πŸ›‘
CIPHER INTEL
LLM & AI-Tooling Vulnerability Intelligence
Compiled: β€”
100% Sourced CVE Data
β€”
Tracked CVEs (this registry)
β€”
Critical Severity
β€”
High Severity
β€”
Lead to Remote Code Execution
Data Methodology Every entry in this registry is a real, publicly disclosed CVE affecting LLM tooling, inference infrastructure, or agentic-AI frameworks β€” sourced from NVD, GitHub Security Advisories, and named security research teams (Wiz, Check Point, Cato Networks, Datadog, SentinelOne, CERT Polska, Cymulate, Unit 42, Keysight, Imperva, OX Security). No composite risk scores, compliance percentages, or synthetic benchmarks are used anywhere on this page β€” hosted models like GPT-4o or Claude don't carry CVE numbers themselves; the real exposure lives in the frameworks, connectors, and inference servers built around them, which is what this registry tracks.
Notable Findings
CRITICAL — LANGCHAIN GRAPHCYPHERQACHAIN PROMPT→SQL INJECTION
Two related CVEs (Python and JavaScript builds) allow prompt injection to escalate into arbitrary Cypher/SQL execution against a connected graph database, enabling data exfiltration, unauthorized writes, and denial of service in multi-tenant deployments.
CVE-2024-7042 / CVE-2024-8309 CRITICAL
CRITICAL β€” OLLAMA "PROBLLAMA" PATH TRAVERSAL β†’ RCE
An unauthenticated path traversal in Ollama's API server allowed arbitrary file writes, escalating to full remote code execution on self-hosted inference servers β€” including root-privileged Docker deployments exposed to the internet.
CVE-2024-37032 CRITICAL
HIGH β€” OPEN WEBUI DIRECT CONNECTIONS CODE INJECTION
A malicious external model server could inject executable JavaScript via Server-Sent Events, leading to auth-token theft, account takeover, and β€” when the victim held tool-execution permissions β€” full backend remote code execution.
CVE-2025-64496 HIGH
CRITICAL β€” GITHUB COPILOT CHAT "CAMOLEAK" EXFILTRATION
Chaining a CSP bypass with remote prompt injection via hidden pull-request comments let attackers covertly exfiltrate secrets and private source code, and take control of Copilot Chat's responses to a victim developer.
CVE-2025-59145 CRITICAL
Severity Distribution
CVSS Severity Band β€” All Tracked CVEs
Computed directly from the 20-CVE registry below
Vulnerability Class Breakdown
Computed directly from the 20-CVE registry below
Vulnerability Registry β€” Real, Sourced CVEs
All Tracked CVEs β€” LLM Frameworks, Inference Servers & Agentic Tooling
CVE ID Vulnerability Affected Product Category Severity CVSS Status
Click any CVE ID for full detail, description, and primary source link. All IDs link directly to NVD.
Affected Products β€” Real CVE Counts by Software
Hosted frontier models (GPT-4o, Claude, Gemini, etc.) are not directly CVE-tracked β€” vulnerabilities are assigned to the surrounding open-source frameworks, connectors, and inference infrastructure. That's the real attack surface, and it's what's counted here.
CVE Count by Affected Product
Regulatory Relevance β€” Qualitative, Sourced
No numeric compliance scores are published for these products against these frameworks β€” this is a qualitative mapping of which real CVEs raise which regulatory concerns, based on what each vulnerability actually exposes.
Where These CVEs Intersect With Regulatory Obligations
Disclosure Timeline
Chronological Disclosure Log