Onyx
by Onyx Dot App
Source repositories
CVEs (9)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-32881 | Cri | 0.57 | 9.8 | 0.01 | Apr 26, 2024 | Danswer is the AI Assistant connected to company's docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer's slack bot,… | ||
| CVE-2025-7894 | Med | 0.41 | 6.3 | 0.00 | Jul 20, 2025 | A vulnerability, which was classified as critical, has been found in Onyx up to 0.29.1. This issue affects the function generate_simple_sql of the file backend/onyx/agents/agent_search/kb_search/nodes/a3_generate_simple_sql.py of the component Chat Interface. The manipulation… | ||
| CVE-2026-42277 | Med | 0.35 | 6.5 | 0.00 | May 8, 2026 | Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never… | ||
| CVE-2026-42276 | Med | 0.21 | 4.3 | 0.00 | May 8, 2026 | Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session… | ||
| CVE-2024-0113 | 0.00 | — | 0.01 | Aug 9, 2024 | NVIDIA Mellanox OS, ONYX, Skyway, and MetroX-3 XCC contain a vulnerability in the web support, where an attacker can cause a CGI path traversal by a specially crafted URI. A successful exploit of this vulnerability might lead to escalation of privileges and information… | |||
| CVE-2024-0104 | 0.00 | — | 0.00 | Aug 8, 2024 | NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in the LDAP AAA component, where a user can cause improper access. A successful exploit of this vulnerability might lead to information disclosure, data tampering, and escalation of privileges. | |||
| CVE-2024-0101 | 0.00 | — | 0.01 | Aug 8, 2024 | NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in ipfilter, where improper ipfilter definitions could enable an attacker to cause a failure by attacking the switch. A successful exploit of this vulnerability might lead to denial of service. | |||
| CVE-2023-43784 | 0.00 | — | 0.00 | Sep 22, 2023 | Plesk Onyx 17.8.11 has accessKeyId and secretAccessKey fields that are related to an Amazon AWS Firehose component. NOTE: the vendor's position is that there is no security threat. | |||
| CVE-2020-11584 | 0.00 | — | 0.01 | Aug 3, 2020 | A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter. |
- risk 0.57cvss 9.8epss 0.01
Danswer is the AI Assistant connected to company's docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer's slack bot,…
- risk 0.41cvss 6.3epss 0.00
A vulnerability, which was classified as critical, has been found in Onyx up to 0.29.1. This issue affects the function generate_simple_sql of the file backend/onyx/agents/agent_search/kb_search/nodes/a3_generate_simple_sql.py of the component Chat Interface. The manipulation…
- risk 0.35cvss 6.5epss 0.00
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the GET /chat/file/{file_id} endpoint allows any authenticated user to download any other user's uploaded files by providing the file UUID. The endpoint verifies the caller is authenticated but never…
- risk 0.21cvss 4.3epss 0.00
Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session…
- CVE-2024-0113Aug 9, 2024risk 0.00cvss —epss 0.01
NVIDIA Mellanox OS, ONYX, Skyway, and MetroX-3 XCC contain a vulnerability in the web support, where an attacker can cause a CGI path traversal by a specially crafted URI. A successful exploit of this vulnerability might lead to escalation of privileges and information…
- CVE-2024-0104Aug 8, 2024risk 0.00cvss —epss 0.00
NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in the LDAP AAA component, where a user can cause improper access. A successful exploit of this vulnerability might lead to information disclosure, data tampering, and escalation of privileges.
- CVE-2024-0101Aug 8, 2024risk 0.00cvss —epss 0.01
NVIDIA Mellanox OS, ONYX, Skyway, MetroX-2 and MetroX-3 XC contain a vulnerability in ipfilter, where improper ipfilter definitions could enable an attacker to cause a failure by attacking the switch. A successful exploit of this vulnerability might lead to denial of service.
- CVE-2023-43784Sep 22, 2023risk 0.00cvss —epss 0.00
Plesk Onyx 17.8.11 has accessKeyId and secretAccessKey fields that are related to an Amazon AWS Firehose component. NOTE: the vendor's position is that there is no security threat.
- CVE-2020-11584Aug 3, 2020risk 0.00cvss —epss 0.01
A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.