5 matches found

Source: OSV, added 2025/07/22 6:15 p.m.

CVE-2025-51464

Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox...

CVSS 8.8, AI score 7.3, EPSS 0.00575
Exploits: 1, References: 3
Source: CVE, added 2025/05/29 3:0 p.m.

CVE-2025-5321

The CVE-2025-5321 entry affects aimhubio Aim up to 3.29.1, targeting the RestrictedPythonQuery function in /aim/storage/query.py (run_view object handler). The vulnerability arises from manipulation of the Query argument, which can lead to elevated privileges and sandbox escape issues, enabling ...

CVSS 9.9, AI score 6.4, EPSS 0.0048
Exploits: 1, References: 4, Affected Software: 1
Source: Vulnrichment, added 2025/03/20 10:11 a.m.

CVE-2024-8769 Arbitrary File Deletion via Relative Path Traversal in aimhubio/aim

A vulnerability in the LockManager.release_locks function in aimhubio/aim commit bb76afe allows for arbitrary file deletion through relative path traversal. The run_hash parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. Thi...

CVSS 9.1, AI score 9.2, EPSS 0.00791
Exploits: 1, References: 1
Source: RedhatCVE, added 2025/02/05 2:50 a.m.

CVE-2024-6396

A vulnerability in the backup_run function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. The vulnerability arises due to improper handling of the run_hash and repo.path parameters, which can be manipulated to create an...

CVSS 9.8, AI score 9.7, EPSS 0.53394
Exploits: 1, References: 1
Source: OSV, added 2024/04/10 5:15 p.m.

CVE-2024-2196

aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboar...

CVSS 8.8, AI score 7
Exploits: 0, References: 1