ZEROPATH WALL OF FAME

Securing the world's code,
one vulnerability at a time

Every vulnerability listed here has been discovered and responsibly disclosed by ZeroPath. This represents just a fraction of our ongoing mission to make open source software more secure.

20 Vulnerabilities Fixed
+25 In Disclosure Process
3 CVEs Assigned

Discovered Vulnerabilities

Each finding represents hours of research and responsible disclosure to protect users worldwide.

CVE Pending (2025-01-22)
Insecure Direct Object Reference (IDOR)

IDOR Security Vulnerability in SuperAGI

Broken object-level authorization (IDOR) on /api/resources/get/{resource_id}: the endpoint looked resources up by ID alone, exposing tens of thousands of customers' files, including secrets, business documents and health information, to anyone who requested another account's resource ID.

TransformerOptimus/SuperAGI

CVE-2024-43035 (2024-07-21)
Local File Inclusion

Local File Inclusion in Fonoster

A Local File Inclusion vulnerability was discovered in the Fonoster Voice Server, allowing access to system files via voice file paths due to incomplete path validation.

fonoster/fonoster

CVE Pending (2024-09-05)
Unauthorized Access

Unauthorized Access to Any User's Jobs in LibrePhotos

Access to other users' processing jobs due to a missing authorization check on the job queue.

LibrePhotos/librephotos

CVE Pending (2024-09-05)
Authentication Bypass

Token Refresh Vulnerability in LibrePhotos

Complete authentication bypass via improper token validation in the LibrePhotos project.

LibrePhotos/librephotos

CVE Pending (2024-09-02)
Unauthorized Access

Unauthorized Conversation Deletion in RagFlow

Complete deletion of other users' chat history due to missing object-level authorization checks.

infiniflow/ragflow

CVE Pending (2024-09-02)
Unauthorized Access

Unauthorized Canvas Deletion in RagFlow

Deletion of other users' visualization canvases due to insufficient IDOR protection on the API endpoint.

infiniflow/ragflow

CVE Pending (2024-09-02)
Information Disclosure

Unauthorized Knowledge Base Access in RagFlow

Read access to other users' private knowledge bases due to missing tenant isolation in KB queries.

infiniflow/ragflow

CVE Pending (2024-09-02)
Unauthorized Access

Unauthorized File Movement in RagFlow

Moving/deleting other users' uploaded files due to missing ACL checks in file operations.

infiniflow/ragflow

CVE Pending (2024-09-02)
Information Disclosure

Unauthorized Conversation Access in RagFlow

Reading other users' private conversations due to broken access control in chat retrieval.

infiniflow/ragflow

CVE Pending (2024-09-02)
Unauthorized Access

Unauthorized API Key Removal in RagFlow

Removal of other users' API keys due to an IDOR in the key management endpoint.

infiniflow/ragflow

CVE Pending (2024-09-02)
Information Disclosure

Unauthorized Knowledge Base Enumeration in RagFlow

Enumeration of all private knowledge bases due to missing authentication on the list endpoint.

infiniflow/ragflow

CVE Pending (2024-09-02)
Unauthorized Access

Unauthorized Dialog Deletion in RagFlow

Mass deletion of other users' dialogs due to a race condition in the deletion endpoint.

infiniflow/ragflow

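
The SuperAGI resource fetch, the LibrePhotos job access and the RagFlow conversation, canvas, knowledge-base, file, API-key and dialog entries above share one root cause: the handler looks an object up by the client-supplied ID and never asks whether the caller owns it. The following is an added illustration of that bug and its fix in plain Python; it is not code from any of those projects, the in-memory dict stands in for the database, and all names are hypothetical.

```python
"""Object-level authorization: the pattern behind the IDOR findings above.

Added illustration, not code from SuperAGI, LibrePhotos or RagFlow.
A plain dict stands in for the database; all names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    tenant_id: str


@dataclass
class Record:
    id: str
    owner_id: str
    tenant_id: str
    kind: str          # "resource", "conversation", "api_key", ...
    data: str


class NotFound(Exception):
    """Raised for both missing and foreign objects, so the endpoint does
    not become an existence oracle for other tenants' IDs."""


def sample_store() -> dict[str, Record]:
    """Constructed sample data: two tenants, one user each."""
    rows = [
        Record("res-1001", "alice", "acme", "resource", "acme quarterly plan"),
        Record("res-1002", "bob", "globex", "resource", "patient intake form"),
        Record("conv-1", "alice", "acme", "conversation", "hi"),
        Record("conv-2", "bob", "globex", "conversation", "secret"),
    ]
    return {r.id: r for r in rows}


def get_record_vulnerable(store: dict[str, Record], record_id: str, _user: User) -> Record:
    """Look-up keyed on the client-supplied id only. Any authenticated caller
    who guesses or increments an id reads someone else's row."""
    return store[record_id]


def get_record_fixed(store: dict[str, Record], record_id: str, user: User) -> Record:
    """Authorization is part of the look-up: id AND tenant AND owner must match.
    Sequential or guessable IDs stop mattering once the query is scoped."""
    row = store.get(record_id)
    if row is None or row.tenant_id != user.tenant_id or row.owner_id != user.id:
        raise NotFound(record_id)
    return row


def delete_records_fixed(store: dict[str, Record], record_ids: list[str],
                         user: User, kind: str) -> int:
    """Bulk delete scoped to the caller; returns how many rows were removed.
    The ownership filter is inside the 'query', never a post-hoc check."""
    victims = [
        rid for rid in record_ids
        if (r := store.get(rid)) is not None
        and r.kind == kind
        and r.tenant_id == user.tenant_id
        and r.owner_id == user.id
    ]
    for rid in victims:
        del store[rid]
    return len(victims)
```

The fixed getter answers "not found" for a foreign ID rather than "forbidden": a distinct 403 tells an attacker which IDs exist in other tenants. The bulk delete returns a count instead of raising, so a mixed list of own and foreign IDs silently drops the foreign ones, which is what an ORM `filter(owner_id=user.id).delete()` would do.
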
CVE-2024-9301 (2024-09-03)
Local File Inclusion

Local File Inclusion in E2nest

A Local File Inclusion vulnerability was discovered in the E2nest project, allowing arbitrary file read via path traversal in model loading due to insufficient path normalization in config loading.

Netflix/e2nest

CVE Pending (2024-07-22)
Remote Code Execution

Remote Code Execution in Uptrain

A Remote Code Execution vulnerability via eval during project creation.

uptrain-ai/uptrain

CVE Pending (2024-08-22)
Command Injection

Command Injection in Clone-voice

System command execution via voice file metadata due to unescaped input in the ffmpeg command.

jianchang512/clone-voice

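
The Clone-voice entry is the classic shape of shell command injection: a string built from user-controlled metadata and handed to a shell. The example below is added here to show that shape and its two fixes; it is not clone-voice's code, the ffmpeg command line is a hypothetical stand-in, and nothing in it actually runs ffmpeg. The `split_shell_commands` helper approximates what `/bin/sh` would do with each string so the difference is observable without executing anything.

```python
"""Shell command injection through a metadata string, and its fixes.

Added example, not clone-voice's code. The ffmpeg invocation is a
hypothetical stand-in; nothing here runs ffmpeg or a shell.
"""
import shlex

# Constructed attacker-controlled metadata, e.g. a title tag read from an upload.
MALICIOUS_TITLE = "x; touch /tmp/pwned #"


def vulnerable_command(audio_path: str, title: str) -> str:
    """The bug: a string destined for subprocess.run(..., shell=True) with the
    untrusted value pasted in unquoted. ';' ends the ffmpeg command and '#'
    comments out whatever the program appended after it."""
    return f"ffmpeg -i {audio_path} -metadata title={title} out.wav"


def quoted_command(audio_path: str, title: str) -> str:
    """If a shell is unavoidable, every untrusted fragment goes through
    shlex.quote so the shell sees a single literal word."""
    return (f"ffmpeg -i {shlex.quote(audio_path)} "
            f"-metadata {shlex.quote('title=' + title)} out.wav")


def safe_argv(audio_path: str, title: str) -> list[str]:
    """Preferred fix: no shell at all. subprocess.run(argv) passes each list
    element as one argument, so ';' and '#' are plain text to ffmpeg."""
    if audio_path.startswith("-"):
        audio_path = "./" + audio_path   # a filename must not be parsed as an option
    return ["ffmpeg", "-i", audio_path, "-metadata", f"title={title}", "out.wav"]


def split_shell_commands(command: str) -> list[list[str]]:
    """Tokenise with POSIX shell quoting rules and split into separate commands
    at ';'. This is a model of the shell, used only to show the effect."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    commands: list[list[str]] = []
    current: list[str] = []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands
```

Quoting is the fallback, not the goal: `safe_argv` removes the shell from the picture entirely, and the only remaining argument-level hazard (a value that starts with `-` being read as a flag) is handled explicitly because ffmpeg has no `--` end-of-options marker.
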
CVE Pending (2024-08-22)
File Upload / Path Traversal

File Upload and Path Traversal in LibrePhotos

Arbitrary file write via photo upload due to insufficient path sanitization.

LibrePhotos/librephotos

CVE-2024-48946 (2024-09-20)
Remote Code Execution

Remote Code Execution in Monaco

A Remote Code Execution vulnerability was discovered in Hulu's Monaco project, allowing code execution via deserialization due to unsanitized data being passed into pickle.loads.

hulu/monaco

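
The Monaco entry (pickle.loads on untrusted bytes) and the Uptrain entry (eval on request data) are the two most common code-execution sinks in Python services. The block below is an added example, not code from either project: it builds a pickle payload whose effect is deliberately harmless (it returns the current process ID, proving that attacker-chosen code ran during unpickling), then shows the two mitigations a practitioner reaches for, an allow-listing `Unpickler` and `ast.literal_eval` in place of `eval`. Class and function names are hypothetical.

```python
"""Two code-execution sinks: pickle.loads on untrusted bytes (Monaco) and
eval on a user-supplied string (Uptrain). Added example, not either
project's code. The payload's gadget is harmless so the effect is visible.
"""
import ast
import io
import os
import pickle

SAMPLE_CONFIG = {"threshold": 0.5, "tags": ["prod", "eu"]}   # constructed benign input


class PayloadFromTheWire:
    """Anything with __reduce__ pickles as 'call this callable with these
    args'. The class itself is never shipped; only builtins.eval is."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def attacker_bytes() -> bytes:
    return pickle.dumps(PayloadFromTheWire())


def benign_bytes() -> bytes:
    return pickle.dumps(SAMPLE_CONFIG)


def vulnerable_load(blob: bytes):
    """The bug: loads() executes the gadget before returning anything."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list of globals a pickle may reference. builtins.eval,
    os.system, subprocess.* and every other callable are refused."""
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_load(blob: bytes):
    """Plain containers and scalars need no globals, so they round-trip;
    a gadget pickle fails in find_class before any code runs."""
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def vulnerable_parse(expr: str):
    """The Uptrain-style bug: a 'settings' string evaluated as Python."""
    return eval(expr)


def safe_parse(expr: str):
    """literal_eval accepts literals and containers only; a call, attribute
    or name lookup raises ValueError instead of executing."""
    return ast.literal_eval(expr)
```

`RestrictedUnpickler` is a containment measure for formats that cannot change; the real fix for network-facing code is to not accept pickle at all and use JSON or another data-only format. Even an allow-list must be reviewed for gadgets reachable through the allowed classes, and `literal_eval` still parses arbitrarily nested input, so cap the payload size.
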
CVE Pending (2024-09-20)
Unauthorized Access

Unauthorized Redis Access in Monaco

Access to all Redis clusters administered by Monaco due to missing authentication on the app_redis_api endpoint.

hulu/monaco

CVE Pending (2024-10-01)
Directory Traversal

Directory Traversal in LogAI

Access to sensitive files via log paths due to broken path traversal protection in the Salesforce LogAI project.

salesforce/logai

CVE Pending (2024-10-24)
Directory Traversal

Directory Traversal in DB-GPT

Access to database files via backup paths due to missing path normalization in the DB-GPT project.

eosphoros-ai/DB-GPT

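
Five entries above (Fonoster, E2nest, the LibrePhotos upload, LogAI and DB-GPT) are variations on one mistake: a user-supplied file name is joined to a base directory with an incomplete or missing containment check. The block below is an added example, not code from any of those projects, showing the prefix-comparison check that typically passes review but fails, the resolve-and-compare check that holds, and the symlink case the naive version never considers. The base directory and file names are constructed for the example.

```python
"""Path containment for user-supplied file names (the LFI and directory
traversal findings above). Added example, not any project's code; the base
directory and the sample paths are constructed for illustration.
"""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    pass


def naive_is_safe(base_dir: str, user_path: str) -> bool:
    """The check usually found in vulnerable code: normalise, then compare as
    a string prefix. It accepts '../data_evil/x' under '/srv/data' because
    '/srv/data_evil/x'.startswith('/srv/data') is true, and it never follows
    symlinks."""
    full = os.path.normpath(os.path.join(base_dir, user_path))
    return full.startswith(os.path.normpath(base_dir))


def resolve_under(base_dir: str, user_path: str) -> Path:
    """Resolve both sides (symlinks included) and require the candidate to be
    strictly inside the base. Absolute user paths are rejected as a side
    effect: Path('/srv/data') / '/etc/passwd' is '/etc/passwd'."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:
        raise PathTraversalError(f"{user_path!r} escapes {base_dir!r}")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    try:
        resolve_under(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


def demo_symlink_escape() -> bool:
    """Constructed scenario: a link inside the upload directory that points
    outside it (an attacker who can write files can usually create one).
    Returns whether the resolving check lets 'link/secret.txt' through."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp, "outside")
        outside.mkdir()
        (outside / "secret.txt").write_text("top secret")
        base = Path(tmp, "uploads")
        base.mkdir()
        os.symlink(outside, base / "link")
        return is_contained(str(base), "link/secret.txt")
```

`resolve_under` is deliberately strict about the base itself: an empty or `.` path resolves to the directory, which is never a file the caller should be served. Decode URL-encoding before the check, not after, and apply the same function to every code path that touches the filesystem, including backups and model or voice-file loaders, since the findings above came from secondary paths rather than the main upload handler.
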
