Kotaemon
by Cinnamon
CVEs (4)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-53358 | | Med | 0.35 | 6.5 | 0.00 | | Jul 2, 2025 | kotaemon is an open-source RAG-based tool for document comprehension. From versions 0.10.6 and prior, in libs/ktem/ktem/index/file/ui.py, the index_fn method accepts both URLs and local file paths without validation. The pipeline streams these paths directly and stores them,… |
| CVE-2025-63914 | | | 0.00 | — | 0.00 | | Nov 24, 2025 | An issue was discovered in Cinnamon kotaemon 0.11.0. The _may_extract_zip function in the \libs\ktem\ktem\index\file\ui.py file does not check the contents of uploaded ZIP files. Although the contents are extracted into a temporary folder that is cleared before each extraction,… |
| CVE-2025-56526 | | | 0.00 | — | 0.00 | | Nov 18, 2025 | Cross site scripting (XSS) vulnerability in Kotaemon 0.11.0 allowing attackers to execute arbitrary code via a crafted PDF. |
| CVE-2025-56527 | | | 0.00 | — | 0.00 | | Nov 18, 2025 | Plaintext password storage in Kotaemon 0.11.0 in the client's localStorage. |