{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T22:32:41.359","vulnerabilities":[{"cve":{"id":"CVE-2024-9311","sourceIdentifier":"security@huntr.dev","published":"2025-03-20T10:15:47.980","lastModified":"2025-04-07T14:54:12.453","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A Cross-Site Request Forgery (CSRF) vulnerability in haotian-liu/llava v1.2.0 (LLaVA-1.6) allows an attacker to upload files with malicious content without authentication or user interaction. The uploaded file is stored in a predictable path, enabling the attacker to execute arbitrary JavaScript code in the context of the victim's browser by visiting the crafted file URL. This can lead to theft of sensitive information, session hijacking, or other actions compromising the security and privacy of the victim."},{"lang":"es","value":"Una vulnerabilidad de Cross-Site Request Forgery (CSRF) en haotian-liu/llava v1.2.0 (LLaVA-1.6) permite a un atacante cargar archivos con contenido malicioso sin autenticación ni interacción del usuario. El archivo cargado se almacena en una ruta predecible, lo que permite al atacante ejecutar código JavaScript arbitrario en el navegador de la víctima al visitar la URL del archivo manipulado. Esto puede provocar el robo de información confidencial, el secuestro de sesión u otras acciones que comprometan la seguridad y la privacidad de la víctima."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}],"cvssMetricV30":[{"source":"security@huntr.dev","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"security@huntr.dev","type":"Secondary","description":[{"lang":"en","value":"CWE-352"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-352"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:hliu:large_language_and_vision_assistant:1.2.0:*:*:*:*:*:*:*","matchCriteriaId":"16359AF7-BEEE-464E-9B76-3D47F6635EE8"}]}]}],"references":[{"url":"https://huntr.com/bounties/15b18b85-5a6b-43e7-bc65-6b4772871e98","source":"security@huntr.dev","tags":["Exploit","Third Party Advisory"]}]}}]}