VYPR
Vendor

Danswer AI

Products
1
CVEs
10
Across products
10
Status
Private

Products

1

Recent CVEs

10
  • CVE-2024-7957CriMar 20, 2025
    risk 0.59cvss 9.1epss 0.01

    An arbitrary file overwrite vulnerability exists in the ZulipConnector of danswer-ai/danswer, affecting the latest version. The vulnerability arises from the load_credentials method, where user-controlled input for realm_name and zuliprc_content is used to construct file paths…

  • CVE-2024-8065HigMar 20, 2025
    risk 0.53cvss 8.1epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability in version v1.4.1 of danswer-ai/danswer allows attackers to perform unauthorized actions in the context of the victim's browser. This includes connecting the victim's application with a malicious Slack Bot, inviting users, and…

  • CVE-2025-0182HigMar 20, 2025
    risk 0.49cvss 7.5epss 0.01

    A vulnerability in danswer-ai/danswer version 0.9.0 allows for denial of service through memory exhaustion. The issue arises from the use of a vulnerable version of the starlette package (<=0.49) via fastapi, which was patched in fastapi version 0.115.3. The vulnerability can be…

  • CVE-2024-8028HigMar 20, 2025
    risk 0.49cvss 7.5epss 0.00

    A vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to cause a Denial of Service (DoS) by uploading a file with a malformed multipart boundary. By appending a large number of characters to the end of the multipart boundary, the server continuously processes each…

  • CVE-2024-7779HigMar 20, 2025
    risk 0.49cvss 7.5epss 0.01

    A vulnerability in danswer-ai/danswer version 1 allows an attacker to perform a Regular Expression Denial of Service (ReDoS) by manipulating regular expressions. This can significantly slow down the application's response time and potentially render it completely unusable.

  • CVE-2024-7819HigMar 20, 2025
    risk 0.48cvss 7.4epss 0.00

    A CORS misconfiguration in danswer-ai/danswer v1.4.1 allows attackers to steal sensitive information such as chat contents, API keys, and other data. This vulnerability occurs due to improper validation of the origin header, enabling malicious web pages to make unauthorized…

  • CVE-2024-9617MedMar 20, 2025
    risk 0.43cvss 6.5epss 0.02

    An IDOR vulnerability in danswer-ai/danswer v0.3.94 allows an attacker to view any files. The application does not verify whether the attacker is the creator of the file, allowing the attacker to directly call the GET /api/chat/file/{file_id} interface to view any user's file.

  • CVE-2024-8057MedMar 20, 2025
    risk 0.28cvss 4.3epss 0.00

    In version 0.4.1 of danswer-ai/danswer, a vulnerability exists where a basic user can create credentials and link them to an existing connector. This issue arises because the system allows an unauthenticated attacker to sign up with a basic account and perform actions that…

  • CVE-2024-7767Mar 20, 2025
    risk 0.00cvss epss 0.01

    An improper access control vulnerability exists in danswer-ai/danswer version v0.3.94. This vulnerability allows the first user created in the system to view, modify, and delete chats created by an Admin. This can lead to unauthorized access to sensitive information, loss of…

  • CVE-2024-9612Mar 20, 2025
    risk 0.00cvss epss 0.01

    In danswer-ai/danswer v0.3.94, administrators can set the visibility of pages within a workspace, including the search page. When the search page is set to be invisible, regular users cannot view the search page or access its functionalities from the front-end interface.…