VYPR
High severity7.5NVD Advisory· Published Apr 20, 2026· Updated Apr 23, 2026

CVE-2026-33626

CVE-2026-33626

Description

LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's vision-language module. The load_image() function in lmdeploy/vl/utils.py fetches arbitrary URLs without validating internal/private IP addresses, allowing attackers to access cloud metadata services, internal networks, and sensitive resources. Version 0.12.3 patches the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
lmdeployPyPI
<= 0.12.2

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

4