OSV - Open Source Vulnerabilities

GHSA-pq5c-rjhq-qp7p

PyPI/vllm

vLLM: Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing

03 Apr

Fix available
Severity - 6.5 (Medium)

GHSA-pf3h-qjgv-vcpr

PyPI/vllm

vLLM: Server-Side Request Forgery (SSRF) in `download_bytes_from_url `

03 Apr

Fix available
Severity - 5.4 (Medium)

GHSA-3mwp-wvh9-7528

PyPI/vllm

vLLM: Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server

03 Apr

Fix available
Severity - 6.5 (Medium)

GHSA-7972-pg2x-xr59

PyPI/vllm

vLLM has Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out

27 Mar

Fix available
Severity - 8.8 (High)

GHSA-v359-jj2v-j536

PyPI/vllm

vLLM has SSRF Protection Bypass

09 Mar

Fix available
Severity - 5.4 (Medium)

MAL-2026-844

PyPI/vllm-plugins

Malicious code in vllm-plugins (PyPI)

10 Feb

No fix available

GHSA-4r2x-xpjr-7cvv

PyPI/vllm

vLLM has RCE In Video Processing

02 Feb

Fix available
Severity - 9.8 (Critical)

GHSA-qh4c-xf7m-gxfc

PyPI/vllm

vLLM vulnerable to Server-Side Request Forgery (SSRF) through MediaConnector

28 Jan

Fix available
Severity - 7.1 (High)

GHSA-2pc9-4j83-qjmr

PyPI/vllm

vLLM affected by RCE via auto_map dynamic module loading during model initialization

21 Jan

Fix available
Severity - 8.8 (High)

GHSA-grg2-63fw-f2qr

PyPI/vllm

vLLM is vulnerable to DoS in Idefics3 vision models via image payload with ambiguous dimensions

13 Jan

Fix available
Severity - 6.5 (Medium)

GHSA-mcmc-2m55-j8jj

PyPI/vllm

vLLM introduced enhanced protection for CVE-2025-62164

08 Jan

Fix available
Severity - 8.8 (High)

GHSA-8fr4-5q9j-m8gm

PyPI/vllm

vLLM vulnerable to remote code execution via transformers_utils/get_config

02 Dec 2025

Fix available
Severity - 7.1 (High)

GHSA-69j4-grxj-j64p

PyPI/vllm

vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs`

20 Nov 2025

Fix available
Severity - 6.5 (Medium)

GHSA-pmqf-x6x8-p7qw

PyPI/vllm

vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs

20 Nov 2025

Fix available
Severity - 8.3 (High)

GHSA-mrw7-hf4f-83pf

PyPI/vllm

vLLM deserialization vulnerability leading to DoS and potential RCE

20 Nov 2025

Fix available
Severity - 8.8 (High)

GHSA-3f6c-7fw2-ppm4

PyPI/vllm

vLLM is vulnerable to Server-Side Request Forgery (SSRF) through `MediaConnector` class

07 Oct 2025

Fix available
Severity - 7.1 (High)

Load more...(3 pages left)