A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker to manipulate the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41.

CVE-2025-6209 is a path traversal vulnerability identified in the run-llama project's component llama_index, specifically affecting versions 0.12.27 through 0.12.40. The vulnerability resides in the encode_image function within the generic_utils.py file. The root cause is insufficient validation or sanitization of the image_path input parameter, which allows an attacker to craft a path containing traversal sequences such as "\..\filename". This manipulation enables unauthorized reading of arbitrary files on the server, including sensitive system files outside the intended directory scope. The vulnerability does not require any authentication or user interaction and can be exploited remotely over the network. The CVSS v3.0 base score is 7.5, indicating a high severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). The vulnerability has been addressed and fixed in version 0.12.41 of the run-llama/llama_index package. There are no known exploits in the wild at the time of publication, but the ease of exploitation and high confidentiality impact make it a significant risk if left unpatched.

CVE Database V5

Detailed information about CVE-2025-6209: CWE-29 Path Traversal: '\..\filename' in run-llama run-llama/llama_index affecting run-llama run-llama/llama_index. Ge

CVE-2025-6209: CWE-29 Path Traversal: '\..\filename' in run-llama run-llama/llama_index - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-6209: CWE-29 Path Traversal: '\..\filename' in run-llama run-llama/llama_index

A vulnerability, which was classified as critical, was found in itsourcecode Employee Management System up to 1.0. This affects an unknown part of the file /admin/changepassword.php. The manipulation of the argument currentpassword leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7127 is a SQL Injection vulnerability identified in the itsourcecode Employee Management System version 1.0, specifically within the /admin/changepassword.php file. The vulnerability arises from improper sanitization or validation of the 'currentpassword' parameter, allowing an attacker to inject malicious SQL code. This injection flaw can be exploited remotely without requiring user interaction, but it does require high privileges (as indicated by the CVSS vector's PR:H). The vulnerability impacts the confidentiality, integrity, and availability of the underlying database by potentially allowing unauthorized data access, modification, or deletion. Although the CVSS score is 5.1 (medium severity), the classification as critical in the description suggests that the vulnerability could be more impactful depending on the deployment context. No patches or fixes have been publicly disclosed yet, and no known exploits are currently in the wild, but the exploit details have been made public, increasing the risk of exploitation. The vulnerability does not require user interaction but does require authenticated access, which limits the attack surface to users with elevated privileges. The vulnerability's presence in an employee management system means that sensitive personnel data could be at risk if exploited.

Detailed information about CVE-2025-7127: SQL Injection in itsourcecode Employee Management System affecting itsourcecode Employee Management System. Get real-t

CVE-2025-7127: SQL Injection in itsourcecode Employee Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7127: SQL Injection in itsourcecode Employee Management System

A vulnerability, which was classified as critical, has been found in itsourcecode Employee Management System up to 1.0. Affected by this issue is some unknown functionality of the file /admin/adminprofile.php. The manipulation of the argument AdminName leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7126 is a SQL Injection vulnerability identified in the itsourcecode Employee Management System version 1.0, specifically within the /admin/adminprofile.php file. The vulnerability arises from improper sanitization or validation of the 'AdminName' parameter, which can be manipulated by an attacker to inject malicious SQL code. This flaw allows an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database without requiring user interaction or prior authentication. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 5.3, reflecting its moderate impact and ease of exploitation. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:L), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is low (VC:L, VI:L, VA:L), indicating limited but non-negligible potential damage. Although no known exploits are currently active in the wild, the public disclosure of the vulnerability increases the risk of exploitation. SQL Injection vulnerabilities can lead to unauthorized data access, data modification, or even full system compromise depending on the database permissions and the application's architecture. Given that the affected component is part of an employee management system, sensitive employee data and administrative controls could be at risk, potentially leading to data breaches or unauthorized administrative actions.

Detailed information about CVE-2025-7126: SQL Injection in itsourcecode Employee Management System affecting itsourcecode Employee Management System. Get real-t

CVE-2025-7126: SQL Injection in itsourcecode Employee Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7126: SQL Injection in itsourcecode Employee Management System

A vulnerability classified as critical was found in itsourcecode Employee Management System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/editempeducation.php. The manipulation of the argument coursepg leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-7125 is a SQL Injection vulnerability identified in the itsourcecode Employee Management System version 1.0, specifically within the /admin/editempeducation.php file. The vulnerability arises from improper sanitization or validation of the 'coursepg' parameter, which can be manipulated by an attacker to inject malicious SQL queries. This injection flaw allows remote attackers to execute arbitrary SQL commands on the backend database without requiring authentication or user interaction. The vulnerability is classified as medium severity with a CVSS 4.0 base score of 5.3, reflecting its moderate impact and ease of exploitation. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:L), and no user interaction needed (UI:N). The vulnerability impacts confidentiality, integrity, and availability at a low level (VC:L, VI:L, VA:L), indicating potential for limited data exposure, modification, or disruption. The scope is unchanged (S:U), meaning the exploit affects only the vulnerable component. Although no public exploits are currently known in the wild, the exploit details have been disclosed, increasing the risk of exploitation. The vulnerability affects an administrative function, which may be accessible only to privileged users, but the lack of authentication requirement in the CVSS vector suggests that the attack might be possible without valid credentials, or that the privilege requirement is low. This vulnerability could allow attackers to extract sensitive employee data, modify records, or disrupt employee management operations by leveraging SQL injection techniques.

Detailed information about CVE-2025-7125: SQL Injection in itsourcecode Employee Management System affecting itsourcecode Employee Management System. Get real-t

CVE-2025-7125: SQL Injection in itsourcecode Employee Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-7125: SQL Injection in itsourcecode Employee Management System

A vulnerability has been found in Campcodes Payroll Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /ajax.php?action=calculate_payroll. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Detailed information about CVE-2025-7128: SQL Injection in Campcodes Payroll Management System affecting Campcodes Payroll Management System. Get real-time upda

CVE-2025-7128: SQL Injection in Campcodes Payroll Management System

CVE-2025-7128: SQL Injection in Campcodes Payroll Management System

Description

Technical Details

Related Threats

CVE-2025-6209: CWE-29 Path Traversal: '\..\filename' in run-llama run-llama/llama_index

CVE-2025-7127: SQL Injection in itsourcecode Employee Management System

CVE-2025-7126: SQL Injection in itsourcecode Employee Management System

CVE-2025-7125: SQL Injection in itsourcecode Employee Management System

CVE-2025-7124: Unrestricted Upload in code-projects Online Note Sharing

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility