Security: vllm-project/vllm
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server (GHSA-3mwp-wvh9-7528), published Apr 3, 2026 by russellb. Severity: Moderate
- Hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out (GHSA-7972-pg2x-xr59), published Mar 26, 2026 by russellb. Severity: High
- SSRF Protection Bypass in vLLM (GHSA-v359-jj2v-j536), published Mar 9, 2026 by russellb. Severity: Moderate
- OpenAI API Auth Bypass (GHSA-94f4-hr76-p5j6), published Jun 2, 2026 by russellb. Severity: Critical
- Server-Side Request Forgery (SSRF) in `MediaConnector` (GHSA-qh4c-xf7m-gxfc), published Jan 27, 2026 by russellb. Severity: High
- vLLM RCE In Video Processing (GHSA-4r2x-xpjr-7cvv), published Feb 2, 2026 by russellb. Severity: Critical
- RCE via auto_map dynamic module loading during model initialization (GHSA-2pc9-4j83-qjmr), published Jan 21, 2026 by russellb. Severity: High
- DoS via incorrect shape of multimodal embedding inputs (GHSA-wv77-2vpf-vmmg), published Jan 21, 2026 by russellb. Severity: Moderate
- Missing validation of multimodal embeddings leading to DoS and potential RCE (GHSA-mcmc-2m55-j8jj), published Jan 8, 2026 by russellb. Severity: High
- DoS in Idefics3 vision models via image payload with ambiguous dimensions (GHSA-grg2-63fw-f2qr), published Jan 9, 2026 by russellb. Severity: Moderate