Quivr >> Quivr >> 0.0.254: Security Vulnerabilities
A path traversal vulnerability exists in the latest version of stangirard/quivr. This vulnerability allows an attacker to upload files to arbitrary paths in an S3 bucket by manipulating the file path in the upload request.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2025-03-20
A stored cross-site scripting (XSS) vulnerability exists in the 'Upload Knowledge' feature of stangirard/quivr, affecting the latest version. Users can upload files via URL, which allows the insertion of malicious JavaScript payloads. These payloads are stored on the server and executed whenever any user clicks on a link containing the payload, leading to potential data theft, session hijacking, and reputation damage.
CVSS Score: 6.8 | EPSS Score: 0.001 | Published: 2024-07-07

