952 matches found
BIT-MLFLOW-2026-33866 Authorization Bypass in MLflow AJAX Endpoint
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to...
BIT-MLFLOW-2026-33865 Stored XSS via unsafe YAML parsing in MLflow
MLflow is vulnerable to Stored Cross-Site Scripting XSS caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actio...
PT-2026-34060
Name of the Vulnerable Software and Affected Versions goshs versions prior to 2.0.0-beta.6 Description goshs is a SimpleHTTPServer written in Go. An ArtiPACKED issue allows the leakage of the GITHUB TOKEN through workflow artifacts, even when the token is not included in the repository source cod...
CVE-2026-32604
Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions...
CVE-2026-32604 Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths
Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions...
CVE-2026-32604 Spinnaker vulnerable to RCE when using gitrepo artifact types due to improper sanitization of user input on branch and paths
Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions...
CVE-2026-32604
Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions...
CVE-2026-32604
CVE-2026-32604 affects Spinnaker before the patched releases 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2. The vulnerability arises in clouddriver components when handling gitrepo artifacts, allowing a bad actor to execute arbitrary commands on the pod (RCE) by exploiting improper input handling on...
Out-of-bounds Write
Overview Affected versions of this package are vulnerable to Out-of-bounds Write via the ConnectedComponentsImage function when the connected-components: define specifies an invalid index. An attacker can cause an access violation and potentially crash the application by supplying crafted...
Malicious code in ant-mcp-proxy-for-test (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 51df3beb4457da4a841727c91a2517ba5727c841c08f9d43cf2b25be9e476564 During use of the package, it silently downloads and executes remote executables or scripts. During analysis, the remote resources were no longer available. Th...
MLflow Is Vulnerable To Stored Cross-Site Scripting (XSS) Caused By Unsafe Parsing Of YAML-based MLmodel Artifacts In It
MLflow is vulnerable to Stored Cross-Site Scripting XSS caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actio...
MLflow Is Vulnerable To An Authorization Bypass Affecting The AJAX Endpoint
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to...
CVE-2026-33866
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint used to download saved model artifacts. Due to missing access‑control validation, a user without permissions to a given experiment can directly query this endpoint and retrieve model artifacts they are not authorized to...
EUVD-2026-20775
UAC Unix-like Artifacts Collector before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the runcommand function passes constructed command strings directly to eval without proper sanitization. Attackers can inject shell...
CVE-2026-40032 UAC < 3.3.0-rc1 Command Injection via Placeholder Substitution
UAC Unix-like Artifacts Collector before 3.3.0-rc1 contains a command injection vulnerability in the placeholder substitution and command execution pipeline where the runcommand function passes constructed command strings directly to eval without proper sanitization. Attackers can inject shell...
CVE-2026-40032
CVE-2026-40032 affects UAC (Unix-like Artifacts Collector) up to version 3.3.0-rc1. The vulnerability is a command injection in the placeholder substitution and command execution pipeline: _run_command() passes constructed command strings directly to eval without proper sanitization, enabling arb...
CVE-2026-40029 parseusbs < 1.9 Command Injection via Crafted LNK Filename
parseusbs before 1.9 contains an OS command injection vulnerability in parseUSBs.py where LNK file paths are passed unsanitized into an os.popen shell command, allowing arbitrary command execution via crafted .lnk filenames containing shell metacharacters. An attacker can craft a .lnk filename wi...
CVE-2026-40029
Technical details (affected product/component/version, root cause, impact, and remediation) are not publicly provided in the supplied documents; monitor for updates.
[SECURITY] Fedora 43 Update: rauc-1.15.2-1.fc43
RAUC is a lightweight update client that runs on your Embedded Linux device and reliably controls the procedure of updating your device with a new firmwa re revision. RAUC is also the tool on your host system that lets you create, inspect and modify update artifacts for your device. Service is no...
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface
MLflow is vulnerable to Stored Cross-Site Scripting XSS caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actio...