Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for LightRAG by HKUDS

    CVE-2026-39413 (GCVE-0-2026-39413)

    Vulnerability from nvd – Published: 2026-04-08 19:41 – Updated: 2026-04-22 15:28
    VLAI
    Title
    LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API
    Summary
    LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    HKUDS LightRAG Affected: < 1.4.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39413",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-08T20:18:28.117904Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-08T20:18:55.606Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-04-22T15:28:31.845Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://github.com/github/advisory-database/issues/7373"
              }
            ],
            "title": "CVE Program Container",
            "x_generator": {
              "engine": "ADPogram 0.0.1"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LightRAG",
              "vendor": "HKUDS",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.4.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying \u0027alg\u0027: \u0027none\u0027 in the JWT header. Since the jwt.decode() call does not explicitly deny the \u0027none\u0027 algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T19:41:23.909Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/HKUDS/LightRAG/security/advisories/GHSA-8ffj-4hx4-9pgf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/HKUDS/LightRAG/security/advisories/GHSA-8ffj-4hx4-9pgf"
            }
          ],
          "source": {
            "advisory": "GHSA-8ffj-4hx4-9pgf",
            "discovery": "UNKNOWN"
          },
          "title": "LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39413",
        "datePublished": "2026-04-08T19:41:23.909Z",
        "dateReserved": "2026-04-07T00:23:30.595Z",
        "dateUpdated": "2026-04-22T15:28:31.845Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-6773 (GCVE-0-2025-6773)

    Vulnerability from nvd – Published: 2025-06-27 19:00 – Updated: 2025-06-27 19:21
    VLAI
    Title
    HKUDS LightRAG File Upload document_routes.py upload_to_input_dir path traversal
    Summary
    A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path traversal. It is possible to launch the attack on the local host. The identifier of the patch is 60777d535b719631680bcf5d0969bdef79ca4eaf. It is recommended to apply a patch to fix this issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    HKUDS LightRAG Affected: 1.3.0
    Affected: 1.3.1
    Affected: 1.3.2
    Affected: 1.3.3
    Affected: 1.3.4
    Affected: 1.3.5
    Affected: 1.3.6
    Affected: 1.3.7
    Affected: 1.3.8
    Create a notification for this product.
    Credits
    Hannibal0x (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-6773",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-27T19:21:17.582848Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-27T19:21:27.100Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "File Upload"
              ],
              "product": "LightRAG",
              "vendor": "HKUDS",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.0"
                },
                {
                  "status": "affected",
                  "version": "1.3.1"
                },
                {
                  "status": "affected",
                  "version": "1.3.2"
                },
                {
                  "status": "affected",
                  "version": "1.3.3"
                },
                {
                  "status": "affected",
                  "version": "1.3.4"
                },
                {
                  "status": "affected",
                  "version": "1.3.5"
                },
                {
                  "status": "affected",
                  "version": "1.3.6"
                },
                {
                  "status": "affected",
                  "version": "1.3.7"
                },
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Hannibal0x (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path traversal. It is possible to launch the attack on the local host. The identifier of the patch is 60777d535b719631680bcf5d0969bdef79ca4eaf. It is recommended to apply a patch to fix this issue."
            },
            {
              "lang": "de",
              "value": "In HKUDS LightRAG bis 1.3.8 wurde eine kritische Schwachstelle ausgemacht. Hierbei betrifft es die Funktion upload_to_input_dir der Datei lightrag/api/routers/document_routes.py der Komponente File Upload. Mittels Manipulieren des Arguments file.filename mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Der Angriff muss lokal angegangen werden. Der Patch wird als 60777d535b719631680bcf5d0969bdef79ca4eaf bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.3,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-27T19:00:17.695Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-314089 | HKUDS LightRAG File Upload document_routes.py upload_to_input_dir path traversal",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.314089"
            },
            {
              "name": "VDB-314089 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.314089"
            },
            {
              "name": "Submit #601276 | HKUDS LightRAG v1.3.8 Path Traversal",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.601276"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/HKUDS/LightRAG/issues/1692"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/HKUDS/LightRAG/issues/1692#issuecomment-3009368235"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/HKUDS/LightRAG/commit/60777d535b719631680bcf5d0969bdef79ca4eaf"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-27T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-06-27T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-06-27T12:27:32.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "HKUDS LightRAG File Upload document_routes.py upload_to_input_dir path traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-6773",
        "datePublished": "2025-06-27T19:00:17.695Z",
        "dateReserved": "2025-06-27T10:22:28.489Z",
        "dateUpdated": "2025-06-27T19:21:27.100Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-39413 (GCVE-0-2026-39413)

    Vulnerability from cvelistv5 – Published: 2026-04-08 19:41 – Updated: 2026-04-22 15:28
    VLAI
    Title
    LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API
    Summary
    LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the jwt.decode() call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-347 - Improper Verification of Cryptographic Signature
    Assigner
    Impacted products
    Vendor Product Version
    HKUDS LightRAG Affected: < 1.4.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-39413",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-08T20:18:28.117904Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-08T20:18:55.606Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2026-04-22T15:28:31.845Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://github.com/github/advisory-database/issues/7373"
              }
            ],
            "title": "CVE Program Container",
            "x_generator": {
              "engine": "ADPogram 0.0.1"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "LightRAG",
              "vendor": "HKUDS",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 1.4.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.4.14, the LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying \u0027alg\u0027: \u0027none\u0027 in the JWT header. Since the jwt.decode() call does not explicitly deny the \u0027none\u0027 algorithm, a crafted token without a signature will be accepted as valid, leading to unauthorized access. This vulnerability is fixed in 1.4.14."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.2,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-347",
                  "description": "CWE-347: Improper Verification of Cryptographic Signature",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T19:41:23.909Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/HKUDS/LightRAG/security/advisories/GHSA-8ffj-4hx4-9pgf",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/HKUDS/LightRAG/security/advisories/GHSA-8ffj-4hx4-9pgf"
            }
          ],
          "source": {
            "advisory": "GHSA-8ffj-4hx4-9pgf",
            "discovery": "UNKNOWN"
          },
          "title": "LightRAG has a JWT Algorithm Confusion Vulnerability in LightRAG API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-39413",
        "datePublished": "2026-04-08T19:41:23.909Z",
        "dateReserved": "2026-04-07T00:23:30.595Z",
        "dateUpdated": "2026-04-22T15:28:31.845Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-6773 (GCVE-0-2025-6773)

    Vulnerability from cvelistv5 – Published: 2025-06-27 19:00 – Updated: 2025-06-27 19:21
    VLAI
    Title
    HKUDS LightRAG File Upload document_routes.py upload_to_input_dir path traversal
    Summary
    A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path traversal. It is possible to launch the attack on the local host. The identifier of the patch is 60777d535b719631680bcf5d0969bdef79ca4eaf. It is recommended to apply a patch to fix this issue.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    HKUDS LightRAG Affected: 1.3.0
    Affected: 1.3.1
    Affected: 1.3.2
    Affected: 1.3.3
    Affected: 1.3.4
    Affected: 1.3.5
    Affected: 1.3.6
    Affected: 1.3.7
    Affected: 1.3.8
    Create a notification for this product.
    Credits
    Hannibal0x (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-6773",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-27T19:21:17.582848Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-27T19:21:27.100Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "File Upload"
              ],
              "product": "LightRAG",
              "vendor": "HKUDS",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.3.0"
                },
                {
                  "status": "affected",
                  "version": "1.3.1"
                },
                {
                  "status": "affected",
                  "version": "1.3.2"
                },
                {
                  "status": "affected",
                  "version": "1.3.3"
                },
                {
                  "status": "affected",
                  "version": "1.3.4"
                },
                {
                  "status": "affected",
                  "version": "1.3.5"
                },
                {
                  "status": "affected",
                  "version": "1.3.6"
                },
                {
                  "status": "affected",
                  "version": "1.3.7"
                },
                {
                  "status": "affected",
                  "version": "1.3.8"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Hannibal0x (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path traversal. It is possible to launch the attack on the local host. The identifier of the patch is 60777d535b719631680bcf5d0969bdef79ca4eaf. It is recommended to apply a patch to fix this issue."
            },
            {
              "lang": "de",
              "value": "In HKUDS LightRAG bis 1.3.8 wurde eine kritische Schwachstelle ausgemacht. Hierbei betrifft es die Funktion upload_to_input_dir der Datei lightrag/api/routers/document_routes.py der Komponente File Upload. Mittels Manipulieren des Arguments file.filename mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Der Angriff muss lokal angegangen werden. Der Patch wird als 60777d535b719631680bcf5d0969bdef79ca4eaf bezeichnet. Als bestm\u00f6gliche Massnahme wird Patching empfohlen."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.3,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-06-27T19:00:17.695Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-314089 | HKUDS LightRAG File Upload document_routes.py upload_to_input_dir path traversal",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/?id.314089"
            },
            {
              "name": "VDB-314089 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/?ctiid.314089"
            },
            {
              "name": "Submit #601276 | HKUDS LightRAG v1.3.8 Path Traversal",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/?submit.601276"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/HKUDS/LightRAG/issues/1692"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/HKUDS/LightRAG/issues/1692#issuecomment-3009368235"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/HKUDS/LightRAG/commit/60777d535b719631680bcf5d0969bdef79ca4eaf"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-27T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2025-06-27T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2025-06-27T12:27:32.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "HKUDS LightRAG File Upload document_routes.py upload_to_input_dir path traversal"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2025-6773",
        "datePublished": "2025-06-27T19:00:17.695Z",
        "dateReserved": "2025-06-27T10:22:28.489Z",
        "dateUpdated": "2025-06-27T19:21:27.100Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }