cvedb.io
CVE-2024-9311
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2025-03-20T10:15:47.980 · Last modified 2026-06-17T08:24:20.030

Summary

A Cross-Site Request Forgery (CSRF) vulnerability in haotian-liu/llava v1.2.0 (LLaVA-1.6) allows an attacker to upload files with malicious content without authentication or user interaction. The uploaded file is stored in a predictable path, enabling the attacker to execute arbitrary JavaScript code in the context of the victim's browser by visiting the crafted file URL. This can lead to theft of sensitive information, session hijacking, or other actions compromising the security and privacy of the victim.

Affected products

hliu — large_language_and_vision_assistant

Does this affect you?

Add your gear to cvedb and we'll alert you only when hliu ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.