Overview

Multiple vulnerabilities were discovered in The Librarian, an AI-powered personal assistant tool provided by the company TheLibrarian.io. The Librarian can be used to manage personal email, calendar, documents, and other information through external services, such as Gmail and Google Drive, and also summarize meetings and schedule emails. The vulnerabilities are among internal tools that The Librarian uses during its normal functions. These tools, view_document, web_fetch, and image_generate, allow an authenticated user * access to the administrative console * internal web crawling and port scanning of the internal infrastructure for thelibrarian.io * disclosure of the internal system prompt for The Librarian

All vulnerabilities have since been fixed by thelibrarian.io, and the tools have now been deprecated.

Description

TheLibrarian.io is an AI company that offers the namesake AI-powered personal assistant tool, "The Librarian". This assistant can perform a variety of services and can integrate with other external applications. Some of these abilities include calendar management, sending email, and document management. Integratable services include Google products such as Gmail and Google Drive.

A series of vulnerabilities have been discovered within The Librarian that enable an attacker to access the internal infrastructure of TheLibrarian.io, including the administrator console and cloud environment. They also permit disclosure of the internal system prompt, web crawling, log access, and viewing of internal processes that infrastructure for TheLibrarian.io is running.

Below is a list of all the vulnerabilities and respective CVE IDs assigned to them.

VU#383552.1 The Librarian image_generation tool can be used to disclose the full system prompt through requesting an image to be generated with the embedded system prompt.

VU#383552.2 The Librarian view_document tool can be used to disclose the full system prompt through requesting the system prompt be appended to a document that is uploaded to the system.

CVE-2026-0612 The Librarian contains a information leakage vulnerability through the web_fetch tool, which can be used to retrieve arbitrary external content provided by an attacker, which can be used to proxy requests through The Librarian infrastructure.

CVE-2026-0613 The Librarian contains an internal port scanning vulnerability, facilitated by the web_fetch tool, which can be used with SSRF-style behavior to perform GET requests to internal IP addresses and services, enabling scanning and metadata retrieval of the Hertzner cloud environment that TheLibrarian uses.

CVE-2026-0615 The Librarian supervisord status page can be retrieved by the web_fetch tool, which can be used to retrieve running processes within The Librarian backend.

CVE-2026-0616 The Librarian's web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log in to the internal backend system of The Librarian.

Impact

An attacker who exploits these vulnerabilities could control a wide variety of aspects of the internal infrastructure for TheLibrarian.io. This could include process control, lateral movement, and credential theft. CVE-2026-0614, CVE-2026-0615, and CVE-2026-0616 are largely responsible for this potential impact. VU#383552.1 to VU#383552.4 allow for exploitation and potential misuse of the capabilities of The Librarian, and could result in jailbreaks or unintended actions by the AI.

Solution

The vendor has stopped the web-fetch tool from being able to retrieve dangerous content. Web-retrieval is now handled by a third-party service. The vendor also stated that: "prompt content is not a secrecy boundary in our threat model" in regard to system prompt disclosure.

Acknowledgements

Thanks to the reporter, Aaron Portnoy of Mindgard.ai. This document was written by Christopher Cullen.

Vendor Information

References

• https://mindgard.ai/blog/thelibrarian-ios-ai-security-disclosure
• https://thelibrarian.io/

Overview

A vulnerability, tracked as CVE-2025-14894, has been discovered within Livewire Filemanager, a tool designed for usage within Laravel applications. The Livewire Filemanager tool allows for users to upload various files, including PHP files, and host them within the Laravel application. When a user uploads a PHP file to the application, it can be accessed and executed by visiting the web-accessible file hosting directory. This enables an attacker to create a malicious PHP file, upload it to the application, then force the application to execute it, enabling unauthenticated arbitrary code execution on the host device.

Description

Livewire Filemanager is a tool designed to be embedded into Laravel applications, allowing for files to be uploaded, stored and managed. Laravel is a PHP framework, intended for web application development. A vulnerability has been discovered within the Livewire Filemanager that enables remote code execution (RCE) by uploading a malicious PHP file. This vulnerability is tracked as CVE-2025-14894, and its description is below:

Livewire Filemanager, commonly used in Laravel applications, contains LivewireFilemanagerComponent.php, which does not perform file type and MIME validation, allowing for RCE through upload of a malicious php file that can then be executed via the /storage/ URL if a commonly performed setup process within Laravel applications has been completed.

As a note, Livewire Filemanager defines validation of file types to be out of scope, and recommends users perform their own file type validation. However, the ability to remotely execute files uploaded through the web application is what actually enables executing the malware.

During default usage of Livewire Filemanager, files can be accessed via the publicly accessible "storage/app/public" URL. This occurs if the php artisan storage:link command has previously been executed, enabling web serving. If a malicious PHP file is uploaded to the file manager, it can then be accessed and executed from that URL when passed a user ID alongside the request, enabling remote code execution on the target device.

Impact

The vulnerability enables unauthenticated remote code execution as the web server user, enabling full read and write of files accessible to that user, as well as the capability to further pivot and compromise connecting devices, making CVE-2025-14894 a high impact vulnerability.

Solution

At the time of writing, the vendor has not acknowledged the vulnerability. CERT/CC recommends using increased caution with Laravel Filemanager, and to check if the php artisan storage:link command has previously been executed, and if so, consider removing the web serving capability of the tool.

Acknowledgements

Thanks to the reporter HackingByDoing. This document was written by Christopher Cullen.

Vendor Information

References

• https://github.com/livewire-filemanager/filemanager
• https://hackingbydoing.wixsite.com/hackingbydoing/post/unauthenticated-rce-in-livewire-filemanager