CVE-2026-4964 | letta-ai letta 0.16.4 File URL message_helper.py _convert_message_create_to_message ImageContent server-side request forgery

Inserito da Angelo Barbosa | Mar 27, 2026 | CVE

A vulnerability was found in letta-ai letta 0.16.4 and classified as critical. This vulnerability affects the function _convert_message_create_to_message of the file letta/helpers/message_helper.py of the component File URL Handler. Such manipulation of the argument ImageContent leads to server-side request forgery.

This vulnerability is referenced as CVE-2026-4964. It is possible to launch the attack remotely. Furthermore, an exploit is available.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-4964 | letta-ai letta 0.16.4 File URL message_helper.py _convert_message_create_to_message ImageContent server-side request forgery

Post correlati

CVE-2025-46474 | SEUR Oficial Plugin up to 2.2.23 on WordPress Image Parser file inclusion

CVE-2025-9647 | mtons mblog up to 3.5.0 /admin/role/list Name cross site scripting (ICPMNE)

CVE-2025-54461 | NEOJAPAN ChatLuck Guest User insufficient granularity of access control

CVE-2024-13461 | patternsinthecloud Autoship Cloud for WooCommerce Subscription Products Plugin Shortcode autoship-create-scheduled-order-action cross site scripting