Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/llama-index@0.10.9
Type pypi
Namespace
Name llama-index
Version 0.10.9
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 0.12.9
Latest_non_vulnerable_version 0.13.0
Affected_by_vulnerabilities
0
url VCID-87xp-zjvx-h3gz
vulnerability_id VCID-87xp-zjvx-h3gz
summary LlamaIndex (run-llama/llama_index) versions up to and including 0.11.6 contain an unsafe deserialization vulnerability in BGEM3Index.load_from_disk() in llama_index/indices/managed/bge_m3/base.py. The function uses pickle.load() to deserialize multi_embed_store.pkl from a user-supplied persist_dir without validation. An attacker who can provide a crafted persist directory containing a malicious pickle file can trigger arbitrary code execution when the victim loads the index from disk.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-14021
reference_id
reference_type
scores
0
value 0.00171
scoring_system epss
scoring_elements 0.38043
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-14021
1
reference_url https://github.com/run-llama/llama_index
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://github.com/run-llama/llama_index
2
reference_url https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://huntr.com/bounties/ab4ceeb4-aa85-4d1c-aaca-4eda1b71fc12
3
reference_url https://www.llamaindex.ai/
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://www.llamaindex.ai/
4
reference_url https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://www.vulncheck.com/advisories/llamaindex-bgem3index-unsafe-deserialization
fixed_packages
0
url pkg:pypi/llama-index@0.11.7
purl pkg:pypi/llama-index@0.11.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9wyc-qhrw-jugv
1
vulnerability VCID-s83c-jsfw-nfg5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.11.7
aliases CVE-2024-14021, PYSEC-2026-85
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-87xp-zjvx-h3gz
1
url VCID-9wyc-qhrw-jugv
vulnerability_id VCID-9wyc-qhrw-jugv
summary LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits. In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-58339
reference_id
reference_type
scores
0
value 0.00159
scoring_system epss
scoring_elements 0.36464
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-58339
1
reference_url https://github.com/run-llama/llama_index
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/run-llama/llama_index
2
reference_url https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f
3
reference_url https://www.llamaindex.ai/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://www.llamaindex.ai/
4
reference_url https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion
fixed_packages
0
url pkg:pypi/llama-index@0.12.3
purl pkg:pypi/llama-index@0.12.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-s83c-jsfw-nfg5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.3
aliases CVE-2024-58339, PYSEC-2026-86
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9wyc-qhrw-jugv
2
url VCID-q77g-pdfy-rfdc
vulnerability_id VCID-q77g-pdfy-rfdc
summary An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-45201
reference_id
reference_type
scores
0
value 0.00212
scoring_system epss
scoring_elements 0.43724
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-45201
1
reference_url https://github.com/run-llama/llama_index/compare/v0.10.37...v0.10.38
reference_id
reference_type
scores
url https://github.com/run-llama/llama_index/compare/v0.10.37...v0.10.38
2
reference_url https://github.com/run-llama/llama_index/pull/13523
reference_id
reference_type
scores
url https://github.com/run-llama/llama_index/pull/13523
fixed_packages
0
url pkg:pypi/llama-index@0.10.38
purl pkg:pypi/llama-index@0.10.38
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-87xp-zjvx-h3gz
1
vulnerability VCID-9wyc-qhrw-jugv
2
vulnerability VCID-s83c-jsfw-nfg5
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.10.38
aliases CVE-2024-45201, PYSEC-2024-192
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q77g-pdfy-rfdc
3
url VCID-s83c-jsfw-nfg5
vulnerability_id VCID-s83c-jsfw-nfg5
summary A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the `get_article_urls` method, exhausting system resources and potentially crashing the application.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-12910
reference_id
reference_type
scores
0
value 0.00351
scoring_system epss
scoring_elements 0.57788
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-12910
1
reference_url https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9
2
reference_url https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8
fixed_packages
0
url pkg:pypi/llama-index@0.12.9
purl pkg:pypi/llama-index@0.12.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.9
aliases CVE-2024-12910, PYSEC-2025-11
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s83c-jsfw-nfg5
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.10.9