216.73.216.197

CVE-2025-62364

· Published 13/10/2025 21:15 · Modified 13/10/2025 21:15

Labels: CVE-2025-62364 2025-10-13CVE-2025-62364CWE-59[email protected]

Essential information

Published
13/10/2025 21:15
Modified
13/10/2025 21:15
Author
Creator
CVSS
6.2 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS metrics

Description

text-generation-webui is an open-source web interface for running Large Language Models. In versions through 3.13, a Local File Inclusion vulnerability exists in the character picture upload feature. An attacker can upload a text file containing a symbolic link to an arbitrary file path. When the application processes the upload, it follows the symbolic link and serves the contents of the targeted file through the web interface. This allows an unauthenticated attacker to read sensitive files on the server, potentially exposing system configurations, credentials, and other confidential information. This vulnerability is fixed in 3.14. No known workarounds exist.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
text-generation-webui / text-generation-webui cpe:2.3:a:text-generation-webui:text-generation-webui:*:*:*:*:*:*:*:*

References