 17th 2025
itsbalvant
•
not applicable
Remote Code Execution via Unsafe Pickle Deserialization in 'TxtaiVectorStore'
Oct 17th 2025
itsbalvant
•
not applicable
Arbitrary Code Execution via eval() in FaissMapVectorStore id_map Loader
Oct 17th 2025
itsbalvant
•
not applicable
Insecure File Persistence in SimpleVectorStore Exposes Sensitive Data
Oct 17th 2025
0xmrniko
•
not applicable
SQL Injection in ClickHouse Vector Store Metadata Filtering
Sep 25th 2025
mysterious75
•
informative
Critical
Server-Side Request Forgery (SSRF) in LlamaIndex SimpleWebPageReader allows acce...
Sep 14th 2025
gauss-security
•
duplicate
Critical
Critical Template Injection in GitHub Actions Workflows
Sep 25th 2025
anasboulbali
•
not applicable
Path Traversal via SimpleDirectoryReader
Sep 11th 2025
choocs
•
not applicable
SQL Injection in Vector Search via Bigquery
Aug 21st 2025
faizann24
•
informative
Critical
JSON Injection Vulnerability in LlamaIndex Question Generation Module Leading to...
Aug 5th 2025
damcrazy
•
spam
Race Condition in FunctionCallingAgentWorker
Sep 11th 2025
madan301
•
informative
High
Arbitary File Read Through Path Traversal
Jul 23rd 2025
choocs
•
duplicate
High
DoS through image-URL-validation
Sep 11th 2025
patrik-ha
•
informative
High
No Check for Duplicate Entries
Sep 11th 2025
madan301
•
not applicable
No State Rollback on Partial Failure
Sep 11th 2025
madan301
•
not applicable
Command Injection Vulnerability in llama-index-tools-mcp
Aug 21st 2025
bayuncao-bit
•
informative
Critical
Silent Duplicate Dispatcher Registration Vulnerability
Sep 11th 2025
madan301
•
not applicable
Context Reset Workaround Vulnerability in Async Span Management
Sep 11th 2025
madan301
•
not applicable
Shared State Vulnerability in llama_index_instrumentation Dispatcher Due to Muta...
Sep 11th 2025
madan301
•
informative
High
Deepseek API Key Leaked on Repository
Jul 18th 2025
aydinnyunus
•
informative
Medium
SSRF VULNERABILITY REPORT - LLAMA-INDEX
Jul 16th 2025
jplopezy
•
duplicate
High
Backoff Retry Functions in run-llama/llama_index Allow Resource Exhaustion via I...
Jul 16th 2025
madan301
•
informative
Medium
World-Writable NLTK Cache Directory Enables Local Users to Tamper with or Delete...
Oct 13th 2025
madan301
•
High
•
$750
High
•
$750
•
CVE-2025-7707
CVE-2025-7707
OS Command Injection in llama-index-cli RAG Tool
Jul 4th 2025
colemurray
•
informative
High
Insecure Temporary File Handling Vulnerability in llama-index-core
Sep 27th 2025
anwarayoob
•
High
•
$750
High
•
$750
•
CVE-2025-7647
CVE-2025-7647
Pickle Deserialization Remote Code Execution in llama-index-core
Jul 16th 2025
anwarayoob
•
informative
Critical
XML Entity Expansion vulnerability in XMLReader
Jul 16th 2025
anwarayoob
•
informative
Medium
Path Traversal in `ObsidianReader`
Jun 22nd 2025
ouxs-19
•
informative
High
llama_index.readers.file.paged_csv has an arbitrary file read vulnerability
Jun 22nd 2025
chy4412312
•
informative
High
Denial of Service via UnstructuredReader split document path
Jun 22nd 2025
0xmanan
•
informative
Medium
access key leaks in [Alibaba Cloud]
Jun 22nd 2025
rashidkhanpathan
•
informative
Medium
SQL Injection in Multiple Vector Stores via Unsanitized Input in delete Method D...
Jun 22nd 2025
kunstnicht
•
informative
Critical
CQL Injection in LlamaIndex Cassandra Integration
Jun 22nd 2025
mohit121312
•
informative
Critical
XML Entity Expansion vulnerability in XMLReader
Jun 22nd 2025
makerdd
•
duplicate
High
SQL Injection in RelytVectorStore#init_index() can lead to RCE
Jun 22nd 2025
liankee
•
informative
Critical
Show more...
CRITICAL
$1500
HIGH
$750
MEDIUM
$125
LOW
$20
