CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

228 matches found

MLflow < 3.10.0 - Authentication Bypass on FastAPI Routes

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled --app-name basic-auth and served via uvicorn ASGI. The FastAPI permission middleware only enforces authentication on /gateway/...

8.6CVSS7.8AI score0.01321EPSS

Exploits1References2

Nuclei•added yesterday•9 views

Mesop AI Sandbox <= 1.2.2 - Remote Code Execution

Mesop = 1.2.2 contains an unrestricted remote code execution caused by unauthenticated ingestion and execution of base64-encoded Python code in the /exec-py endpoint of ai/testing module, letting attackers execute arbitrary commands on the host, exploit requires HTTP access to the server. id:...

9.8CVSS6.6AI score0.12897EPSS

Exploits0References2

OSV•added 2 days ago•4 views

GHSA-5X67-J5XG-C5GJ Bugsink: DOS using large numbers of event tags

Summary In affected versions, Bugsink stores every tag supplied with an incoming event. An event with an unusually large number of custom i.e. supplied by an attacker tags can therefore make ingestion spend more time than intended writing tag rows. Bugsink uses a single-writer database...

4.3CVSS5.5AI score

Exploits0References3

RedhatCVE•added 2 days ago•5 views

CVE-2026-2652

8.6CVSS7.8AI score0.01321EPSS

Exploits1References1

Snyk•added 2026/05/28 4:50 p.m.•7 views

Unintended Proxy or Intermediary ('Confused Deputy')

Overview Affected versions of this package are vulnerable to Unintended Proxy or Intermediary 'Confused Deputy' via the uri parameter being passed directly to urllib.request.urlopen, which allows fetching resources using unsupported schemes such as file, ftp, and data. An attacker can access...

4.2CVSS5.9AI score0.00034EPSS

Exploits1References2

OSV•added 2026/05/21 4:36 p.m.•2 views

GHSA-9VMH-WHC4-7PHG OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users

This is not applicable if an application is configuring the Secrets Store to store credentials. Please make sure to follow the best practices when deploying in production In OpenMetadata 1.12.1, a non-admin SSO user can trigger a TESTCONNECTION workflow for a Database Service and receive, in the...

8.3CVSS5.8AI score

Exploits0References2

Github Security Blog•added 2026/05/21 4:36 p.m.•4 views

OpenMetadata: TEST_CONNECTION workflow leaks ingestion-bot JWT and database password to regular users

5.8AI score

Exploits0References2Affected Software1

Positive Technologies•added 2026/05/21 12:0 a.m.•7 views

PT-2026-42613

This is not applicable if an application is configuring the Secrets Store to store credentials. Please make sure to follow the best practices when deploying in production In OpenMetadata 1.12.1, a non-admin SSO user can trigger a TEST CONNECTION workflow for a Database Service and receive, in the...

8.3CVSS5.8AI score

Exploits0References3

OSV•added 2026/05/19 8:53 a.m.•6 views

BIT-MLFLOW-2026-2652 Authentication Bypass in mlflow/mlflow

8.6CVSS6AI score0.01321EPSS

Exploits1References3

vulnersOsv•added 2026/05/19 12:0 a.m.•4 views

@alicloud/cloud-charts (>=0.1.0 <=0.1.10), @alicloud/console-charts (>=0.1.0 <=0.3.0) +140 more potentially affected by unknown CVE via @antv/g2-brush (=0.0.2)

@antv/g2-brush NPM version =0.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/g2-brush and may be impacted: - @alicloud/cloud-charts =0.1.0, =0.1.0, =0.0.113, =0.0.113, =0.1.4-beta-3.3, =2.5.1, =0.0.5, =0.0.5, =0.0.5, =0.0.5, =0.0.5, =0.0.5,...

5.8AI score

Exploits0

Microsoft CVE•added 2026/05/16 12:21 a.m.•7 views

Chromium: CVE-2026-8584 Inappropriate implementation in Views

This CVE was assigned by Chrome. Microsoft Edge Chromium-based ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information...

4.2CVSS5.8AI score0.00061EPSS

Exploits0

Github Security Blog•added 2026/05/15 3:30 a.m.•5 views

MLflow: unauthenticated access to certain FastAPI routes

8.6CVSS7.4AI score0.01321EPSS

Exploits1References4Affected Software1

Vulnrichment•added 2026/05/15 2:13 a.m.•7 views

CVE-2026-2652 Authentication Bypass in mlflow/mlflow

8.6CVSS7.5AI score0.01321EPSS

Exploits1References2

Cvelist•added 2026/05/15 2:13 a.m.•33 views

CVE-2026-2652 Authentication Bypass in mlflow/mlflow

8.6CVSS0.01321EPSS

Exploits1References2

EUVD•added 2026/05/15 2:13 a.m.•5 views

EUVD-2026-30499

8.6CVSS6AI score0.01321EPSS

Exploits1References2

OSV•added 2026/05/14 8:27 p.m.•6 views

GHSA-R472-MW7M-967F Open WebUI: Cross-User File Access via Unchecked file_id in Folder Knowledge and Knowledge-Base Attach Endpoints

Cross-User File Access via Unchecked fileid in Folder Knowledge and Knowledge-Base Attach Endpoints Summary Multiple endpoints accept a user-supplied fileid and attach the referenced file to a resource the caller controls folder knowledge, knowledge-base contents without verifying that the caller...

8.1CVSS5.8AI score0.00012EPSS

Exploits1References4

NVD•added 2026/05/14 8:17 p.m.•3 views

CVE-2026-26062

Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service DoS issue in the gRPC Launcher PublishLogs endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to...

8.7CVSS0.00088EPSS

Exploits0References2