vllm — Vulnerabilities & Security Advisories (31)

All 31 CVE vulnerabilities found in vllm, with AI-generated Chinese analysis, references, and POCs.

Vendor: vllm-project

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-34756 | vLLM Affected by Unauthenticated OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server | CWE-770 | 6.5 | Medium | 2026-04-06 |
| CVE-2026-34755 | vLLM Affected by Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing | CWE-770 | 6.5 | Medium | 2026-04-06 |
| CVE-2026-34753 | vLLM affected by Server-Side Request Forgery (SSRF) in `download_bytes_from_url` | CWE-918 | 5.4 | Medium | 2026-04-06 |
| CVE-2026-34760 | vLLM: Downmix Implementation Differences as Attack Vectors Against Audio AI Models | CWE-20 | 5.9 | Medium | 2026-04-02 |
| CVE-2026-27893 | vLLM's hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out | CWE-693 | 8.8 | High | 2026-03-26 |
| CVE-2026-25960 | SSRF Protection Bypass in vLLM | CWE-918 | 7.1 | High | 2026-03-09 |
| CVE-2026-22778 | vLLM leaks a heap address when PIL throws an error | CWE-532 | 9.8 | Critical | 2026-02-02 |
| CVE-2026-24779 | vLLM vulnerable to Server-Side Request Forgery (SSRF) in `MediaConnector` | CWE-918 | 7.1 | High | 2026-01-27 |
| CVE-2026-22807 | vLLM affected by RCE via auto_map dynamic module loading during model initialization | CWE-94 | 8.8 | High | 2026-01-21 |
| CVE-2026-22773 | vLLM is vulnerable to DoS in Idefics3 vision models via image payload with ambiguous dimensions | CWE-770 | 6.5 | Medium | 2026-01-10 |
| CVE-2025-66448 | vLLM vulnerable to remote code execution via transformers_utils/get_config | CWE-94 | 7.1 | High | 2025-12-01 |
| CVE-2025-62372 | vLLM vulnerable to DoS with incorrect shape of multimodal embedding inputs | CWE-129 | 7.5 | - | 2025-11-21 |
| CVE-2025-62426 | vLLM vulnerable to DoS via large Chat Completion or Tokenization requests with specially crafted `chat_template_kwargs` | CWE-770 | 6.5 | Medium | 2025-11-21 |
| CVE-2025-62164 | VLLM deserialization vulnerability leading to DoS and potential RCE | CWE-20 | 8.8 | High | 2025-11-21 |
| CVE-2025-59425 | vLLM vulnerable to timing attack at bearer auth | CWE-385 | 7.5 | High | 2025-10-07 |
| CVE-2025-48956 | vLLM API endpoints vulnerable to Denial of Service Attacks | CWE-400 | 7.5 | High | 2025-08-21 |
| CVE-2025-48944 | vLLM Tool Schema allows DoS via Malformed pattern and type Fields | CWE-20 | 6.5 | Medium | 2025-05-30 |
| CVE-2025-48943 | vLLM allows clients to crash the openai server with invalid regex | CWE-248 | 6.5 | Medium | 2025-05-30 |
| CVE-2025-48942 | vLLM DOS: Remotely kill vllm over http with invalid JSON schema | CWE-248 | 6.5 | Medium | 2025-05-30 |
| CVE-2025-48887 | vLLM has a Regular Expression Denial of Service (ReDoS, Exponential Complexity) Vulnerability in `pythonic_tool_parser.py` | CWE-1333 | 6.5 | Medium | 2025-05-30 |
| CVE-2025-46722 | vLLM has a Weakness in MultiModalHasher Image Hashing Implementation | CWE-1288 | 4.2 | Medium | 2025-05-29 |
| CVE-2025-46570 | vLLM’s Chunk-Based Prefix Caching Vulnerable to Potential Timing Side-Channel | CWE-208 | 2.6 | Low | 2025-05-29 |
| CVE-2025-47277 | vLLM Allows Remote Code Execution via PyNcclPipe Communication Service | CWE-502 | 9.8 | Critical | 2025-05-20 |
| CVE-2025-30165 | Remote Code Execution Vulnerability in vLLM Multi-Node Cluster Configuration | CWE-502 | 8.0 | High | 2025-05-06 |
| CVE-2025-32444 | vLLM Vulnerable to Remote Code Execution via Mooncake Integration | CWE-502 | 10.0 | Critical | 2025-04-30 |
| CVE-2025-46560 | vLLM phi4mm: Quadratic Time Complexity in Input Token Processing leads to denial of service | CWE-1333 | 6.5 | Medium | 2025-04-30 |
| CVE-2025-30202 | Data exposure via ZeroMQ on multi-node vLLM deployment | CWE-770 | 7.5 | High | 2025-04-30 |
| CVE-2025-29783 | vLLM Allows Remote Code Execution via Mooncake Integration | CWE-502 | 9.1 | Critical | 2025-03-19 |
| CVE-2025-29770 | vLLM denial of service via outlines unbounded cache on disk | CWE-770 | 6.5 | Medium | 2025-03-19 |
| CVE-2025-25183 | vLLM using built-in hash() from Python 3.12 leads to predictable hash collisions in vLLM prefix cache | CWE-354 | 2.6 | Low | 2025-02-07 |
