VYPR

Kotaemon

by Cinnamon


CVEs (4)

  • CVE-2025-53358 | Med | Jul 2, 2025
    risk 0.35 | cvss 6.5 | epss 0.00

    kotaemon is an open-source RAG-based tool for document comprehension. In versions 0.10.6 and prior, the index_fn method in libs/ktem/ktem/index/file/ui.py accepts both URLs and local file paths without validation. The pipeline streams these paths directly and stores them,…

  • CVE-2025-63914 | Nov 24, 2025
    risk 0.00 | cvss (not listed) | epss 0.00

    An issue was discovered in Cinnamon kotaemon 0.11.0. The _may_extract_zip function in the \libs\ktem\ktem\index\file\ui.py file does not check the contents of uploaded ZIP files. Although the contents are extracted into a temporary folder that is cleared before each extraction,…

  • CVE-2025-56526 | Nov 18, 2025
    risk 0.00 | cvss (not listed) | epss 0.00

    Cross-site scripting (XSS) vulnerability in Kotaemon 0.11.0 allowing attackers to execute arbitrary code via a crafted PDF.

  • CVE-2025-56527 | Nov 18, 2025
    risk 0.00 | cvss (not listed) | epss 0.00

    Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage.