Taneem Ibrahim

2 exploits Active since Aug 2025
CVE-2026-41523 WRITEUP HIGH WRITEUP
vLLM < 0.22.0 Activation Function Loading - Unauthenticated Code Execution
vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publishing a malicious HuggingFace model, when vLLM runs in Python optimized mode (python -O or PYTHONOPTIMIZE=1). This vulnerability is fixed in 0.22.0.
CVSS 7.5
CVE-2025-48956 WRITEUP HIGH WRITEUP
vLLM 0.1.0-0.10.1.0 - Unauthenticated Denial of Service via Large HTTP Header
vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.10.1.1, a Denial of Service (DoS) vulnerability can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP endpoint. This results in server memory exhaustion, potentially leading to a crash or unresponsiveness. The attack does not require authentication, making it exploitable by any remote user. This vulnerability is fixed in 0.10.1.1.
CVSS 7.5