Logan

3 exploits Active since Jun 2025
CVE-2025-1793 CRITICAL WRITEUP
run-llama/llama_index <v0.12.21 - SQL Injection
Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application.
CVSS 9.8
CVE-2025-3044 MEDIUM WRITEUP
run-llama/llama_index <0.12.22.post1 - Info Disclosure
A vulnerability in the ArxivReader class of the run-llama/llama_index repository, versions up to v0.12.22.post1, allows for MD5 hash collisions when generating filenames for downloaded papers. This can lead to data loss as papers with identical titles but different contents may overwrite each other, preventing some papers from being processed for AI model training. The issue is resolved in version 0.12.28.
CVSS 5.3
CVE-2025-3046 HIGH WRITEUP
Llamaindex < 0.12.28 - Path Traversal
A vulnerability in the `ObsidianReader` class of the run-llama/llama_index repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. The `ObsidianReader` fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. This flaw enables attackers to place symlinks pointing to files outside the vault directory, which are then processed as valid Markdown files, potentially exposing sensitive information.
CVSS 7.5