Aggregates CVE and security vulnerability intelligence across all thesamur-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk cross-site scripting and related problems; some flaws may lead to vendor impact session compromise, affecting vendor surface software deployment scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-41023 | An authentication bypass vulnerability has been found in Thesamur's AutoGPT. This vulnerability allows an attacker to bypass authentication mechanisms. Once inside the web application, the attacker can use any of its features regardless of the authorisation method used. | [email protected] | 6.9 | 0.42% | 2026-02-19 | 2026-06-17 |
| CVE-2025-0747 | A Stored Cross-Site Scripting vulnerability has been found in EmbedAI. This vulnerability allows an authenticated attacker to inject a malicious JavaScript code into a message that will be executed when a user opens the chat. | [email protected] | 8.6 | 0.22% | 2025-01-30 | 2026-06-17 |
| CVE-2025-0746 | A Reflected Cross-Site Scripting vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to craft a malicious URL leveraging the"/embedai/users/show/<SCRIPT>" endpoint to inject the malicious JavaScript code. This JavaScript code will be executed when a user opens the malicious URL. | [email protected] | 6.1 | 0.20% | 2025-01-30 | 2026-06-17 |
| CVE-2025-0745 | An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain the backups of the database by requesting the "/embedai/app/uploads/database/<SQL_FILE>" endpoint. | [email protected] | 7.5 | 0.29% | 2025-01-30 | 2026-06-17 |
| CVE-2025-0744 | an Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker change his subscription plan without paying by making a POST request changing the parameters of the "/demos/embedai/pmt_cash_on_delivery/pay" endpoint. | [email protected] | 7.5 | 0.25% | 2025-01-30 | 2026-06-17 |
| CVE-2025-0743 | An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to leverage the endpoint "/embedai/visits/show/<VISIT_ID>" to obtain information about the visits made by other users. The information provided by this endpoint includes IP address, userAgent and location of the user that visited the web page. | [email protected] | 5.3 | 0.32% | 2025-01-30 | 2026-06-17 |
| CVE-2025-0742 | An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain files stored by others users by changing the "FILE_ID" of the endpoint "/embedai/files/show/<FILE_ID>". | [email protected] | 5.8 | 0.26% | 2025-01-30 | 2026-06-17 |
| CVE-2025-0741 | An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to write messages into other users chat by changing the parameter "chat_id" of the POST request "/embedai/chats/send_message". | [email protected] | 5.8 | 0.22% | 2025-01-30 | 2026-06-17 |
| CVE-2025-0740 | An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to obtain chat messages belonging to other users by changing the “CHAT_ID” of the endpoint "/embedai/chats/load_messages?chat_id=<CHAT_ID>". | [email protected] | 8.6 | 0.31% | 2025-01-30 | 2026-06-17 |
| CVE-2025-0739 | An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to show subscription's information of others users by changing the "SUSCBRIPTION_ID" param of the endpoint "/demos/embedai/subscriptions/show/<SUSCBRIPTION_ID>". | [email protected] | 8.6 | 0.31% | 2025-01-30 | 2026-06-17 |