CVE-2026-2651
A vulnerability in MLflow versions <=3.10.1.dev0 allows unauthorized access to multipart upload MPU endpoints when the --serve-artifacts mode is enabled. The authorization logic does not enforce resource-level permission checks for /mlflow-artifacts/mpu/ endpoints, enabling attackers to overwrite...
CVE-2026-33866
CVE-2026-33866 affects MLflow up to version 3.10.1 and describes an authorization bypass in the AJAX endpoint for downloading saved model artifacts. Due to missing access-control validation, a user without permissions to a given experiment can directly query the endpoint and retrieve artifacts th...
EUVD-2025-18787
Malicious code in bioql PyPI...
EUVD-2023-36805
Malicious code in bioql PyPI...
EUVD-2021-28835
Malicious code in bioql PyPI...
CVE-2025-6264
Velociraptor allows collection of VQL queries packaged into Artifacts from endpoints. These artifacts can be used to do anything and usually run with elevated permissions. To limit access to some dangerous artifacts, Velociraptor allows them to require high permissions like EXECVE to launch...
CVE-2023-32561
An artifact previously generated by an administrator could be accessed by an attacker. The contents of this artifact could lead to authentication bypass. Fixed in version 6.4.1...
PT-2025-17346 · Z80Pack · Z80Pack
Name of the Vulnerable Software and Affected Versions: z80pack versions 1.38 and prior Description: The issue concerns the exposure of sensitive information, specifically the GITHUB TOKEN, in the workflow run artifact. This occurs because the makefile-ubuntu.yml workflow file uses...
CVE-2025-24029 Artifact permissions are not verified in the Cross Tracker Search widget in Tuleap
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Users, possibly anonymous ones if the widget is used in the dashboard of a public project, might get access to artifacts they should not see. This issue has been addressed in Tuleap Community Edition...
PT-2025-5268 · Unknown · Tuleap Community Edition +1
Name of the Vulnerable Software and Affected Versions: Tuleap Community Edition versions prior to 16.3.99.1737562605; Tuleap Enterprise Edition versions prior to 16.3-5; Tuleap Enterprise Edition versions prior to 16.2-7. Description: Tuleap is an Open Source Suite to improve management of software...
Gitlab -- Vulnerabilities
Gitlab reports: XSS via the Maven Dependency Proxy; Project level analytics settings leaked in DOM; Reports can access and download job artifacts despite use of settings to prevent it; Direct Transfer - Authorised project/group exports are accessible to other users; Bypassing tag check and branch che...
CVE-2023-32561
CVE-2023-32561 affects Ivanti Avalanche. The vulnerability is an authentication bypass in the dumpHeap component caused by incorrect permission assignment in Ivanti Avalanche WLAvalancheService.exe (v6.4.0.0 and earlier). Ivanti released fixes in Avalanche 6.4.1 (noted as 6.4.1.207) to remediate ...
Cross site scripting
Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. During CI/CD builds, it is possible to save build artifacts for later retrieval. They can be accessed through OneDev's web UI after the successful run of a build. These artifact files are served by the webserver in the same...
PT-2022-11491 · Jfrog · Jfrog Artifactory
Name of the Vulnerable Software and Affected Versions: JFrog Artifactory versions prior to 7.28.0; JFrog Artifactory versions prior to 6.23.38. Description: The issue is related to Broken Access Control, where the copy functionality can be exploited by a low-privileged user to read and copy any...
GHSA-PHF8-3QGV-RG5Q Missing Authorization in Jenkins Blue Ocean Plugin
The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts; Item/Read permission was sufficient. Blue Ocean now correctly checks the Run/Artifacts permission, if it is enabled, before...
CVE-2021-28822
The Enterprise Message Service Server tibemsd, Enterprise Message Service Central Administration tibemsca, Enterprise Message Service JSON configuration generator tibemsconf2json, and Enterprise Message Service C API components of TIBCO Software Inc.'s TIBCO Enterprise Message Service, TIBCO...
CVE-2018-11086
Pivotal Usage Service in Pivotal Application Service, versions 2.0 prior to 2.0.21 and 2.1 prior to 2.1.13 and 2.2 prior to 2.2.5, contains a bug which may allow escalation of privileges. A space developer with access to the system org may be able to access an artifact which contains the CF admin...