Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/llama-index@0.11.11

Type pypi

Namespace

Name llama-index

Version 0.11.11

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.13.0

Latest_non_vulnerable_version 0.13.0

Affected_by_vulnerabilities

url VCID-42vx-wn51-qyhn

vulnerability_id VCID-42vx-wn51-qyhn

summary A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is fixed in version 0.3.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-12909

reference_id

reference_type

scores

value	0.0413
scoring_system	epss
scoring_elements	0.88891
published_at	2026-06-11T12:55:00Z

value	0.0413
scoring_system	epss
scoring_elements	0.88929
published_at	2026-06-12T12:55:00Z

value	0.0413
scoring_system	epss
scoring_elements	0.88935
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-12909

reference_url

https://github.com/run-llama/llama_index/tree/stale_packages/llama-index-packs/llama-index-packs-finchat

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/run-llama/llama_index/tree/stale_packages/llama-index-packs/llama-index-packs-finchat

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-12909

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-12909

reference_url

https://huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e313a3f

reference_id

44e8177f-200a-4ba3-a12c-8bc21e313a3f

reference_type

scores

value	10
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:51:29Z/

url

https://huntr.com/bounties/44e8177f-200a-4ba3-a12c-8bc21e313a3f

reference_url

https://github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75

reference_id

5d03c175476452db9b8abcdb7d5767dd7b310a75

reference_type

scores

value	10
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:51:29Z/

url

https://github.com/run-llama/llama_index/commit/5d03c175476452db9b8abcdb7d5767dd7b310a75

reference_url

https://github.com/advisories/GHSA-x48g-hm9c-ww42

reference_id

GHSA-x48g-hm9c-ww42

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-x48g-hm9c-ww42

fixed_packages

url pkg:pypi/llama-index@0.12.4

purl pkg:pypi/llama-index@0.12.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ceq2-zgaf-4khp

vulnerability	VCID-kdxg-cepu-k7c6

vulnerability	VCID-kef8-9x8x-7qbf

vulnerability	VCID-kuwz-n7tn-v3f6

vulnerability	VCID-uxre-3rx7-1ffw

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.4

aliases CVE-2024-12909, GHSA-x48g-hm9c-ww42

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-42vx-wn51-qyhn

url VCID-4gnz-yvuj-j7b9

vulnerability_id VCID-4gnz-yvuj-j7b9

summary LlamaIndex (run-llama/llama_index) versions up to and including 0.12.2 contain an uncontrolled resource consumption vulnerability in the VannaPack VannaQueryEngine implementation. The custom_query() logic generates SQL statements from a user-supplied prompt and executes them via vn.run_sql() without enforcing query execution limits In downstream deployments where untrusted users can supply prompts, an attacker can trigger expensive or unbounded SQL operations that exhaust CPU or memory resources, resulting in a denial-of-service condition. The vulnerable execution path occurs in llama_index/packs/vanna/base.py within custom_query().

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-58339

reference_id

reference_type

scores

value	0.00144
scoring_system	epss
scoring_elements	0.3444
published_at	2026-06-11T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34621
published_at	2026-06-14T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34641
published_at	2026-06-13T12:55:00Z

value	0.00144
scoring_system	epss
scoring_elements	0.34617
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-58339

reference_url

https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f

reference_id

a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-13T17:18:23Z/

url

https://huntr.com/bounties/a1d6c30d-fce0-412a-bd22-14e0d4c1fa1f

reference_url

https://github.com/run-llama/llama_index

reference_id

llama_index

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-13T17:18:23Z/

url

https://github.com/run-llama/llama_index

reference_url

https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion

reference_id

llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-13T17:18:23Z/

url

https://www.vulncheck.com/advisories/llamaindex-vannaqueryengine-sql-execution-allows-resource-exhaustion

reference_url

https://www.llamaindex.ai/

reference_id

www.llamaindex.ai

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-13T17:18:23Z/

url

https://www.llamaindex.ai/

fixed_packages

url pkg:pypi/llama-index@0.12.3

purl pkg:pypi/llama-index@0.12.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-42vx-wn51-qyhn

vulnerability	VCID-ceq2-zgaf-4khp

vulnerability	VCID-kdxg-cepu-k7c6

vulnerability	VCID-kef8-9x8x-7qbf

vulnerability	VCID-kuwz-n7tn-v3f6

vulnerability	VCID-uxre-3rx7-1ffw

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.3

aliases CVE-2024-58339, PYSEC-2026-86

risk_score 3.9

exploitability 0.5

weighted_severity 7.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4gnz-yvuj-j7b9

url VCID-ceq2-zgaf-4khp

vulnerability_id VCID-ceq2-zgaf-4khp

summary The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-7707.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-7707.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-7707

reference_id

reference_type

scores

value	0.00027
scoring_system	epss
scoring_elements	0.08331
published_at	2026-06-14T12:55:00Z

value	0.00027
scoring_system	epss
scoring_elements	0.08333
published_at	2026-06-13T12:55:00Z

value	0.00027
scoring_system	epss
scoring_elements	0.08293
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-7707

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2403577
reference_id	2403577
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2403577

reference_url

https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803

reference_id

3fe2c8ab-6727-4aef-a0ef-4d2818e48803

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-14T14:32:21Z/

url

https://huntr.com/bounties/3fe2c8ab-6727-4aef-a0ef-4d2818e48803

reference_url

https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4

reference_id

98816394d57c7f53f847ed7b60725e69d0e7aae4

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-14T14:32:21Z/

url

https://github.com/run-llama/llama_index/commit/98816394d57c7f53f847ed7b60725e69d0e7aae4

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-7707

reference_id

CVE-2025-7707

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-7707

reference_url

https://github.com/advisories/GHSA-rg9h-vx28-xxp5

reference_id

GHSA-rg9h-vx28-xxp5

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-rg9h-vx28-xxp5

fixed_packages

url	pkg:pypi/llama-index@0.13.0
purl	pkg:pypi/llama-index@0.13.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.13.0

aliases CVE-2025-7707, GHSA-rg9h-vx28-xxp5

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ceq2-zgaf-4khp

url VCID-kdxg-cepu-k7c6

vulnerability_id VCID-kdxg-cepu-k7c6

summary Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1793.json

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-1793.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-1793

reference_id

reference_type

scores

value	0.00057
scoring_system	epss
scoring_elements	0.18283
published_at	2026-06-12T12:55:00Z

value	0.00057
scoring_system	epss
scoring_elements	0.18279
published_at	2026-06-14T12:55:00Z

value	0.00057
scoring_system	epss
scoring_elements	0.18304
published_at	2026-06-13T12:55:00Z

value	0.00057
scoring_system	epss
scoring_elements	0.18121
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-1793

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-1793

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-1793

reference_url

https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e

reference_id

0008041e8dde8e519621388e5d6f558bde6ef42e

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-06-05T13:28:44Z/

url

https://github.com/run-llama/llama_index/commit/0008041e8dde8e519621388e5d6f558bde6ef42e

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2370381
reference_id	2370381
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2370381

reference_url

https://huntr.com/bounties/8cb1555a-9655-4122-b0d6-60059e79183c

reference_id

8cb1555a-9655-4122-b0d6-60059e79183c

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-06-05T13:28:44Z/

url

https://huntr.com/bounties/8cb1555a-9655-4122-b0d6-60059e79183c

reference_url

https://github.com/advisories/GHSA-v3c8-3pr6-gr7p

reference_id

GHSA-v3c8-3pr6-gr7p

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-v3c8-3pr6-gr7p

fixed_packages

url pkg:pypi/llama-index@0.12.28

purl pkg:pypi/llama-index@0.12.28

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9nry-wte8-3fbf

vulnerability	VCID-ceq2-zgaf-4khp

vulnerability	VCID-kuwz-n7tn-v3f6

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.28

aliases CVE-2025-1793, GHSA-v3c8-3pr6-gr7p

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kdxg-cepu-k7c6

url VCID-kef8-9x8x-7qbf

vulnerability_id VCID-kef8-9x8x-7qbf

summary A vulnerability in the LangChainLLM class of the run-llama/llama_index repository, version v0.12.5, allows for a Denial of Service (DoS) attack. The stream_complete method executes the llm using a thread and retrieves the result via the get_response_gen method of the StreamingGeneratorCallbackHandler class. If the thread terminates abnormally before the _llm.predict is executed, there is no exception handling for this case, leading to an infinite loop in the get_response_gen function. This can be triggered by providing an input of an incorrect type, causing the thread to terminate and the process to continue running indefinitely.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12704.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12704.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-12704

reference_id

reference_type

scores

value	0.00351
scoring_system	epss
scoring_elements	0.58047
published_at	2026-06-14T12:55:00Z

value	0.00351
scoring_system	epss
scoring_elements	0.58042
published_at	2026-06-12T12:55:00Z

value	0.00351
scoring_system	epss
scoring_elements	0.5793
published_at	2026-06-11T12:55:00Z

value	0.00351
scoring_system	epss
scoring_elements	0.58058
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-12704

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-12704

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-12704

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2353770
reference_id	2353770
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2353770

reference_url

https://huntr.com/bounties/a0b638fd-21c6-4ba7-b381-6ab98472a02a

reference_id

a0b638fd-21c6-4ba7-b381-6ab98472a02a

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:16Z/

url

https://huntr.com/bounties/a0b638fd-21c6-4ba7-b381-6ab98472a02a

reference_url

https://github.com/run-llama/llama_index/commit/d1ecfb77578d089cbe66728f18f635c09aa32a05

reference_id

d1ecfb77578d089cbe66728f18f635c09aa32a05

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:54:16Z/

url

https://github.com/run-llama/llama_index/commit/d1ecfb77578d089cbe66728f18f635c09aa32a05

reference_url

https://github.com/advisories/GHSA-j3wr-m6xh-64hg

reference_id

GHSA-j3wr-m6xh-64hg

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-j3wr-m6xh-64hg

fixed_packages

url pkg:pypi/llama-index@0.12.6

purl pkg:pypi/llama-index@0.12.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ceq2-zgaf-4khp

vulnerability	VCID-kdxg-cepu-k7c6

vulnerability	VCID-kuwz-n7tn-v3f6

vulnerability	VCID-uxre-3rx7-1ffw

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.6

aliases CVE-2024-12704, GHSA-j3wr-m6xh-64hg

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kef8-9x8x-7qbf

url VCID-kuwz-n7tn-v3f6

vulnerability_id VCID-kuwz-n7tn-v3f6

summary A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to version 0.12.28, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting in one chunk overwriting another. This can cause loss of semantically or legally important document content, breakage of parent-child chunk hierarchies, and inaccurate or hallucinated responses in AI outputs. The issue is resolved in version 0.3.1.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6211.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-6211.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-6211

reference_id

reference_type

scores

value	0.00301
scoring_system	epss
scoring_elements	0.53944
published_at	2026-06-14T12:55:00Z

value	0.00301
scoring_system	epss
scoring_elements	0.53941
published_at	2026-06-12T12:55:00Z

value	0.00301
scoring_system	epss
scoring_elements	0.53815
published_at	2026-06-11T12:55:00Z

value	0.00301
scoring_system	epss
scoring_elements	0.53958
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-6211

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-6211

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-6211

reference_url

https://huntr.com/bounties/1a48a011-a3c5-4979-9ffc-9652280bc389

reference_id

1a48a011-a3c5-4979-9ffc-9652280bc389

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-10T15:13:09Z/

url

https://huntr.com/bounties/1a48a011-a3c5-4979-9ffc-9652280bc389

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2379311
reference_id	2379311
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2379311

reference_url

https://github.com/run-llama/llama_index/commit/29b2e07e64ed7d302b1cc058185560b28eaa1352

reference_id

29b2e07e64ed7d302b1cc058185560b28eaa1352

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-10T15:13:09Z/

url

https://github.com/run-llama/llama_index/commit/29b2e07e64ed7d302b1cc058185560b28eaa1352

reference_url

https://github.com/advisories/GHSA-5hq9-5r78-2gjh

reference_id

GHSA-5hq9-5r78-2gjh

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5hq9-5r78-2gjh

fixed_packages

url pkg:pypi/llama-index@0.12.41

purl pkg:pypi/llama-index@0.12.41

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ceq2-zgaf-4khp

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.41

aliases CVE-2025-6211, GHSA-5hq9-5r78-2gjh

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kuwz-n7tn-v3f6

url VCID-m1xa-bext-83bg

vulnerability_id VCID-m1xa-bext-83bg

summary A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. The vulnerability affects the latest version and is fixed in version 0.5.1.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12911.json

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12911.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-12911

reference_id

reference_type

scores

value	0.00272
scoring_system	epss
scoring_elements	0.51091
published_at	2026-06-14T12:55:00Z

value	0.00272
scoring_system	epss
scoring_elements	0.5109
published_at	2026-06-12T12:55:00Z

value	0.00272
scoring_system	epss
scoring_elements	0.50959
published_at	2026-06-11T12:55:00Z

value	0.00272
scoring_system	epss
scoring_elements	0.51103
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-12911

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-12911

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-12911

reference_url

https://huntr.com/bounties/095f9e67-311d-494c-99c5-5e61a0adb8f3

reference_id

095f9e67-311d-494c-99c5-5e61a0adb8f3

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:50:15Z/

url

https://huntr.com/bounties/095f9e67-311d-494c-99c5-5e61a0adb8f3

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2353719
reference_id	2353719
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2353719

reference_url

https://github.com/run-llama/llama_index/commit/bf282074e20e7dafd5e2066137dcd4cd17c3fb9e

reference_id

bf282074e20e7dafd5e2066137dcd4cd17c3fb9e

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:50:15Z/

url

https://github.com/run-llama/llama_index/commit/bf282074e20e7dafd5e2066137dcd4cd17c3fb9e

reference_url

https://github.com/advisories/GHSA-jmgm-gx32-vp4w

reference_id

GHSA-jmgm-gx32-vp4w

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jmgm-gx32-vp4w

fixed_packages

url pkg:pypi/llama-index@0.12.3

purl pkg:pypi/llama-index@0.12.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-42vx-wn51-qyhn

vulnerability	VCID-ceq2-zgaf-4khp

vulnerability	VCID-kdxg-cepu-k7c6

vulnerability	VCID-kef8-9x8x-7qbf

vulnerability	VCID-kuwz-n7tn-v3f6

vulnerability	VCID-uxre-3rx7-1ffw

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.3

aliases CVE-2024-12911, GHSA-jmgm-gx32-vp4w

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m1xa-bext-83bg

url VCID-uxre-3rx7-1ffw

vulnerability_id VCID-uxre-3rx7-1ffw

summary A vulnerability in the `KnowledgeBaseWebReader` class of the run-llama/llama_index repository, version latest, allows an attacker to cause a Denial of Service (DoS) by controlling a URL variable to contain the root URL. This leads to infinite recursive calls to the `get_article_urls` method, exhausting system resources and potentially crashing the application.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12910.json

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12910.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-12910

reference_id

reference_type

scores

value	0.00351
scoring_system	epss
scoring_elements	0.58047
published_at	2026-06-14T12:55:00Z

value	0.00351
scoring_system	epss
scoring_elements	0.58042
published_at	2026-06-12T12:55:00Z

value	0.00351
scoring_system	epss
scoring_elements	0.5793
published_at	2026-06-11T12:55:00Z

value	0.00351
scoring_system	epss
scoring_elements	0.58058
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-12910

reference_url

https://github.com/advisories/GHSA-jvpf-xf32-2w4q

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jvpf-xf32-2w4q

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2025-11.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/llama-index/PYSEC-2025-11.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-12910

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-12910

reference_url

https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9

reference_id

159ce485a1168100bb219dc1b93133f1121579d9

reference_type

scores

value	4.2
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:55:55Z/

url

https://github.com/run-llama/llama_index/commit/159ce485a1168100bb219dc1b93133f1121579d9

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2353537
reference_id	2353537
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2353537

reference_url

https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8

reference_id

27883f22-35ff-49df-aaa5-05031c7d6ad8

reference_type

scores

value	4.2
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:55:55Z/

url

https://huntr.com/bounties/27883f22-35ff-49df-aaa5-05031c7d6ad8

fixed_packages

url pkg:pypi/llama-index@0.12.9

purl pkg:pypi/llama-index@0.12.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-ceq2-zgaf-4khp

vulnerability	VCID-kdxg-cepu-k7c6

vulnerability	VCID-kuwz-n7tn-v3f6

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.12.9

aliases CVE-2024-12910, GHSA-jvpf-xf32-2w4q, PYSEC-2025-11

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uxre-3rx7-1ffw

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/llama-index@0.11.11

Package Instance