CVE-2026-25211
LOWllama-stack < 0.4.0rc3 - Sensitive Information Exposure in Initialization Log
Title source: llmExploitation Summary
EIP tracks 2 public exploits for CVE-2026-25211. PoCs published by XiaomingX, mbanyamer.
AI-analyzed exploit summary This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes automated data extraction for admin credentials and hashes.
Description
Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log.
Exploits (2)
This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes automated data extraction for admin credentials and hashes.
This PoC demonstrates a local information leak vulnerability (CVE-2026-25211) in llama-stack versions < 0.4.0rc3, where PostgreSQL database passwords are logged in plaintext during initialization. The script scans common log file locations for exposed credentials using regex patterns.
References (2)
Scores
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N