Security: vllm-project/vllm
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
- Denial of Service via Unbounded Frame Count in video/jpeg Base64 Processing (GHSA-pq5c-rjhq-qp7p), published Apr 3, 2026 by russellb, Moderate
- Server-Side Request Forgery (SSRF) in `download_bytes_from_url` (GHSA-pf3h-qjgv-vcpr), published Apr 3, 2026 by russellb, Moderate
- OOM Denial of Service via Unbounded `n` Parameter in OpenAI API Server (GHSA-3mwp-wvh9-7528), published Apr 3, 2026 by russellb, Moderate
- Hardcoded trust_remote_code=True in NemotronVL and KimiK25 bypasses user security opt-out (GHSA-7972-pg2x-xr59), published Mar 26, 2026 by russellb, High
- SSRF Protection Bypass in vLLM (GHSA-v359-jj2v-j536), published Mar 9, 2026 by russellb, Moderate
- Server-Side Request Forgery (SSRF) in `MediaConnector` (GHSA-qh4c-xf7m-gxfc), published Jan 27, 2026 by russellb, High
- vLLM RCE In Video Processing (GHSA-4r2x-xpjr-7cvv), published Feb 2, 2026 by russellb, Critical
- RCE via auto_map dynamic module loading during model initialization (GHSA-2pc9-4j83-qjmr), published Jan 21, 2026 by russellb, High
- DoS via incorrect shape of multimodal embedding inputs (GHSA-wv77-2vpf-vmmg), published Jan 21, 2026 by russellb, Moderate
- Missing validation of multimodal embeddings leading to DoS and potential RCE (GHSA-mcmc-2m55-j8jj), published Jan 8, 2026 by russellb, High