CVE-2025-14116
MEDIUMYuxi-Know < 0.4.0 - Server-Side Request Forgery via OtherEmbedding.aencode Health URL Parameter
Title source: llmDescription
A vulnerability was detected in xerrors Yuxi-Know up to 0.4.0. This vulnerability affects the function OtherEmbedding.aencode of the file /src/models/embed.py. Performing manipulation of the argument health_url results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The patch is named 0ff771dc1933d5a6b78f804115e78a7d8625c3f3. To fix this issue, it is recommended to deploy a patch. The vendor responded with a vulnerability confirmation and a list of security measures they have established already (e.g. disabled URL parsing, disabled URL upload mode, removed URL-to-markdown conversion).
References (5)
Core 5
Core References
Permissions Required, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.334492
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.334492
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.697380
Scores
CVSS v3
4.7
EPSS
0.0022
EPSS Percentile
12.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (4)
xerrors/Yuxi-Know
0.1
xerrors/Yuxi-Know
0.2
xerrors/Yuxi-Know
0.3
xerrors/Yuxi-Know
0.4.0
Published
Dec 05, 2025
Tracked Since
Feb 18, 2026