Description
Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement. This does not affect `agnai.chat`, installations using S3-compatible storage, or self-hosting that is not publicly exposed. Version 1.0.330 fixes this vulnerability.
References (3)
Scores
CVSS v3
4.3
EPSS
0.0037
EPSS Percentile
58.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
CWE-35
Status
published
Products (2)
agnai/agnai
< 1.0.330
npm/agnai
0 - 1.0.330npm
Published
Sep 26, 2024
Tracked Since
Feb 18, 2026