EUVD Bot

@EUVD_Bot
156 Followers
1 Following
31.4K Posts

🛡️ Unofficial bot posting new entries from the EU Vulnerability Database (EUVD).

🔔 Stay updated on the latest security vulnerabilities.
🤖 Automated • Not affiliated with ENISA or the EU

#InfoSec #Cybersecurity #Vulnerabilities #EUVD

Maintainer: https://infosec.exchange/@moltenbit

🚨 EUVD-2026-38400

📊 Score: 5.3/10 (CVSS v3.1)
📦 Product: vllm
🏢 Vendor: vllm-project
📅 Updated: 2026-06-22

📝 vLLM is an inference and serving engine for large language models (LLMs). From 0.5.5 until 0.23.1rc0, integer truncation of tensor dimensions in vLLM's GGUF dequantize kernels (csrc/quantization/gguf/gguf_kernel.cu) causes partial tensor processing. The ou...

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-38400

#cybersecurity #infosec #euvd #cve #vulnerability

EUVD

European Vulnerability Database

🚨 EUVD-2026-38398

📊 Score: 8.7/10 (CVSS v3.1)
📦 Product: nest
🏢 Vendor: nestjs
📅 Updated: 2026-06-22

📝 Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fast...

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-38398

#cybersecurity #infosec #euvd #cve #vulnerability


🚨 EUVD-2026-38362

📊 Score: 6.5/10 (CVSS v3.1)
📦 Product: ultrajson
🏢 Vendor: ultrajson
📅 Updated: 2026-06-22

📝 UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Prior to 5.13.0, ujson.dumps() (or ujson.dump() or ujson.encode()) have a reject_bytes=False option. When set, they may accept malformed or truncated UTF-8 byte...

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-38362

#cybersecurity #infosec #euvd #cve #vulnerability


🚨 EUVD-2026-38401

📊 Score: 9.1/10 (CVSS v3.1)
📦 Product: vllm
🏢 Vendor: vllm-project
📅 Updated: 2026-06-22

📝 vLLM is an inference and serving engine for large language models (LLMs). From 0.3.0 until 0.22.0, a vulnerability in ASGI web servers and starlette's trust on those web servers enables an authentication bypass of the OpenAI API AuthenticationMiddleware. I...

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-38401

#cybersecurity #infosec #euvd #cve #vulnerability


🚨 EUVD-2026-38402

📊 Score: 6.9/10 (CVSS v3.1)
📦 Product: vllm
🏢 Vendor: vllm-project
📅 Updated: 2026-06-22

📝 vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, all temperature validation gates use comparison operators (<, >), which silently evaluate to False for NaN and for positive Infinity in Python's IEEE 754 float sem...

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-38402

#cybersecurity #infosec #euvd #cve #vulnerability


🚨 EUVD-2026-38403

📊 Score: 5.3/10 (CVSS v3.1)
📦 Product: vllm
🏢 Vendor: vllm-project
📅 Updated: 2026-06-22

📝 vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, the fix for CVE-2026-22778, which introduced a sanitize_message helper that strips object-repr memory addresses from error messages before they reach the client, ...

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-38403

#cybersecurity #infosec #euvd #cve #vulnerability


🚨 EUVD-2026-38404

📊 Score: 6.5/10 (CVSS v3.1)
📦 Product: vllm
🏢 Vendor: vllm-project
📅 Updated: 2026-06-22

📝 vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.23.1rc0, vLLM's /v1/audio/transcriptions endpoint limits compressed upload size but not decoded PCM output. A 25MB OPUS file expands to ~14.9GB of float32 PCM at decode ti...

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-38404

#cybersecurity #infosec #euvd #cve #vulnerability


🚨 EUVD-2026-38405

📊 Score: 8.8/10 (CVSS v3.1)
📦 Product: vllm
🏢 Vendor: vllm-project
📅 Updated: 2026-06-22

📝 vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.1, the vLLM Dockerfile is vulnerable to a dependency confusion attack through the flashinfer-jit-cache package. The package is installed from a custom index (flashinfer...

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-38405

#cybersecurity #infosec #euvd #cve #vulnerability


🚨 EUVD-2026-38406

📊 Score: 7.5/10 (CVSS v3.1)
📦 Product: vllm
🏢 Vendor: vllm-project
📅 Updated: 2026-06-22

📝 vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, an assert-based security check in vLLM's activation function loading allows any unauthenticated attacker to achieve arbitrary code execution on the server by publish...

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-38406

#cybersecurity #infosec #euvd #cve #vulnerability


🚨 EUVD-2026-38407

📊 Score: 6.5/10 (CVSS v3.1)
📦 Product: vllm
🏢 Vendor: vllm-project
📅 Updated: 2026-06-22

📝 vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still lo...

🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-38407

#cybersecurity #infosec #euvd #cve #vulnerability
