Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    Related vulnerabilities

    CVE-2026-34760 (GCVE-0-2026-34760)

    Vulnerability from cvelistv5 – Published: 2026-04-02 18:59 – Updated: 2026-04-03 14:42
    VLAI
    Title
    vLLM: Downmix Implementation Differences as Attack Vectors Against Audio AI Models
    Summary
    vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for mono downmixing (to_mono), while the international standard ITU-R BS.775-4 specifies a weighted downmixing algorithm. This discrepancy results in inconsistency between audio heard by humans (e.g., through headphones/regular speakers) and audio processed by AI models (Which infra via Librosa, such as vllm, transformer). This issue has been patched in version 0.18.0.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    vllm-project vllm Affected: >= 0.5.5, < 0.18.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34760",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-03T14:42:25.211772Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-03T14:42:34.842Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "vllm",
              "vendor": "vllm-project",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 0.5.5, \u003c 0.18.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for mono downmixing (to_mono), while the international standard ITU-R BS.775-4 specifies a weighted downmixing algorithm. This discrepancy results in inconsistency between audio heard by humans (e.g., through headphones/regular speakers) and audio processed by AI models (Which infra via Librosa, such as vllm, transformer). This issue has been patched in version 0.18.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-02T18:59:49.638Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6c4r-fmh3-7rh8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6c4r-fmh3-7rh8"
            },
            {
              "name": "https://github.com/vllm-project/vllm/pull/37058",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/pull/37058"
            },
            {
              "name": "https://github.com/vllm-project/vllm/commit/c7f98b4d0a63b32ed939e2b6dfaa8a626e9b46c4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/commit/c7f98b4d0a63b32ed939e2b6dfaa8a626e9b46c4"
            },
            {
              "name": "https://github.com/vllm-project/vllm/releases/tag/v0.18.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/vllm-project/vllm/releases/tag/v0.18.0"
            }
          ],
          "source": {
            "advisory": "GHSA-6c4r-fmh3-7rh8",
            "discovery": "UNKNOWN"
          },
          "title": "vLLM: Downmix Implementation Differences as Attack Vectors Against Audio AI Models"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-34760",
        "datePublished": "2026-04-02T18:59:49.638Z",
        "dateReserved": "2026-03-30T19:17:10.225Z",
        "dateUpdated": "2026-04-03T14:42:34.842Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    PYSEC-2026-2299

    Vulnerability from pysec - Published: 2026-04-02 20:16 - Updated: 2026-07-13 05:52
    VLAI
    Details

    vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for mono downmixing (to_mono), while the international standard ITU-R BS.775-4 specifies a weighted downmixing algorithm. This discrepancy results in inconsistency between audio heard by humans (e.g., through headphones/regular speakers) and audio processed by AI models (Which infra via Librosa, such as vllm, transformer). This issue has been patched in version 0.18.0.

    Impacted products
    Name purl
    vllm pkg:pypi/vllm

    {
      "affected": [
        {
          "ecosystem_specific": {},
          "package": {
            "ecosystem": "PyPI",
            "name": "vllm",
            "purl": "pkg:pypi/vllm"
          },
          "ranges": [
            {
              "events": [
                {
                  "introduced": "0.5.5"
                },
                {
                  "fixed": "0.18.0"
                }
              ],
              "type": "ECOSYSTEM"
            }
          ],
          "versions": [
            "0.10.0",
            "0.10.1",
            "0.10.1.1",
            "0.10.2",
            "0.11.0",
            "0.11.1",
            "0.11.2",
            "0.12.0",
            "0.13.0",
            "0.14.0",
            "0.14.1",
            "0.15.0",
            "0.15.1",
            "0.16.0",
            "0.17.0",
            "0.17.1",
            "0.5.5",
            "0.6.0",
            "0.6.1",
            "0.6.1.post1",
            "0.6.1.post2",
            "0.6.2",
            "0.6.3",
            "0.6.3.post1",
            "0.6.4",
            "0.6.4.post1",
            "0.6.5",
            "0.6.6",
            "0.6.6.post1",
            "0.7.0",
            "0.7.1",
            "0.7.2",
            "0.7.3",
            "0.8.0",
            "0.8.1",
            "0.8.2",
            "0.8.3",
            "0.8.4",
            "0.8.5",
            "0.8.5.post1",
            "0.9.0",
            "0.9.0.1",
            "0.9.1",
            "0.9.2"
          ]
        }
      ],
      "aliases": [
        "CVE-2026-34760",
        "GHSA-6c4r-fmh3-7rh8"
      ],
      "details": "vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for mono downmixing (to_mono), while the international standard ITU-R BS.775-4 specifies a weighted downmixing algorithm. This discrepancy results in inconsistency between audio heard by humans (e.g., through headphones/regular speakers) and audio processed by AI models (Which infra via Librosa, such as vllm, transformer). This issue has been patched in version 0.18.0.",
      "id": "PYSEC-2026-2299",
      "modified": "2026-07-13T05:52:25.186969Z",
      "published": "2026-04-02T20:16:25.437Z",
      "references": [
        {
          "type": "ADVISORY",
          "url": "https://github.com/vllm-project/vllm/releases/tag/v0.18.0"
        },
        {
          "type": "ADVISORY",
          "url": "https://github.com/vllm-project/vllm/security/advisories/GHSA-6c4r-fmh3-7rh8"
        },
        {
          "type": "REPORT",
          "url": "https://github.com/vllm-project/vllm/pull/37058"
        },
        {
          "type": "FIX",
          "url": "https://github.com/vllm-project/vllm/commit/c7f98b4d0a63b32ed939e2b6dfaa8a626e9b46c4"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
          "type": "CVSS_V3"
        }
      ]
    }