Bounties
Partners
Community
Info
run-llama / llama_index
Project repository
LlamaIndex is a data framework for your LLM applications
Submit a report
FIRST INTERACTION
WITHIN
19 DAYS
REVIEW
WITHIN
19 DAYS
FIX
WITHIN
93 DAYS
Sandbox Bypass in "safe_exec/safe_eval" Leads to Remote Code Execution
Feb 24th 2026
nakosec
•
duplicate
Critical
PandasQueryEngine Sandbox Escape via pd.io.common.os Module Attribute Traversal
Feb 21st 2026
wernerina
•
duplicate
Critical
Server-Side Request Forgery (SSRF) via Unvalidated URL in SimpleWebPageReader
Feb 20th 2026
invisiblemonsters
•
duplicate
High
Insecure Deserialization in SimpleObjectNodeMapping.from_persist_dir()
Feb 19th 2026
loris4py
•
duplicate
Critical
SQL Injection in Alibaba Cloud MySQL Vector Store via Unsanitized Metadata Filte...
Feb 19th 2026
mehmedbesim
•
duplicate
Critical
Server-Side Request Forgery (SSRF) in Multiple Web Reader Components
Feb 20th 2026
galanzi2580-wq
•
duplicate
High
Arbitrary Code Execution via Unsafe Pickle Deserialization in SimpleObjectNodeMa...
Feb 19th 2026
l1iith
•
duplicate
High
Sandbox Bypass → Remote Code Execution in `safe_eval`/`safe_exec` via `pd.io.com...
Feb 21st 2026
l1iith
•
duplicate
Critical
Sandbox Bypass
Feb 24th 2026
jeremylaratro
•
duplicate
Critical
SQL Injection in Additional Vector Stores Not Resolved by CVE-2025-1793
Feb 19th 2026
responsiblereport10
•
duplicate
Critical
SQL Injection in DB2 Vector Store via `delete()`, `query()`, and `_append_meta_f...
Feb 8th 2026
maniketabchi
•
duplicate
Critical
Remote Code Execution via Documentation-Recommended PickleSerializer in Workflow...
Feb 8th 2026
edferr
•
duplicate
Critical
PandasQueryEngine safe_exec sandbox bypass via whitelisted imports (pandas/numpy...
Feb 24th 2026
theagentknownasren-gif
•
duplicate
Critical
PandasQueryEngine safe_exec sandbox bypass via whitelisted imports (pandas/numpy...
Feb 21st 2026
theagentknownasren-gif
•
duplicate
Critical
Systemic SQL Injection in 10+ Vector Store Integrations via Unsanitized Metadata...
Feb 8th 2026
jhacksman
•
duplicate
High
LlamaIndex TextToCypherRetriever Prompt Injection leads to Cypher Injection and...
Feb 1st 2026
mia-718ai
•
duplicate
Critical
Server-Side Request Forgery (SSRF) in llama_index Download Module Allows Access...
Feb 1st 2026
mia-718ai
•
duplicate
Critical
Server Side Request Forgery in ImageNode.resolve_image() method
Jan 28th 2026
yashvardhantrip
•
duplicate
High
RCE via Pickle Deserialization in SimpleObjectNodeMapping.from_persist_dir()
Jan 28th 2026
yashvardhantrip
•
duplicate
High
Unsafe Pickle Deserialization in SimpleObjectNodeMapping Enables Remote Code Exe...
Jan 28th 2026
sanu1999
•
duplicate
High
Path Traversal via Symbolic Links in SimpleDirectoryReader Allows Arbitrary File...
Jan 28th 2026
sanu1999
•
duplicate
Medium
Remote Code Execution in SimpleObjectNodeMapping via Unsafe Pickle Deserializati...
Jan 28th 2026
mr-neutr0n
•
duplicate
Critical
Arbitrary File Write via Sandbox Bypass in PandasQueryEngine (Prompt Injection)
Feb 5th 2026
unicuervo16
•
informative
Critical
XML External Entity (XXE) Injection in DocugamiReader via Unsafe XML Parsing
Feb 5th 2026
bademeischta
•
informative
Critical
Uncontrolled Recursion in `JSONNodeParser` Leads to Stack Overflow DoS in run-ll...
Jan 9th 2026
nova-aryan
•
duplicate
High
Blind SQL Injection in NLSQLTableQueryEngine via Prompt Injection allows Databas...
Feb 5th 2026
bademeischta
•
informative
Critical
Arbitrary Argument Injection in download_integration leading to potential RCE
Feb 5th 2026
espanda666
•
informative
High
Remote Code Execution (RCE) via Indirect Prompt Injection in EvaporateExtractor
Jan 4th 2026
espanda666
•
duplicate
Critical
Remote code execution vulnerability in that bypasses code checks
Jan 4th 2026
ka7arotto
•
duplicate
Critical
Unsafe Sandbox Bypass in llama_index's safe_exec and safe_eval Functions Allows...
Dec 31st 2025
to-be-w1th0ut
•
duplicate
Critical
LlamaIndex Remote Code Execution via safe_exec + Malicious Pickle
Dec 31st 2025
to-be-w1th0ut
•
duplicate
Critical
Authorization Boundary Bypass in NLSQLTableQueryEngine allowing Unauthorized Acc...
Feb 5th 2026
aldorizona10-glitch
•
not applicable
Denial of Service via Malformed GGUF Model Causing Memory Allocation Failure in...
Feb 5th 2026
aldorizona10-glitch
•
spam
Unbounded Image Metadata Forwarded to Pillow Causes Remote Denial-of-Service via...
Dec 28th 2025
hyperps
•
informative
High
SQL Injection via MetadataFilter.key in PGVectorStore (_build_filter_clause)
Dec 28th 2025
vitalysim
•
informative
Critical
Arbitrary File Read in llama_index via ImageDocument Setter (Bypass of CVE-2025-...
Dec 17th 2025
nigh7c0r3
•
duplicate
High
HWP Reader Decompression Bomb (Memory Exhaustion DoS)
Dec 15th 2025
bilisheep
•
informative
High
Critical RCE in LlamaIndex FAISS Vector Store via Unsafe Deserialization
Dec 9th 2025
skypher
•
duplicate
Critical
Arbitrary Code Execution (RCE) via Unsafe Pickle Deserialization in SimpleObject...
Dec 9th 2025
pygmalionsimon
•
duplicate
Critical
SQL Injection in ref_doc_id parameter
Dec 1st 2025
maticmindsecurityresearchteam
•
duplicate
Critical
LlamaIndex Repository Deserialization Vulnerabilities
Nov 23rd 2025
7908837174
•
duplicate
Critical
vector Database Poisoning via Unvalidated Embeddings
Dec 28th 2025
daridor9
•
not applicable
Remote Code Execution (RCE) via Unsafe Argument Introspection in LlamaIndex Inst...
Dec 28th 2025
hyperps1
•
informative
Critical
SQL Injection in NebulaGraph Store Allowing Complete Database Compromise
Nov 17th 2025
shawkatabdelhaq
•
self closed
Critical XXE and XML Injection Vulnerabilities in llama-index Agent Utils
Nov 17th 2025
shawkatabdelhaq
•
spam
Remote Code Execution via Unsafe Pickle Deserialization
Nov 13th 2025
mufeedvh
•
not applicable
Remote Code Execution via NumPy ctypes in PolarsInstructionParser.parse
Nov 13th 2025
mufeedvh
•
not applicable
Remote Code Execution via Unsafe Pickle Deserialization in SimpleObjectNodeMappi...
Oct 17th 2025
itsbalvant
•
not applicable
Remote Code Execution via Unsafe Pickle Deserialization in BGEM3Index (multi_emb...
Oct 17th 2025
itsbalvant
•
not applicable
Remote Code Execution via Unsafe Pickle Deserialization in 'TxtaiVectorStore'
Oct 17th 2025
itsbalvant
•
not applicable
Arbitrary Code Execution via eval() in FaissMapVectorStore id_map Loader
Oct 17th 2025
itsbalvant
•
not applicable
Insecure File Persistence in SimpleVectorStore Exposes Sensitive Data
Oct 17th 2025
0xmrniko
•
not applicable
SQL Injection in ClickHouse Vector Store Metadata Filtering
Sep 25th 2025
mysterious75
•
informative
Critical
Server-Side Request Forgery (SSRF) in LlamaIndex SimpleWebPageReader allows acce...
Sep 14th 2025
gauss-security
•
duplicate
Critical
Critical Template Injection in GitHub Actions Workflows
Sep 25th 2025
anasboulbali
•
not applicable
Path Traversal via SimpleDirectoryReader
Sep 11th 2025
choocs
•
not applicable
SQL Injection in Vector Search via Bigquery
Aug 21st 2025
faizann24
•
informative
Critical
JSON Injection Vulnerability in LlamaIndex Question Generation Module Leading to...
Aug 5th 2025
damcrazy
•
spam
Race Condition in FunctionCallingAgentWorker
Sep 11th 2025
madan301
•
informative
High
Arbitary File Read Through Path Traversal
Jul 23rd 2025
choocs
•
duplicate
High
DoS through image-URL-validation
Sep 11th 2025
patrik-ha
•
informative
High
No Check for Duplicate Entries
Sep 11th 2025
madan301
•
not applicable
No State Rollback on Partial Failure
Sep 11th 2025
madan301
•
not applicable
Command Injection Vulnerability in llama-index-tools-mcp
Aug 21st 2025
bayuncao-bit
•
informative
Critical
Silent Duplicate Dispatcher Registration Vulnerability
Sep 11th 2025
madan301
•
not applicable
Context Reset Workaround Vulnerability in Async Span Management
Sep 11th 2025
madan301
•
not applicable
Shared State Vulnerability in llama_index_instrumentation Dispatcher Due to Muta...
Sep 11th 2025
madan301
•
informative
High
Deepseek API Key Leaked on Repository
Jul 18th 2025
aydinnyunus
•
informative
Medium
SSRF VULNERABILITY REPORT - LLAMA-INDEX
Jul 16th 2025
jplopezy
•
duplicate
High
Backoff Retry Functions in run-llama/llama_index Allow Resource Exhaustion via I...
Jul 16th 2025
madan301
•
informative
Medium
World-Writable NLTK Cache Directory Enables Local Users to Tamper with or Delete...
Oct 13th 2025
madan301
•
High
•
$750
High
•
$750
•
CVE-2025-7707
CVE-2025-7707
OS Command Injection in llama-index-cli RAG Tool
Jul 4th 2025
colemurray
•
informative
High
Insecure Temporary File Handling Vulnerability in llama-index-core
Sep 27th 2025
anwarayoob
•
High
•
$750
High
•
$750
•
CVE-2025-7647
CVE-2025-7647
Pickle Deserialization Remote Code Execution in llama-index-core
Jul 16th 2025
anwarayoob
•
informative
Critical
XML Entity Expansion vulnerability in XMLReader
Jul 16th 2025
anwarayoob
•
informative
Medium
Path Traversal in `ObsidianReader`
Jun 22nd 2025
ouxs-19
•
informative
High
llama_index.readers.file.paged_csv has an arbitrary file read vulnerability
Jun 22nd 2025
chy4412312
•
informative
High
Denial of Service via UnstructuredReader split document path
Jun 22nd 2025
0xmanan
•
informative
Medium
access key leaks in [Alibaba Cloud]
Jun 22nd 2025
rashidkhanpathan
•
informative
Medium
SQL Injection in Multiple Vector Stores via Unsanitized Input in delete Method D...
Jun 22nd 2025
kunstnicht
•
informative
Critical
CQL Injection in LlamaIndex Cassandra Integration
Jun 22nd 2025
mohit121312
•
informative
Critical
XML Entity Expansion vulnerability in XMLReader
Jun 22nd 2025
makerdd
•
duplicate
High
SQL Injection in RelytVectorStore#init_index() can lead to RCE
Jun 22nd 2025
liankee
•
informative
Critical
llama-index-readers-file has a billion-laugh vulnerability
Jun 22nd 2025
chy4412312
•
duplicate
High
File URI Access in LlamaIndex `StripeDocsReader`
Jun 22nd 2025
ready-research
•
informative
High
Path Traversal via Symbolic Links in `MarkItDownReader` in run-llama/llama_index
Jun 22nd 2025
ready-research
•
informative
High
XML Entity Expansion vulnerability in XMLReader load_data
Jun 22nd 2025
meme-dm
•
duplicate
High
SQL Injection in OceanBaseVectorStore via delete()
Jun 22nd 2025
cyjhhh
•
informative
Critical
SSRF via AsyncWebPageReader with Unvalidated Sitemap Input
Jun 22nd 2025
sandeepl337
•
informative
High
XML Entity Expansion vulnerability in XMLReader parser in run-llama/llama_index
Jun 22nd 2025
ready-research
•
duplicate
Critical
Arbitrary File Read via Crated Node in JaguarVectorStore add
Jun 22nd 2025
pricx
•
informative
Critical
Arbitrary Code Execution via Malicious Module Resolution in LlamaIndex Workflow...
Jun 22nd 2025
0xmrniko
•
informative
Critical
SQL Cypher Injection in graphstore and potential RCE via prompt injection
Jun 22nd 2025
pricx
•
informative
Critical
File Bomb / CPU Exhaust
Jun 22nd 2025
pricx
•
informative
High
SSRF in llama_index.core.schema.ImageDocument
Jun 9th 2025
lonelyuan
•
not applicable
Cypher Injection via llama_index.tools.neo4j
Jun 22nd 2025
zpbrent
•
informative
High
SQL Injection via load_data(query: str) in llama_index.tools.database
Jun 22nd 2025
zpbrent
•
informative
Critical
Browser-based SSRF via llama-index-tools-playwright
Jun 22nd 2025
zpbrent
•
informative
Critical
Vulnerability Report: Arbitrary Code Execution
Jun 22nd 2025
mohit121312
•
informative
Critical
Cypher Injection in FalkorDBPropertyGraphStore via get_triplets can lead to LFI,...
Jun 22nd 2025
polaris-snowfall
•
informative
High
Denial of Service(DOS) in SimpleFileNodeParser(llama_index_core)
Jun 22nd 2025
winters0x64
•
informative
High
Denial of Service(DOS) in XMLReader
Jun 22nd 2025
winters0x64
•
informative
High
Denial of Service(DOS) in SitemapReader while parsing nested html elements
Jun 22nd 2025
winters0x64
•
informative
High
Uncontrolled recursion which leads to Denial Of Service
Aug 28th 2025
winters0x64
•
duplicate
High
llama-index-readers-pandas-ai can trigger RCE through conversation
Jun 5th 2025
bacmiao
•
not applicable
Denial of Service(DOS) in JSONReader
Aug 25th 2025
winters0x64
•
High
•
$750
High
•
$750
•
CVE-2025-5302
CVE-2025-5302
Denial of Service(DOS) in KnowledgeBaseWebReader in run-llama/llama_index
Jun 22nd 2025
ready-research
•
informative
High
Bypass lastest patched: Extract all data from OracleDB via SQL injection
Jun 22nd 2025
m4dn355
•
informative
High
SQL Injection in SingleStoreReader
Jun 22nd 2025
hatlesswizard
•
informative
Critical
Prompt Injection trought Metadata leads to Arbitrary file read
Jun 5th 2025
hatlesswizard
•
informative
High
Arbitrary Code Execution via Unsafe pickle.load() in SimpleObjectNodeMapping.fro...
Jun 22nd 2025
michaelpierre
•
duplicate
High
Arbitrary Code Execution via Unsafe Pickle Deserialization in `TxtaiVectorStore`
Jun 22nd 2025
0xmanan
•
informative
High
Unsafe Deserialization in `SimpleObjectNodeMapping` Enables Arbitrary Code Execu...
Jun 22nd 2025
0xmrniko
•
informative
Critical
Missing Query Validation in Hive – Enables Data Deletion, Insertion, RCE and Mor...
Jun 17th 2025
freedom-of-the-mind
•
informative
Critical
Code injection in safe_exec
Jun 5th 2025
ehtec
•
informative
Critical
Hash Collision in `SimpleObjectNodeMapping` via Python `hash()` Causing Silent D...
Jun 5th 2025
0xmrniko
•
not applicable
MD5 Hash Collision in DocugamiReader Overwrites Structurally Distinct Chunks wit...
Jul 10th 2025
freedom-of-the-mind
•
Medium
•
$125
Medium
•
$125
•
CVE-2025-6211
CVE-2025-6211
Denial of Service via `Uncontrolled Recursive` JSON Parsing in `JSONReader`
Jul 2nd 2025
0xmrniko
•
Medium
•
$125
Medium
•
$125
•
CVE-2025-5472
CVE-2025-5472
Hardlink-Based Path Traversal in ObsidianReader
Jun 30th 2025
0xmanan
•
Medium
•
$125
Medium
•
$125
•
CVE-2025-6210
CVE-2025-6210
Arbitary file read through path traversal
Jul 7th 2025
0xmanan
•
High
•
$750
High
•
$750
•
CVE-2025-6209
CVE-2025-6209
Unsafe `Deserialization` in `JsonPickleSerializer` Enables Remote Code Execution
Jul 6th 2025
0xmrniko
•
Medium
•
$125
Medium
•
$125
•
CVE-2025-3108
CVE-2025-3108
Code Execution via Untrusted Query Transform
Mar 28th 2025
cyfra07
•
not applicable
LlamaIndex Core - RCE via CustomQueryEngine subclass abuse
Mar 28th 2025
cyfra07
•
not applicable
SSRF via `unvalidated webhook_url`
Mar 31st 2025
0xmanan
•
not applicable
Path Traversal via Symbolic Links in `ObsidianReader`
Jun 10th 2025
0xmrniko
•
High
•
$750
High
•
$750
•
CVE-2025-3046
CVE-2025-3046
Uncontrolled Memory Consumption in `SimpleDirectoryReader` Due to Post-Limit Fil...
Jun 16th 2025
0xmrniko
•
Medium
•
$125
Medium
•
$125
•
CVE-2025-6208
CVE-2025-6208
SQL Injection Vulnerability in Jaguar Database Leading to Complete Data Deletion
Jun 6th 2025
khanhd192
•
duplicate
High
MD5 Hash Collision Causes Overwriting of Papers with the Same Title, Leading to...
Jun 5th 2025
freedom-of-the-mind
•
Medium
•
$125
Medium
•
$125
•
CVE-2025-3044
CVE-2025-3044
SSRF via Simple Web scraper in llama_index.readers.web
Mar 31st 2025
khanhd192
•
not applicable
SQL injection in OracleDB via drop_table_purge function can extract all data fro...
Jun 3rd 2025
m4dn355
•
duplicate
High
Show more...
CRITICAL
$1500
HIGH
$750
MEDIUM
$125
LOW
$20