Security Advisories · vllm-project/vllm · GitHub

Security Advisories

View known security vulnerabilities and report new vulnerabilities privately to maintainers.

Report a vulnerability

vLLM: incomplete CVE-2026-22778 fix leaks PIL repr addresses via Anthropic router (CWE-532)
GHSA-hgg8-fqqc-vfmw published Jun 11, 2026 by jperezdealgaba

Moderate
Dependency Confusion Vulnerability in vLLM Dockerfile
GHSA-jrf6-vqxq-pjv2 published Jun 9, 2026 by russellb

High
Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights, and processors
GHSA-3ww4-5jv9-j5gm published Jun 10, 2026 by jperezdealgaba

Moderate
extract_hidden_states speculative decoding crashes server on any request with penalty parameters
GHSA-83vm-p52w-f9pw published Apr 28, 2026 by russellb

Moderate
temperature=NaN and temperature=Infinity bypass validation and propagate to GPU kernels
GHSA-7h4p-rffg-7823 published Jun 11, 2026 by jperezdealgaba

Moderate
OOM Denial of Service via Audio Decompression Bomb
GHSA-6pr9-rp53-2pmc published Jun 11, 2026 by jperezdealgaba

Moderate
Security Check Bypass via assert Statement in Activation Function Loading Allows Arbitrary Code Execution
GHSA-q8gq-377p-jq3r published Jun 14, 2026 by jperezdealgaba

High
GGUF dequantize kernel int truncation exposes uninitialized GPU memory in multi-tenant serving
GHSA-5jv2-g5wq-cmr4 published Jun 11, 2026 by jperezdealgaba

Moderate
Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing
GHSA-pq5c-rjhq-qp7p published Apr 3, 2026 by russellb

Moderate
Server-Side Request Forgery (SSRF) in `download_bytes_from_url `
GHSA-pf3h-qjgv-vcpr published Apr 3, 2026 by russellb

Moderate

⚡