SCA: security update for vllm (GHSA-qh4c-xf7m-gxfc)

high Tenable Cloud Security Plugin ID 437353

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a
Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM
project's multimodal feature set. The load_from_url and load_from_url_async methods obtain and process
media from URLs provided by users, using different Python parsing libraries when restricting the target
host. These two parsing libraries have different interpretations of backslashes, which allows the host
name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary
requests to internal network resources. This vulnerability is particularly critical in containerized
environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network,
interact with other pods, and potentially cause denial of service or access sensitive data. For example,
an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint,
leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1
contains a patch for the issue. (CVE-2026-24779)

See Also

https://github.com/advisories/GHSA-qh4c-xf7m-gxfc

Plugin Details

Severity: High

ID: 437353

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/28/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 51.98

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:P

CVSS Score Source: CVE-2026-24779

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/28/2026

Vulnerability Publication Date: 1/27/2026

Reference Information

CVE: CVE-2026-24779

cwe: CWE-918