Khoi-Nguyen Nguyen-Ngoc

3 exploits, active since Jul 2025

CVE-2025-56526 (Medium) - Writeup
Cinnamon Kotaemon < 0.11.0 - XSS
Cross site scripting (XSS) vulnerability in Kotaemon 0.11.0 allowing attackers to execute arbitrary code via a crafted PDF.
CVSS 6.1
CVE-2025-56527 (High) - Writeup
Kotaemon 0.11.0 - Info Disclosure
Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage.
CVSS 7.5
CVE-2025-53358 (Medium) - Writeup
kotaemon <0.10.6 - Path Traversal
kotaemon is an open-source RAG-based tool for document comprehension. In versions 0.10.6 and prior, in libs/ktem/ktem/index/file/ui.py, the index_fn method accepts both URLs and local file paths without validation. The pipeline streams these paths directly and stores them, enabling attackers to traverse directories (e.g. ../../../../../.env) and exfiltrate sensitive files. This issue has been patched via commit 37cdc28, in version 0.10.7, which had not been made public at the time of publication.
CVSS 6.5