superagi CVE Vulnerabilities & Metrics

Focus on superagi vulnerabilities and metrics.

Last updated: 21 Aug 2025, 22:25 UTC

About superagi Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with superagi. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total superagi CVEs: 10
Earliest CVE date: 16 Nov 2023, 18:15 UTC
Latest CVE date: 19 Jun 2025, 22:15 UTC

Latest CVE reference: CVE-2025-6280

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 9

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 800.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 800.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical superagi CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.52

Max CVSS: 5.2

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	9
4.0-6.9	1
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS superagi CVEs

These are the five CVEs with the highest CVSS scores for superagi, sorted by severity first and recency.

CVE-2025-6280 superagi Published on 19 Jun 2025, 22:15 UTC (CVSS: 5.2)
A vulnerability, which was classified as critical, was found in TransformerOptimus SuperAGI up to 0.0.14. Affected is the function download_attachment of the file SuperAGI/superagi/helper/read_email.py of the component EmailToolKit. The manipulation of the argument filename leads to path traversal. The exploit has been disclosed to the public and may be used.
CVE-2024-9447 superagi Published on 20 Mar 2025, 10:15 UTC (CVSS: 0)
An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. The `/get/organisation/` endpoint does not verify the user's organization, allowing any authenticated user to retrieve sensitive configuration details, including API keys, of any organization. This could lead to unauthorized access to services and significant data breaches or financial loss.
CVE-2024-9439 superagi Published on 20 Mar 2025, 10:15 UTC (CVSS: 0)
SuperAGI is vulnerable to remote code execution in the latest version. The `agent template update` API allows attackers to control certain parameters, which are then fed to the eval function without any sanitization or checks in place. This vulnerability can lead to full system compromise.
CVE-2024-9437 superagi Published on 20 Mar 2025, 10:15 UTC (CVSS: 0)
SuperAGI version v0.0.14 is vulnerable to an unauthenticated Denial of Service (DoS) attack. The vulnerability exists in the resource upload request, where appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request causes the server to continuously process each character. This leads to excessive resource consumption and renders the service unavailable. The i...
CVE-2024-9431 superagi Published on 20 Mar 2025, 10:15 UTC (CVSS: 0)
In version v0.0.14 of transformeroptimus/superagi, there is an improper privilege management vulnerability. After logging into the system, users can change the passwords of other users, leading to potential account takeover.

All CVEs for superagi

CVE-2025-6280 superagi vulnerability CVSS: 5.2 19 Jun 2025, 22:15 UTC

A vulnerability, which was classified as critical, was found in TransformerOptimus SuperAGI up to 0.0.14. Affected is the function download_attachment of the file SuperAGI/superagi/helper/read_email.py of the component EmailToolKit. The manipulation of the argument filename leads to path traversal. The exploit has been disclosed to the public and may be used.

CVE-2024-9447 superagi vulnerability CVSS: 0 20 Mar 2025, 10:15 UTC

An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. The `/get/organisation/` endpoint does not verify the user's organization, allowing any authenticated user to retrieve sensitive configuration details, including API keys, of any organization. This could lead to unauthorized access to services and significant data breaches or financial loss.

CVE-2024-9439 superagi vulnerability CVSS: 0 20 Mar 2025, 10:15 UTC

SuperAGI is vulnerable to remote code execution in the latest version. The `agent template update` API allows attackers to control certain parameters, which are then fed to the eval function without any sanitization or checks in place. This vulnerability can lead to full system compromise.

CVE-2024-9437 superagi vulnerability CVSS: 0 20 Mar 2025, 10:15 UTC

SuperAGI version v0.0.14 is vulnerable to an unauthenticated Denial of Service (DoS) attack. The vulnerability exists in the resource upload request, where appending characters, such as dashes (-), to the end of a multipart boundary in an HTTP request causes the server to continuously process each character. This leads to excessive resource consumption and renders the service unavailable. The issue is unauthenticated and does not require any user interaction, impacting all users of the service.

CVE-2024-9431 superagi vulnerability CVSS: 0 20 Mar 2025, 10:15 UTC

In version v0.0.14 of transformeroptimus/superagi, there is an improper privilege management vulnerability. After logging into the system, users can change the passwords of other users, leading to potential account takeover.

CVE-2024-9418 superagi vulnerability CVSS: 0 20 Mar 2025, 10:15 UTC

In version 0.0.14 of transformeroptimus/superagi, the API endpoint `/api/users/get/{id}` returns the user's password in plaintext. This vulnerability allows an attacker to retrieve the password of another user, leading to potential account takeover.

CVE-2024-9415 superagi vulnerability CVSS: 0 20 Mar 2025, 10:15 UTC

A Path Traversal vulnerability exists in the file upload functionality of transformeroptimus/superagi version 0.0.14. This vulnerability allows an attacker to upload an arbitrary file to the server, potentially leading to remote code execution or overwriting any file on the server.

CVE-2024-12048 superagi vulnerability CVSS: 0 20 Mar 2025, 10:15 UTC

An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. The application fails to properly check authorization for multiple API endpoints, allowing attackers to view, edit, and delete other users' information without proper authorization. Affected endpoints include but are not limited to /get/project/{project_id}, /get/schedule_data/{agent_id}, /delete/{agent_id}, /get/organisation/{organisation_id}, and /get/user/{user_id}.

CVE-2024-10267 superagi vulnerability CVSS: 0 20 Mar 2025, 10:15 UTC

An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. An attacker can leak sensitive user information, including names, emails, and passwords, by attempting to register a new account with an email that is already in use. The server returns all information associated with the existing account. The vulnerable endpoint is located in the user registration functionality.

CVE-2023-48055 superagi vulnerability CVSS: 0 16 Nov 2023, 18:15 UTC

SuperAGI v0.0.13 was discovered to use a hardcoded key for encryption operations. This vulnerability can lead to the disclosure of information and communications.