VYPR

PyPI package

lightrag-hku

pkg:pypi/lightrag-hku

Vulnerabilities (3)

  • CVE-2026-39413 | Med | Apr 8, 2026
    affected < 1.4.14 | fixed 1.4.14

    LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly

  • CVE-2026-30762 | High | Apr 4, 2026
    affected < 1.4.13 | fixed 1.4.13

    Subject: Security Vulnerability Report Hardcoded JWT Secret (CVE-2026-30762) Hi HKUDS team, I'm writing to report a security vulnerability I discovered in LightRAG v1.4.10. This has been assigned CVE-2026-30762 by MITRE. Vulnerability: Hardcoded JWT signing secret Type: Improp

  • CVE-2025-6773 | Med | Jun 27, 2025
    affected < 1.3.8 | fixed 1.3.8

    A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.fi