Bounties
Partners
Community
Info
run-llama / llama_index
Project repository
LlamaIndex is a data framework for your LLM applications
Submit a report
FIRST INTERACTION
WITHIN
16 DAYS
REVIEW
WITHIN
16 DAYS
FIX
WITHIN
N/A DAYS
SSRF via unvalidated image URL fetching in core schema classes
Mar 29th 2026
pulkit7070
•
duplicate
High
Sandbox Escape via Shallow AST Import Check in PandasQueryEngine exec_utils.py
Mar 29th 2026
hacnho
•
duplicate
High
SSRF via unvalidated image_url in multi-modal LLM generic_utils and schema
Mar 29th 2026
tranhoangtu-it
•
duplicate
Critical
Unauthenticated RCE via Path Traversal in download_dataset_and_source_files
Mar 27th 2026
jdp-security
•
not applicable
Arbitrary Code Execution (RCE) via Sandbox Bypass in LlamaIndex (PandasQueryEngi...
Mar 26th 2026
catalyzer9867
•
duplicate
Critical
Supply Chain RCE via Unsanitized pip install in download_integration()
Mar 26th 2026
jdhart81
•
duplicate
Critical
SSRF in llama_index: ImageNode.resolve_image() and 5 other code paths fetch arbi...
Mar 26th 2026
caoxuyang
•
duplicate
High
SSRF via Unvalidated Image URLs in Multi-Modal Document Schema and LLM Utils
Mar 26th 2026
nhomyk
•
duplicate
High
SQL Injection in llama-index-vector-stores-db2 and llama-index-vector-stores-cou...
Mar 19th 2026
ar03
•
duplicate
Critical
Arbitrary code execution via unsanitized llama_hub_url in download_llama_module(...
Mar 19th 2026
rishavkumarthapa01-sketch
•
duplicate
High
Sandbox Escape via Nested Import Bypass and Missing __builtins__ Restriction in...
Mar 17th 2026
phenggeler
•
duplicate
None
Arbitrary Code Execution via Pickle Deserialization in EmbeddedTablesUnstructure...
Mar 17th 2026
manja316
•
duplicate
Critical
Unsafe pickle.load() in BGEM3Index.load_from_disk() Enables RCE via Malicious In...
Mar 18th 2026
odysseypro25-project
•
self closed
Unsafe pickle deserialization in EmbeddedTablesUnstructuredRetrieverPack leads t...
Mar 17th 2026
narrator3333-hash
•
duplicate
Critical
SQL Injection via Unparameterized f-string Query Construction in Multiple Vector...
Mar 19th 2026
elucidator-hky
•
duplicate
High
Server-Side Request Forgery (SSRF) in Core Schema and Multiple Web Readers Due t...
Mar 16th 2026
elucidator-hky
•
self closed
Arbitrary code execution via unsafe pickle.load() and torch.load() in multiple L...
Mar 16th 2026
elucidator-hky
•
self closed
LlamaIndex: exec() Code Execution with Bypassable Sandbox in Evaporate Extractor
Mar 9th 2026
iamveene
•
self closed
LlamaIndex: SSRF via SimpleWebPageReader -- No URL Validation or Private IP Bloc...
Mar 9th 2026
iamveene
•
self closed
LlamaIndex: RAG Indirect Prompt Injection via Unsanitized Document Context Inser...
Mar 9th 2026
iamveene
•
self closed
LlamaIndex: Supply Chain RCE via download_llama_module Without Integrity Verific...
Mar 26th 2026
iamveene
•
duplicate
High
Unprotected pickle.load() in 5 Locations Across 4 LlamaIndex Integration Package...
Mar 9th 2026
iamveene
•
self closed
Sandbox escape in exec_utils allows arbitrary command execution
Mar 8th 2026
vnykmshr
•
duplicate
Critical
Sandbox Bypass in safe_exec / safe_eval leading to Remote Code Execution (RCE) v...
Mar 7th 2026
amitzalman
•
duplicate
Critical
Sandbox Escape via AST Bypass and __builtins__ Injection in safe_exec leads to R...
Mar 6th 2026
uchiha100x
•
self closed
SQL Injection via MetadataFilter key/value in 7 Vector Store query() Paths (Mari...
Mar 5th 2026
d3banjan
•
self closed
NoSQL Injection in AzureCosmosDBNoSqlVectorSearch `delete()` and `_query()` Meth...
Mar 6th 2026
hiyokosauna37
•
self closed
Sandbox Escape in Evaporate Extractor via chr()+operator.attrgetter — Remote Cod...
Mar 5th 2026
apeiria-zero
•
duplicate
Critical
AST Sandbox Bypass via eval/exec string literals in _validate_generated_code() l...
Mar 4th 2026
erc840902
•
duplicate
Critical
Unsafe pickle.load() in SimpleObjectNodeMapping.from_persist_dir() enables arbit...
Mar 3rd 2026
sinhsinhan
•
duplicate
Critical
LlamaIndex SSRF via Unvalidated Image URL Fetching in LanceDB Integration - Acce...
Mar 3rd 2026
avienma007
•
duplicate
Critical
Unsafe Pickle Deserialization in Object Node Mapping Achieves RCE
Feb 27th 2026
jeremysommerfeld8910-cpu
•
duplicate
High
Sandbox Escape via operator.attrgetter in Evaporate Extractor Achieves RCE
Mar 5th 2026
jeremysommerfeld8910-cpu
•
duplicate
Critical
Sandbox Bypass in "safe_exec/safe_eval" Leads to Remote Code Execution
Feb 24th 2026
nakosec
•
duplicate
Critical
SSRF via Unvalidated URL in `LanceDBRetriever` Multimodal Query Functions (`quer...
Mar 3rd 2026
soze-ki
•
duplicate
High
PandasQueryEngine Sandbox Escape via pd.io.common.os Module Attribute Traversal
Feb 21st 2026
wernerina
•
duplicate
Critical
Server-Side Request Forgery (SSRF) via Unvalidated URL in SimpleWebPageReader
Feb 20th 2026
invisiblemonsters
•
duplicate
High
Insecure Deserialization in SimpleObjectNodeMapping.from_persist_dir()
Feb 19th 2026
loris4py
•
duplicate
Critical
SQL Injection in Alibaba Cloud MySQL Vector Store via Unsanitized Metadata Filte...
Feb 19th 2026
mehmedbesim
•
duplicate
Critical
Sandbox Escape via operator.attrgetter in EvaporateExtractor
Apr 7th 2026
optimus-fulcria
•
informative
High
SQL Injection in PGVectorStore _build_filter_clause via unsanitized MetadataFilt...
Apr 7th 2026
shima-coder
•
informative
Critical
Incomplete Fix for CVE-2025-5302: Uncontrolled Recursion in JSONNodeParser
Mar 30th 2026
gigafyde
•
informative
Medium
Arbitrary Credential Leakage via SSRF in JiraReader (`llama-index-readers-jira`)
Mar 28th 2026
catalyzer9867
•
informative
Critical
Server-Side Request Forgery (SSRF) via ChatMessage legacy image validation
Mar 28th 2026
edferr
•
informative
High
Server-Side Request Forgery (SSRF) in Multiple Web Reader Components
Feb 20th 2026
galanzi2580-wq
•
duplicate
High
Remote Code Execution (RCE) via Prompt Injection in LlamaIndex Tool Call Executi...
Mar 28th 2026
sebas5207418
•
informative
Critical
Remote Code Execution via Insecure Integration in `UnstructuredReader`
Mar 28th 2026
edferr
•
informative
Critical
Arbitrary Code Execution via Unsafe Pickle Deserialization in SimpleObjectNodeMa...
Feb 19th 2026
l1iith
•
duplicate
High
Sandbox Bypass → Remote Code Execution in `safe_eval`/`safe_exec` via `pd.io.com...
Feb 21st 2026
l1iith
•
duplicate
Critical
SQL Injection in DB2 Vector Store `delete()`, `query()`, and metadata filter met...
Mar 19th 2026
l1iith
•
duplicate
Critical
NoSQL Injection in Azure CosmosDB NoSQL Vector Store delete() and query() method...
Mar 28th 2026
l1iith
•
informative
Critical
FaissMapVectorStore.from_persist_path() uses eval() on data file enabling arbitr...
Mar 28th 2026
jeremylaratro
•
duplicate
High
Sandbox Bypass
Feb 24th 2026
jeremylaratro
•
duplicate
Critical
SQL++ Injection in CouchbaseQueryVectorStore via Unescaped MetadataFilter Values...
Mar 28th 2026
edferr
•
informative
Critical
SQL Injection in Additional Vector Stores Not Resolved by CVE-2025-1793
Feb 19th 2026
responsiblereport10
•
duplicate
Critical
Improper Link Resolution Before File Access in llama-index-readers-file class `...
Mar 27th 2026
shangzhixu
•
informative
High
SQL Injection in DB2 Vector Store via `delete()`, `query()`, and `_append_meta_f...
Feb 8th 2026
maniketabchi
•
duplicate
Critical
Remote Code Execution via Documentation-Recommended PickleSerializer in Workflow...
Feb 8th 2026
edferr
•
duplicate
Critical
ML Model Exfiltration via Confused Deputy Deserialization in Workflows
Mar 27th 2026
edferr
•
informative
High
Path Traversal + Pickle Deserialization RCE in llama-index-packs-panel-chatbot
Mar 27th 2026
vulnhunter505
•
not applicable
DocugamiReader XXE via lxml.etree.parse() without secure parser
Mar 27th 2026
responsiblereport10
•
not applicable
Bypass of CVE-2024-003 Sandbox Logic in safe_eval
Mar 3rd 2026
anandppatil
•
duplicate
Critical
Critical Indirect Prompt Injection in MultiStepQueryEngine via Metadata Hijackin...
Mar 27th 2026
dascreed2
•
not applicable
Remote Code Execution via eval() in FaissMapVectorStore.from_persist_path()
Mar 27th 2026
222n5
•
not applicable
PandasQueryEngine safe_exec sandbox bypass via whitelisted imports (pandas/numpy...
Feb 24th 2026
theagentknownasren-gif
•
duplicate
Critical
PandasQueryEngine safe_exec sandbox bypass via whitelisted imports (pandas/numpy...
Feb 21st 2026
theagentknownasren-gif
•
duplicate
Critical
Systemic SQL Injection in 10+ Vector Store Integrations via Unsanitized Metadata...
Feb 8th 2026
jhacksman
•
duplicate
High
LlamaIndex TextToCypherRetriever Prompt Injection leads to Cypher Injection and...
Feb 1st 2026
mia-718ai
•
duplicate
Critical
Arbitrary Code Execution in download_llama_module() via Unverified Remote Code D...
Mar 11th 2026
mia-718ai
•
informative
High
JSONReader.load_data() Arbitrary File Read via Path Traversal (CWE-22)
Mar 11th 2026
mia-718ai
•
informative
High
Server-Side Request Forgery (SSRF) in llama_index Download Module Allows Access...
Feb 1st 2026
mia-718ai
•
duplicate
Critical
SQL Injection in SQLRetriever.retrieve_with_metadata() allows arbitrary database...
Mar 6th 2026
mia-718ai
•
informative
Critical
Server Side Request Forgery in ImageNode.resolve_image() method
Mar 6th 2026
yashvardhantrip
•
informative
High
Sandbox Bypass via pandas.read_pickle() leads to Remote Code Execution
Mar 3rd 2026
yashvardhantrip
•
informative
High
Server Side Request Forgery in ImageNode.resolve_image() method
Jan 28th 2026
yashvardhantrip
•
duplicate
High
Show more...
CRITICAL
$1500
HIGH
$750
MEDIUM
$125
LOW
$20
