Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:pypi/vllm@0.10.0
Typepypi
Namespace
Namevllm
Version0.10.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version0.20.0
Latest_non_vulnerable_version0.20.0
Affected_by_vulnerabilities
0
url VCID-nctw-rz8h-f3af
vulnerability_id VCID-nctw-rz8h-f3af
summary vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users can crash the vLLM engine serving multimodal models that use the Idefics3 vision model implementation by sending a specially crafted 1x1 pixel image. This causes a tensor dimension mismatch that results in an unhandled runtime error, leading to complete server termination. This issue has been patched in version 0.12.0.
references
0
reference_url https://github.com/vllm-project/vllm
reference_id
reference_type
scores
url https://github.com/vllm-project/vllm
1
reference_url https://github.com/vllm-project/vllm/commit/0ec84221718d920c3f46da879cc354f94b8fb59e
reference_id
reference_type
scores
url https://github.com/vllm-project/vllm/commit/0ec84221718d920c3f46da879cc354f94b8fb59e
2
reference_url https://github.com/vllm-project/vllm/pull/29881
reference_id
reference_type
scores
url https://github.com/vllm-project/vllm/pull/29881
3
reference_url https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/vllm-project/vllm/security/advisories/GHSA-grg2-63fw-f2qr
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22773
reference_id CVE-2026-22773
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-22773
5
reference_url https://github.com/advisories/GHSA-grg2-63fw-f2qr
reference_id GHSA-grg2-63fw-f2qr
reference_type
scores
url https://github.com/advisories/GHSA-grg2-63fw-f2qr
fixed_packages
0
url pkg:pypi/vllm@0.12.0
purl pkg:pypi/vllm@0.12.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-za3a-c9m1-jqgz
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.12.0
aliases CVE-2026-22773, GHSA-grg2-63fw-f2qr, PYSEC-2026-143
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nctw-rz8h-f3af
1
url VCID-za3a-c9m1-jqgz
vulnerability_id VCID-za3a-c9m1-jqgz
summary vLLM is an inference and serving engine for large language models (LLMs). From 0.7.0 to before 0.19.0, the VideoMediaIO.load_base64() method at vllm/multimodal/media/video.py splits video/jpeg data URLs by comma to extract individual JPEG frames, but does not enforce a frame count limit. The num_frames parameter (default: 32), which is enforced by the load_bytes() code path, is completely bypassed in the video/jpeg base64 path. An attacker can send a single API request containing thousands of comma-separated base64-encoded JPEG frames, causing the server to decode all frames into memory and crash with OOM. This vulnerability is fixed in 0.19.0.
references
0
reference_url https://github.com/vllm-project/vllm/security/advisories/GHSA-pq5c-rjhq-qp7p
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
url https://github.com/vllm-project/vllm/security/advisories/GHSA-pq5c-rjhq-qp7p
fixed_packages
0
url pkg:pypi/vllm@0.19.0
purl pkg:pypi/vllm@0.19.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jzjy-kj6h-4bas
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.19.0
aliases CVE-2026-34755, GHSA-pq5c-rjhq-qp7p, PYSEC-2026-144
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-za3a-c9m1-jqgz
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:pypi/vllm@0.10.0