Lucene search
12104 matches found

Github Security Blog
added 2026/05/21 5:56 p.m., 13 views

Amazon SageMaker Python SDK is missing integrity verification in its Triton inference handler

Summary Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the Triton inference handler deserializes model artifacts without performing integrity verification, allowing...

CVSS 7.2, AI score 6.5, EPSS 0.0039
Exploits: 0, References: 6, Affected Software: 1
Snyk
added 2026/05/21 5:42 p.m., 10 views

Cleartext Storage of Sensitive Information

Overview sagemaker-serve is a SageMaker Serve package for model serving and deployment Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the ModelBuilder/Serve component. An attacker can extract sensitive HMAC signing keys by accessing the SageMaker...

CVSS 9.1, AI score 6.2, EPSS 0.00439
Exploits: 0, References: 2
Github Security Blog
added 2026/05/21 5:42 p.m., 14 views

Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path

Summary Amazon SageMaker Python SDK is an open-source library for training and deploying machine learning models on Amazon SageMaker. An issue exists where, under certain circumstances, the ModelBuilder/Serve component stores an HMAC signing key in cleartext as a container environment variable,...

CVSS 8.5, AI score 6.2, EPSS 0.00439
Exploits: 0, References: 6, Affected Software: 1
OSV
added 2026/05/21 5:30 p.m., 11 views

GHSA-M549-QQ94-FVHG LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization

Summary lmdeploy hardcodes trust_remote_code=True in multiple HuggingFace model-loading call sites. The affected code paths are in: lmdeploy/archs.py, lmdeploy/utils.py. The vulnerable call sites pass trust_remote_code=True into HuggingFace Transformers APIs such as AutoConfig.from_pretrained,...

CVSS 7.8, AI score 6.5, EPSS 0.00142
Exploits: 0, References: 4
Github Security Blog
added 2026/05/21 5:30 p.m., 15 views

LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization

Summary lmdeploy hardcodes trust_remote_code=True in multiple HuggingFace model-loading call sites. The affected code paths are in: lmdeploy/archs.py, lmdeploy/utils.py. The vulnerable call sites pass trust_remote_code=True into HuggingFace Transformers APIs such as AutoConfig.from_pretrained,...

CVSS 7.8, AI score 6.5, EPSS 0.00142
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2026/05/21 4:24 p.m., 8 views

RLSA-2026:1631 Moderate: python3 security update

Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems. Security Fixes:...

CVSS 7.5, AI score 6.7, EPSS 0.00696
Exploits: 0, References: 2
Schneier on Security
added 2026/05/21 4:3 p.m., 10 views

macOS Kernel Memory Corruption Exploit

A group used Anthropic's Mythos AI model to help find a kernel memory corruption vulnerability and exploit on Apple's M5. News article...

AI score 5.8
Exploits: 0
IBM Security Bulletins
added 2026/05/21 3:2 p.m., 8 views

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an Improper Input Validation in ONNX [CVE-2026-34445, CVE-2026-34446, CVE-2026-34447]

Summary IBM Watson Speech Services Cartridge is vulnerable to an Improper Input Validation in ONNX due to an issue with the ExternalDataInfo class in ONNX using Python's setattr function to load metadata like file paths or data lengths directly from an ONNX model file, which fails to properly...

CVSS 8.6, AI score 5.8, EPSS 0.00288
Exploits: 1, Affected Software: 1
SUSE CVE
added 2026/05/21 1:12 p.m., 9 views

SUSE CVE-2026-9126

Use after free in DOM in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Medium...

CVSS 8.8, AI score 6.2, EPSS 0.00396
Exploits: 0, References: 3
RedhatCVE
added 2026/05/21 10:48 a.m., 10 views

CVE-2026-2734

A flaw was found in mlflow. An authenticated user could exploit a lack of proper authorization checks in the SearchModelVersions REST API and mlflowSearchModelVersions GraphQL query. This flaw allows them to enumerate all model versions across all registered models, potentially exposing sensitive...

CVSS 6.5, AI score 6.5, EPSS 0.00441
Exploits: 1, References: 5
Snyk
added 2026/05/21 7:35 a.m., 12 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass via the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query. An attacker can access sensitive information, including model names, version descriptions, source URIs, tags, and other...

CVSS 7.1, AI score 6.6, EPSS 0.00441
Exploits: 1, References: 2
Snyk
added 2026/05/21 7:35 a.m., 10 views

Access Control Bypass

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Access Control Bypass via the SearchModelVersions REST API endpoin...

CVSS 7.1, AI score 6.7, EPSS 0.00441
Exploits: 1, References: 2
OSV
added 2026/05/21 6:31 a.m., 4 views

GHSA-W5XQ-C4PF-GHQ7 MLflow authenticated users can enumerate any registered model versions due to lack of per-model permissions checks

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...

CVSS 6.5, AI score 6.3, EPSS 0.00441
Exploits: 1, References: 4
Github Security Blog
added 2026/05/21 6:31 a.m., 7 views

MLflow authenticated users can enumerate any registered model versions due to lack of per-model permissions checks

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...

CVSS 6.5, AI score 6.3, EPSS 0.00441
Exploits: 1, References: 4, Affected Software: 1
NVD
added 2026/05/21 5:16 a.m., 18 views

CVE-2026-2734

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...

CVSS 6.5, EPSS 0.00441
Exploits: 1, References: 2
Cvelist
added 2026/05/21 3:49 a.m., 43 views

CVE-2026-2734 Authorization Bypass in SearchModelVersions in mlflow/mlflow

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...

CVSS 6.5, EPSS 0.00441
Exploits: 1, References: 2
Vulnrichment
added 2026/05/21 3:49 a.m., 9 views

CVE-2026-2734 Authorization Bypass in SearchModelVersions in mlflow/mlflow

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...

CVSS 6.5, AI score 6.5, EPSS 0.00441
Exploits: 1, References: 2
CVE
added 2026/05/21 3:49 a.m., 23 views

CVE-2026-2734

Summary : For mlflow/mlflow up to version 3.9.0, the REST endpoint GET /api/2.0/mlflow/model-versions/search and the GraphQL query mlflowSearchModelVersions lack per-model authorization when basic auth is enabled. This results in any authenticated user being able to enumerate all model versions a...

CVSS 6.5, AI score 6.5, EPSS 0.00441
Exploits: 1, References: 2, Affected Software: 1
ATTACKERKB
added 2026/05/21 3:49 a.m., 9 views

CVE-2026-2734

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...

CVSS 6.5, AI score 6.5, EPSS 0.00441
Exploits: 1, References: 3
EUVD
added 2026/05/21 3:49 a.m., 11 views

EUVD-2026-31210

In mlflow/mlflow versions up to 3.9.0, the SearchModelVersions REST API endpoint and the mlflowSearchModelVersions GraphQL query lack proper per-model authorization checks when basic authentication is enabled. This allows any authenticated user to enumerate all model versions across all registere...

CVSS 6.5, AI score 6.5, EPSS 0.00441
Exploits: 1, References: 2