Vendor
A server-side request forgery (SSRF) vulnerability exists in LMDeploy's vision-language module, allowing attackers to access cloud metadata services and internal networks by exploiting the lack of URL validation in the `load_image()` function.