The video proxy endpoint GET /v1/videos/:task_id/content is vulnerable to an Insecure Direct Object Reference (IDOR). Any authenticated user who knows another user's task_id can retrieve that user's generated video content because the handler queries tasks by task_id alone and does not verify ownership.
A logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion.
A potential unsafe operation occurs in component MarkdownRenderer.jsx, allowing for Cross-Site Scripting(XSS) when the model outputs items containing <script> tag.
A SQL LIKE wildcard injection vulnerability in the /api/token/search endpoint allows authenticated users to cause Denial of Service through resource exhaustion by crafting malicious search patterns.
A recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur. Because the existing fix only applies security restrictions to the first URL request, a 302 redirect can bypass existing security measures and successfully access the intranet.