Ollama, a local large language model (LLM) runtime, was detected on the remote host via its HTTP API.

By default, Ollama binds only to localhost (127.0.0.1) and does not provide built-in authentication. Detecting it on a network-accessible interface indicates that the configuration has been changed to bind to a non-loopback address (e.g. by setting OLLAMA_HOST=0.0.0.0), exposing the full API to unauthenticated users.

An unauthenticated attacker with network access can:

  - Run arbitrary LLM inference queries, consuming GPU and compute resources

  - List, pull, and delete models

  - Exfiltrate proprietary or fine-tuned model data

  - Use the instance as an anonymous AI proxy

The version of Zed installed on the remote host is prior to 0.224.4. It is, therefore, affected by multiple vulnerabilities:

  - A Zip Slip path traversal vulnerability exists in the extension archive extraction functionality. The extract_zip()     function fails to validate ZIP entry filenames for path traversal sequences, allowing a malicious extension to write     files outside its designated sandbox directory by downloading and extracting a crafted ZIP archive.
    (CVE-2026-27800)

  - A path traversal vulnerability exists in the extension installer tar extractor. The tar extractor creates symlinks     from the archive without validation, and the path guard only performs lexical prefix checks without resolving     symlinks. An attacker can ship a tar that creates a symlink inside the extension workdir pointing outside, then     writes files through the symlink, causing writes to arbitrary host paths. This escapes the extension sandbox and     enables code execution. (CVE-2026-27976)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of the BentoML library installed on the remote host is prior to 1.4.36. It is, therefore, affected by an arbitrary file write vulnerability:

  - The safe_extract_tarfile() function validates that each tar member's path is within the destination     directory, but for symlink members it only validates the symlink's own path, not the symlink's target.
    An attacker can create a malicious bento/model tar file containing a symlink pointing outside the     extraction directory, followed by a regular file that writes through the symlink, achieving arbitrary     file write on the host filesystem. (CVE-2026-27905)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Zed, a fast, collaborative code editor built in Rust, is installed on the remote Linux host.

Zed, a fast, collaborative code editor built in Rust, is installed on the remote macOS host.

Zed, a fast, collaborative code editor built in Rust, is installed on the remote Windows host.

The version of Zed installed on the remote host is prior to 0.225.9. It is, therefore, affected by a symlink escape vulnerability:

  - A symlink escape vulnerability exists in the Zed Agent file tools (read_file, edit_file) that allows reading and     writing files outside the project directory when a project contains symbolic links pointing to external paths. This     bypasses the intended workspace boundary and privacy protections, potentially leaking sensitive user data to the     LLM. (CVE-2026-27967)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of MLflow installed on the remote host is prior to 3.8.0. It is, therefore, affected by an authentication bypass vulnerability:

  - A use of default password vulnerability exists in the basic_auth.ini file. The file     contains hard-coded default credentials that allow remote, unauthenticated attackers     to bypass authentication and execute arbitrary code in the context of the     administrator. (CVE-2026-2635)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.2.15. It is, therefore, affected by multiple vulnerabilities, including:

  - A configuration injection issue in the Docker tool sandbox could allow dangerous Docker options such as bind mounts,     host networking, and unconfined profiles to be applied, enabling container escape or host data access.
    (CVE-2026-27002)

  - The current working directory path was embedded into the agent system prompt without sanitization, allowing prompt     injection via crafted directory names containing control or format characters. (CVE-2026-27001)

  - A bug in download skill installation allowed targetDir values from skill frontmatter to resolve outside the per-skill     tools directory, potentially writing files outside the intended install sandbox. (CVE-2026-27008)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.2.14. It is, therefore, affected by multiple vulnerabilities, including:

  - A command injection in the maintainer clawtributors updater script allowed arbitrary command execution via crafted     git commit author metadata. (CVE-2026-26323)

  - The Gateway tool accepted a tool-supplied gatewayUrl without sufficient restrictions, enabling SSRF via outbound     WebSocket connections to user-specified targets. (CVE-2026-26322)

  - The optional Telnyx webhook handler could accept unsigned inbound webhook requests when telnyx.publicKey is not     configured, allowing unauthenticated callers to forge Telnyx events. (CVE-2026-26319)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of the OpenClaw AI assistant installed on the remote macOS host is 2026.2.6 or later but prior to 2026.2.14. It is, therefore, affected by a remote code execution vulnerability:

  - The OpenClaw macOS desktop client registers the openclaw:// URL scheme. For openclaw://agent deep links without an     unattended key, the app shows a confirmation dialog that only displays the first 240 characters of the message but     executes the full message after the user clicks Run. An attacker could pad the message with whitespace to push a     malicious payload outside the visible preview, increasing the chance a user approves a different message than the     one that is actually executed. (CVE-2026-26320)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.2.13. It is, therefore, affected by multiple vulnerabilities:

  - The optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the     TCP peer address being loopback, even when the configured webhook secret was missing or incorrect.
    (CVE-2026-26316)

  - Browser download helpers accepted an unsanitized output path, allowing path traversal to write downloads outside     the intended temp downloads directory when invoked via browser control gateway routes. (CVE-2026-26972)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.2.3. It is, therefore, affected by a prompt injection vulnerability:

  - When the Slack integration is enabled, channel metadata (topic/description) can be incorporated into the model's     system prompt, allowing untrusted Slack channel metadata to be treated as higher-trust system input.
    (CVE-2026-24764)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.2.1. It is, therefore, affected by an authentication bypass vulnerability:

  - If channels.telegram.webhookSecret is not set when in Telegram webhook mode, OpenClaw may accept webhook HTTP     requests without verifying Telegram's secret token header, allowing forged Telegram updates that could lead to     unintended bot actions. (CVE-2026-25474)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Cursor installed on the remote host is prior to 2.5. It is, therefore, affected by a remote code execution vulnerability:

  - A malicious agent (ie prompt injection) could write to improperly protected .git settings, including git hooks,     which may cause out-of-sandbox remote code execution next time they are triggered. No user interaction was required     as Git executes these commands automatically. (CVE-2026-26268)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of the BentoML library installed on the remote host is prior to 1.4.34. It is, therefore, affected by a path traversal vulnerability:

  - BentoML's bentofile.yaml configuration allows path traversal attacks through multiple file path     fields (description, docker.setup_script, docker.dockerfile_template, conda.environment_yml). An     attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files     from the filesystem into the bento archive. This enables supply chain attacks where sensitive files     (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when     pushed to registries or deployed. (CVE-2026-24123)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.1.20. It is, therefore, affected by a command injection vulnerability:

  - An unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set     unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user.
    (CVE-2026-25593)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.1.30. It is, therefore, affected by a path traversal vulnerability:

  - The isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home     directory paths, and directory traversal sequences. An agent can read any file on the system by outputting     MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. (CVE-2026-25475)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.1.29. It is, therefore, affected by multiple vulnerabilities:

  - A command injection vulnerability exists in OpenClaw's Docker sandbox execution mechanism due to unsafe     handling of the PATH environment variable when constructing shell commands. An authenticated user able to     control environment variables could influence command execution within the container context.
    (CVE-2026-24763)

  - The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project     path in an error message. When the cd command failed, the unescaped path was interpolated directly into an     echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function     did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like
    -oProxyCommand=... would be interpreted as an SSH configuration flag rather than a hostname, allowing     arbitrary command execution on the local machine. (CVE-2026-25157)

  - OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and     automatically makes a WebSocket connection without prompting, sending a token value. (CVE-2026-25253)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The OpenClaw AI assistant is installed on the remote host.

Note that enabling the 'Perform thorough tests' setting will search the file system for the product.

The remote host has a version of figma-developer-mcp prior to 0.6.3.  A command injection vulnerability exists in the figma-developer-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

One or more known MCP JSON config files were detected on the remote Windows host. These files may contain sensitive configuration or credential information. Sensitive values in the output have been redacted.

The version of Cursor installed on the remote host is prior to 1.7. It is, therefore, affected by a remote code execution vulnerability. Versions 1.6.23 and below contain case-sensitive checks in the way Cursor IDE protects its sensitive files (e.g., */.cursor/mcp.json), which allows attackers to modify the content of these files through prompt injection and achieve remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive fileystems. 

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Google Gemini CLI, a Node.js package providing CLI support for Google's artificial intelligence, is installed on the remote host.

Note that enabling the 'Perform thorough tests' setting will search the file system for the product.

One or more known MCP JSON config files were detected on the remote macOS host. These files may contain sensitive configuration or credential information. Sensitive values in the output have been redacted.

The version of Ollama installed on the remote host is 0.9.6 or earlier. It is, therefore, affected by a vulnerability. Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.9.6 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Ollama installed on the remote host is prior or equal to 0.3.3. It is, therefore, affected by a vulnerability. A divide by zero vulnerability exists in ollama/ollama version v0.3.3. The vulnerability occurs when importing GGUF models with a crafted type for `block_count` in the Modelfile. This can lead to a denial of service (DoS) condition when the server processes the model, causing it to crash.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Cursor installed on the remote host is prior to 1.2.4. It is, therefore, affected by a remote code execution vulnerability. Attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or allows an attacker has arbitrary file-write locally, the attacker can achieve arbitrary code execution. 

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Cursor installed on the remote host is 1.2.1 or prior. It is, therefore, affected by a remote code execution vulnerability. An attacker could achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker could silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

A MCP Server using Server Sent Events (SSE) was detected on the remote host.

An Model Context Protocol Python library is installed on the remote host. 

Note that Nessus has relied upon on the application's self-reported version number.

The remote host has a 'ModelContextProtocol' with a Verified NuGet package status and is installed on the remote host.

Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of the BentoML library installed on the remote host has an arbitrary code execution vulnerability. BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to 1.4.8, there was an insecure deserialization in BentoML's runner server. By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server, which will grant the attackers to have the initial access and information disclosure on the server.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Ollama is installed on the remote Windows host.

The version of Ollama installed on the remote host is prior or equal to 0.3.14. It is, therefore, affected by multiple vulnerabilities, including the following:

  - A vulnerability in ollama/ollama versions <=0.3.14 allows a malicious user to upload and create a customized     GGUF model file on the Ollama server. This can lead to a division by zero error in the ggufPadding     function, causing the server to crash and resulting in a Denial of Service (DoS) attack. (CVE-2025-0317)     
  - A vulnerability in ollama/ollama <=0.3.14 allows a malicious user to create a customized GGUF model file,     upload it to the Ollama server, and create it. This can cause the server to allocate unlimited memory,     leading to a Denial of Service (DoS) attack. (CVE-2025-0315)

  - A vulnerability in Ollama versions <=0.3.14 allows a malicious user to create a customized gguf model     file that can be uploaded to the public Ollama server. When the server processes this malicious model,     it crashes, leading to a Denial of Service (DoS) attack. The root cause of the issue is an out-of-bounds     read in the gguf.go file. (CVE-2024-12055)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Ollama is installed on the remote Linux host.

The remote web server hosts Gradio UI web application

Granola, an app that uses AI to create meeting notes, is installed on the remote macOS host.

The version of Gradio installed on the remote host is prior to 4.19.2. It is, therefore, affected by a Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio which allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete the system's disk space, potentially leading to a denial of service. This issue affects the file upload functionality as implemented in gradio/routes.py.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An Gradio Python library is installed on the remote host. 

Note that Nessus has relied upon on the application's self-reported version number.

The version of Gradio installed on the remote host is prior to 4.13.0. It is, therefore, affected by a local file access vulnerability. An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables.

  Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Gradio installed on the remote host is prior to 4.19.2. It is, therefore, affected by a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the `/queue/join` endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing attackers to redirect file uploads to unintended locations on the server.

  Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Gradio installed on the remote host is prior to 4.18.0. It is, therefore, affected by an SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exploit this vulnerability by manipulating the `self.replica_urls` set through the `X-Direct-Url` header in requests to the `/` and `/config` routes, allowing the addition of arbitrary URLs for proxying. This flaw enables unauthorized proxying of requests and potential access to internal endpoints within the Hugging Face space. The issue arises from the application's inadequate checking of safe URLs in the `build_proxy_request` function.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Gradio installed on the remote host is prior to 4.42.0. It is, therefore, affected by a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the save_url_to_cache function, there are no restrictions on the URL, which allows access to local target resources. This can lead to the download of local resources and sensitive information.

    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of LangChain installed on the remote host is prior to 0.2.5. It is, therefore, affected by a Denial-of-Service (DoS) vulnerability in the `SitemapLoader` class. The `parse_sitemap` method, responsible for parsing sitemaps and extracting URLs, lacks a mechanism to prevent infinite recursion when a sitemap URL refers to the current sitemap itself. This oversight allows for the possibility of an infinite loop, leading to a crash by exceeding the maximum recursion depth in Python. This vulnerability can be exploited to occupy server socket/port resources and crash the Python process, impacting the availability of services relying on this functionality.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of LangChain installed on the remote host is prior to 0.2.5. It is, therefore, affected by a   path traversal vulnerability which exists in the `getFullPath` method. This vulnerability allows attackers   to save files anywhere in the filesystem, overwrite existing text files, read `.txt` files, and delete   files. The vulnerability is exploited through the `setFileContent`,  `getParsedFile`, and `mdelete`   methods, which do not properly sanitize user input.

  Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of LangChain installed on the remote host is prior to 0.1.35. It is, therefore, affected by a XML External Entity (XXE) vulnerability in the langchain-ai/langchain repository allows for a Billion Laughs Attack, a type of XML External Entity (XXE) exploitation. By nesting multiple layers of entities within an XML document, an attacker can cause the XML parser to consume excessive CPU and memory resources, leading to a denial of service (DoS).

    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of LangChain installed on the remote host is prior to 0.0.27. It is, therefore, affected by a server-side request forgery (SSRF) vulnerability in the function load_local in the library libs/community/langchain_community/retrievers/tfidf.py of the component TFIDFRetriever. 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Severity
302134	Ollama Unauthenticated Access	critical
300838	Zed < 0.224.4 Multiple Path Traversal Vulnerabilities	high
300821	BentoML < 1.4.36 Arbitrary File Write	high
300258	Zed Installed (Linux)	info
300257	Zed Installed (macOS)	info
300256	Zed Installed (Windows)	info
300255	Zed < 0.225.9 Symlink Escape (CVE-2026-27967)	high
299880	MLflow < 3.8.0 Authentication Bypass (ZDI-26-111)	critical
299798	OpenClaw < 2026.2.15 Multiple Vulnerabilities	high
299797	OpenClaw < 2026.2.14 Multiple Vulnerabilities	high
299796	OpenClaw 2026.2.6 < 2026.2.14 Deep Link Message Truncation (macOS) (GHSA-7q2j-c4q5-rm27)	high
299795	OpenClaw < 2026.2.13 Multiple Vulnerabilities	high
299794	OpenClaw < 2026.2.3 Prompt Injection (GHSA-782p-5fr5-7fj8)	low
299793	OpenClaw < 2026.2.1 Authentication Bypass (GHSA-mp5h-m6qj-6292)	high
299665	Cursor < 2.5 RCE (GHSA-8pcm-8jpx-hv8r)	critical
298466	BentoML < 1.4.34 Path Traversal	medium
298465	OpenClaw < 2026.1.20 Command Injection (GHSA-g55j-c2v4-pjcg)	high
298450	OpenClaw < 2026.1.30 Path Traversal (GHSA-r8g4-86fx-92mq)	medium
297816	OpenClaw < 2026.1.29 Multiple Vulnerabilities	high
297108	OpenClaw AI Assistant Installed	info
271839	Figma Developer MCP < 0.6.3 RCE (GHSA-gxw4-4fc5-9gr5)	high
271266	MCP JSON Config Detected (Windows)	info
270574	Cursor < 1.7 RCE (GHSA-xcwh-rrwj-gxc7)	high
265760	Google Gemini CLI Installed (macOS)	info
265759	Google Gemini CLI Installed (Windows)	info
265758	Google Gemini CLI Installed (Linux/UNIX)	info
252964	MCP JSON Config Detected (macOS)	info
250293	Ollama <= 0.9.6 Cross-Domain Token Exposure	medium
250292	Ollama <= 0.3.3 DoS	high
243972	Cursor < 1.2.4 RCE (GHSA-24mc-g4xr-4395)	high
243971	Cursor <= 1.2.1 RCE (GHSA-4cxx-hrm3-49rm)	high
243280	MCP Server using Server Sent Events Detected	info
241433	Model Context Protocol (MCP) Python Library Detection	info
241432	NuGet Package 'ModelContextProtocol' Detection	info
235353	BentoML 1.x < 1.4.8 Arbitrary Code Execution	critical
233770	Ollama Installed (Windows)	info
233434	Ollama <= 0.3.14 Multiple Vulnerabilities	high
233180	Ollama Installed (Linux)	info
232290	Gradio UI Detection	info
214856	Granola Installed (macOS)	info
213711	Gradio < 4.19.2 CSRF	medium
213710	Gradio Detection	info
213709	Gradio < 4.13.0 Local File Access	high
213708	Gradio < 4.19.2 Vulnerability - CVE-2024-1728	high
213707	Gradio < 4.18.0 Vulnerability - CVE-2024-2206	medium
213706	Gradio < 4.42.0 SSRF	medium
213567	LangChain < 0.2.5 DoS	medium
213566	LangChain < 0.2.5 Arbitrary File Write	critical
213565	LangChain < 0.1.35 XXE	medium
213564	LangChain < 0.0.27 SSRF	medium

Detections

Analytics

Artificial Intelligence Family for Nessus

critical

high

high

info

info

info

high

critical

high

high

high

high

low

high

critical

medium

high

medium

high

info

high

info

high

info

info

info

info

medium

high

high

high

info

info

info

critical

info

high

info

info

info

medium

info

high

high

medium

medium

medium

critical

medium

medium