Intercom is a solution to build & deploy AI customer experiences. If the identity verification is not enabled, an attacker can impersonate an other user and access to the previous conversations and data. This detection is included in the AI and LLM category.

H2O Flow is an open-source user interface for H2O, an open-source, distributed and scalable machine learning and predictive analytics platform. By default, H2O Flow does not require authentication to access the application. This allows an attacker to access sensitive data. This detection is included in the AI and LLM category.

This is an informational notice that the scanner was able to detect the exposition of tools on the target Model Context Protocol (MCP) server.

According to its banner, the version of Flowise running on the remote host is < 3.0.6. It is, therefore, affected by multiple vulnerabilities :

- An Unauthenticated Password Reset Token Disclosure

- A Server-Side Request Forgery vulnerability in the /api/v1/fetch-links endpoint

- A Remote Code Execution through CustomMCP node

- An unauthenticated Arbitrary File Read vulnerability through the chatId parameter supplied to both the /api/v1/get-upload-file and /api/v1/openai-assistants-file/download endpoints

- A Remote Code Execution through the Supabase RPC Filter component

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Lunary instance on the target application. Lunary is an observability, prompt management and evaluations platform. This detection is included in the AI and LLM category.

The scanner detected the presence of a Large Language Model (LLM) on the target application. LLMs are advanced AI models capable of understanding and generating human-like text based on the input they receive. They are commonly used in various applications, including chatbots, virtual assistants, content generation, and more.

The presence of an LLM can introduce unique security considerations, such as data privacy concerns, potential for generating misleading or harmful content, and vulnerabilities specific to AI models.

This detection is included in the AI and LLM category.

According to its banner, the version of Langflow running on the remote host is prior to 1.5.1. It is, therefore, affected by a Privilege Escalation vulnerability that allows an authenticated user with RCE access to create a new administrative user.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of NVIDIA Triton running on the remote host is < 25.07. It is, therefore, affected by multiples vulnerabilities :

- Multiples stack buffer overflow through specially crafted request.

- Multiples remote code execution vulnerabilities through specially crafted request.

- An information disclosure through a very large request

- Multiples denial of service vulnerabilities through specially crafted request.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible NVIDIA Triton instance on the target application. NVIDIA Triton provides an optimized cloud and edge inferencing solution. This detection is included in the AI and LLM category.

According to its banner, the version of ClearML running on the remote host is < 1.16.0. It is, therefore, affected by an Unauthenticated File Access due to the lack of authentication of the fileserver component.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible ClearML instance on the target application. ClearML is an infrastructure platform for AI builders. This detection is included in the AI and LLM category.

According to its banner, the version of BentoML running on the remote host is 1.4.x < 1.4.8. It is, therefore, affected by a Server-Side Request Forgery (SSRF) vulnerability in File Upload Processing. "According to its banner, the version of ZenML hosted on the remote is, affected by an Insufficient Session Expiration.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of ZenML running on the remote host is < 0.57.0. It is, therefore, affected by an Account Takeover due to the lack of rate-limiting in the password change function.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of BentoML running on the remote host is 1.3.4 < 1.4.3. It is, therefore, affected by an Insecure Deserialization vulnerability through data flow analysis

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of BentoML running on the remote host is 1.x < 1.4.8. It is, therefore, affected by an Insecure Deserialization vulnerability.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of BentoML running on the remote host is 1.4.x < 1.4.8. It is, therefore, affected by a Server-Side Request Forgery (SSRF) vulnerability in File Upload Processing.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Model Context Protocol (MCP) Server Prompt Injection occurs when malicious actors use tools response to inject malicious prompts to the calling LLM through the MCP client. This can lead to the execution of unauthorized commands, data corruption, or the deployment of malicious tools. Such vulnerabilities are particularly dangerous in AI development environments, where malicious tools can compromise the integrity of the development process and lead to further exploitation. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible BentoML instance on the target application. BentoML is an open-source inference platform. This detection is included in the AI and LLM category.

Model Context Protocol (MCP) Server Tool Poisoning occurs when malicious actors manipulate tool configurations or metadata on a malicious MCP server. This can lead to the execution of unauthorized commands, data corruption, or the deployment of malicious tools. Such vulnerabilities are particularly dangerous in AI development environments, where poisoned tools can compromise the integrity of the development process and lead to further exploitation. This detection is included in the AI and LLM category.

According to the self-reported version number, the version of MCP Inspector hosted on the remote is affected by a Remote Code Execution vulnerability.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This detection is included in the AI and LLM category.

DocsGPT is vulnerable to an attack allowing an unauthenticated attacker to execute arbitrary code via a specially forged request on the '/api/remote' endpoint. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible DocsGPT instance on the target application. DocsGPT is an open-source genAI tool that helps users get answers from knowledge source. This detection is included in the AI and LLM category.

ModelContextProtocol (MCP) servers using SSE (Server-Sent Events) transport mode are prone to DNS rebinding attacks when they do not enforce strict verification of both the 'Origin' and 'Host' headers. This vulnerability allows an attacker to bypass same-origin policies, potentially leading to unauthorized access to sensitive data or actions on behalf of the user in the context of the vulnerable MCP server.

This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible 'llms.txt' file on the target application. The 'llms.txt' file is a proposal designed to provide LLM-friendly content written in markdown for LLMs usage. This detection is included in the AI and LLM category.

This is an informational notice that the scanner was able to detect a Model Context Protocol (MCP) server available without authentication on the target server. When available, the plugin provides the list of tools, prompts and resources in the attachments.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Drift chatbot on the target application. Drift is a solution to build & deploy AI customer experiences. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Intercom chatbot on the target application. Intercom is a solution to build & deploy AI customer experiences. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Livechat chatbot on the target application. Livechat is a solution to build & deploy AI customer experiences. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Dialogflow chatbot on the target application. Google Dialogflow is a natural language understanding platform to help developers building conversational user interfaces. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Typebot chatbot on the target application. Typebot is an open-source chatbot builder. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Azure Bot Framework chatbot on the target application. Azure Bot Framework is a solution to build & deploy AI customer experiences. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Voiceflow chatbot on the target application. Voiceflow is a solution to build & deploy AI customer experiences. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Botpress chatbot on the target application. Botpress is an open-source visual framework to build & deploy GPT/LLM Agents. This detection is included in the AI and LLM category.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible Langflow chatbot on the target application. Langflow is an open-source visual framework for building multi-agent and RAG. This detection is included in the AI and LLM category.

Label Studio versions prior to 1.18.0 are vulnerable to a Reflected Cross-Site Scripting on '/projects/upload-example/' endpoint. This detection is included in the AI and LLM category.

This is an informational notice that the scanner was able to detect an MCP (Model Context Procol) Inspector instance on the target server.

This is an informational notice that the scanner was able to detect an MCP (Model Context Procol) manifest on the target server.

This is an informational notice that the scanner was able to detect an Agent2Agent (A2A) card on the target server.

This is an informational notice that the scanner was able to detect a Model Context Protocol (MCP) HTTP server (using SSE or Streamable-HTTP transport mode) on the target server.

Langflow is vulnerable to an attack allowing an unauthenticated attacker to execute arbitrary code via a specially forged request on the '/api/v1/validate/code' endpoint. This detection is included in the AI and LLM category.

Flowise is vulnerable to an attack allowing an unauthenticated attacker to upload an arbitrary file. This detection is included in the AI and LLM category.

Note that this plugin requires the 'File Upload' assessment option enabled in the scan configuration.

LiteLLM applies an authentication system with credentials that could have been suggested from the documentation. If these credentials are not modified, an attacker could access LiteLLM's interface and perform arbitrary actions. This detection is included in the AI and LLM category.

According to its self-reported version, the instance of LiteLLM running on the remote web server is prior to 1.48.18. It is, therefore, affected by a Server-Side Request Forgery vulnerability in the chat completion.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible LiteLLM instance on the target application. LiteLLM is a LLM Gateway to provide model access in the OpenAI format. This detection is included in the AI and LLM category.

According to the self-reported version in its response header, the version of LobeChat hosted on the remote web server is prior to 0.122.4. It is, therefore, affected by an Improper Access Control allowing access plugins without proper authorization.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the self-reported version in its response header, the version of LobeChat hosted on the remote web server is prior to 0.150.6. It is, therefore, affected by a Server-Side Request Forgery through agent proxy configuration.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the self-reported version in its response header, the version of LobeChat hosted on the remote web server is prior to 0.162.25. It is, therefore, affected by a Sensitive Data Exposure through SSO/Access Code.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the self-reported version in its response header, the version of LobeChat hosted on the remote web server is prior to 1.19.13. It is, therefore, affected by multiples Server-Side Request Forgery :

 - A Server-Side Request Forgery through proxy address

 - A Server-Side Request Forgery through through a bypass of a previous fix

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

This is an informational plugin to inform the user that the scanner has detected a publicly accessible LobeChat instance on the target application. LobeChat is an open-source, AI chat framework that supports multi AI providers. This detection is included in the AI and LLM category.

Danswer version prior to 0.10.0-beta.1 suffers from an Insecure Direct Object Reference allowing an unauthenticated attacker to access messages and attached files via a specially forged request. This detection is included in the AI and LLM category.

ID	Name	Severity
115001	Intercom Chatbot Misconfiguration	medium
114969	H2O Flow Unauthenticated Access	critical
114965	MCP Server Tools Detected	info
114963	Flowise < 3.0.6 Multiples Vulnerabilities	critical
114962	Lunary Detected	info
114959	LLM Detected	info
114949	Langflow < 1.5.1 Privilege Escalation	high
114941	NVIDIA Triton < 25.07 Multiple Vulnerabilities	critical
114940	NVIDIA Triton Detected	info
114939	ClearML < 1.16.0 Unauthenticated File Access	critical
114938	ClearML Detected	info
114937	ZenML Insufficient Session Expiration	low
114936	ZenML < 0.57.0 Account Takeover	medium
114934	BentoML 1.3.4 < 1.4.3 Insecure Deserialization	critical
114933	BentoML 1.x < 1.4.8 Insecure Deserialization	critical
114932	BentoML 1.4.x < 1.4.19 Server-Side Request Forgery	critical
114928	MCP Server Prompt Injection	high
114927	BentoML Detected	info
114921	MCP Server Tool Poisoning	high
114906	MCP Inspector < 0.14.1 Remote Code Execution	critical
114905	DocsGPT 0.8.1 < 0.13.0 Unauthenticated Remote Code Execution	critical
114904	DocsGPT Detected	info
114885	MCP Server SSE DNS Rebinding	medium
114883	Llms.txt File Detected	info
114791	MCP Server Unauthenticated Access	info
114881	Drift Chatbot Detected	info
114880	Intercom Chatbot Detected	info
114879	Livechat Chatbot Detected	info
114878	Dialogflow Chatbot Detected	info
114874	Typebot Chatbot Detected	info
114873	Azure Bot Framework Chatbot Detected	info
114872	Voiceflow Chatbot Detected	info
114871	Botpress Chatbot Detected	info
114870	Langflow Chatbot Detected	info
114798	Label Studio < 1.18.0 Reflected Cross-Site Scripting	high
114797	MCP Inspector Detected	info
114793	MCP Manifest Detected	info
114792	Agent2Agent (A2A) Card Detected	info
114790	MCP Server Detected	info
114668	Langflow < 1.3.0 Unauthenticated Remote Code Execution	critical
114667	FlowiseAI Arbitrary File Upload	critical
114625	LiteLLM Default Credentials	critical
114623	LiteLLM < 1.48.18 Server-Side Request Forgery	high
114622	LiteLLM Detected	info
114589	LobeChat < 0.122.4 Improper Access Control	medium
114588	LobeChat < 0.150.6 Server-Side Request Forgery	critical
114587	LobeChat < 0.162.25 Sensitive Data Exposure	medium
114586	LobeChat < 1.19.13 Server-Side Request Forgery	high
114585	LobeChat Detected	info
114467	Danswer < 0.10.0-beta.1 Insecure Direct Object Reference	medium

Detections

Analytics

Artificial Intelligence Family for Web App Scanning

medium

critical

info

critical

info

info

high

critical

info

critical

info

low

medium

critical

critical

critical

high

info

high

critical

critical

info

medium

info

info

info

info

info

info

info

info

info

info

info

high

info

info

info

info

critical

critical

critical

high

info

medium

critical

medium

high

info

medium