PYSEC-2026-1579

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/lmdeploy/PYSEC-2026-1579.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1579
Aliases
Published
2026-07-07T16:02:50.709898Z
Modified
2026-07-07T17:46:55.091570381Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
InternLM LMDeploy code injection vulnerability
Details

A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been declared as critical. Affected by this vulnerability is the function Open of the file lmdeploy/docs/en/conf.py. The manipulation leads to code injection. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used.

References

Affected packages

PyPI / lmdeploy

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.7.1

Affected versions

0.*
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.1.0
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.3.0
0.4.0
0.4.1
0.4.2
0.5.0
0.5.1
0.5.2
0.5.2.post1
0.5.3
0.6.0a0
0.6.0
0.6.1
0.6.2
0.6.2.post1
0.6.3
0.6.4
0.6.5
0.7.0
0.7.0.post1
0.7.0.post2
0.7.0.post3
0.7.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/lmdeploy/PYSEC-2026-1579.yaml"