Description
A Local File Inclusion (LFI) vulnerability in OpenLLM version 0.6.10 allows attackers to include files from the local server through the web application. This flaw could expose internal server files and potentially sensitive information such as configuration files, passwords, and other critical data. Unauthorized access to critical server files, such as configuration files, user credentials (/etc/passwd), and private keys, can lead to a complete compromise of the system's security. Attackers could leverage the exposed information to further penetrate the network, exfiltrate data, or escalate privileges within the environment.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/b7bdc9a1-51ac-402a-8e6e-0d977699aca6
Scores
CVSS v3
6.2
EPSS
0.0070
EPSS Percentile
48.0%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-29
Status
published
Products (1)
bentoml/bentoml/openllm
unspecified - latest
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026