PatchSiren

LocalAI CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL LocalAI CVE published 2026-07-07

CVE-2026-59707

A critical server-side request forgery vulnerability exists in LocalAI's POST /models/apply endpoint, enabling attackers to fetch arbitrary internal URLs. The endpoint passes unsanitized gallery URL fields directly to gallery.GetGalleryConfigFromURLWithContext without proper validation, allowing attackers to force the server to issue HTTP GET requests to private and loopback ranges. Partial response conte [truncated]