CVE-2024-9900
MEDIUM
mudler/localai < 2.22.0 - Cross-Site Scripting in Search Functionality
Title source: llmDescription
mudler/localai version v2.21.1 contains a Cross-Site Scripting (XSS) vulnerability in its search functionality. The vulnerability arises from improper sanitization of user input, which allows the injection and execution of arbitrary JavaScript code. This can lead to the execution of malicious scripts in the context of the victim's browser, potentially compromising user sessions, stealing session cookies, redirecting users to malicious websites, or manipulating the DOM.
References (2)
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/b39cd230-db66-471b-89b9-24afaa078e68
Scores
CVSS v3
6.1
EPSS
0.0049
EPSS Percentile
38.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
mudler/localai
2.21.1
mudler/LocalAI
0 - 2.22.0
Go
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026