Lucene search
K

16 matches found

ATTACKERKB
ATTACKERKB
added 2026/06/22 10:20 p.m.5 views

CVE-2026-47155

vLLM is an inference and serving engine for large language models LLMs. Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image...

6.5CVSS5.8AI score0.00146EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/10 5:11 p.m.14 views

vLLM's Artifact Pin Decay allows pinned deployments to load unpinned code, weights, and processors

Summary vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an...

6.5CVSS5.6AI score0.00146EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:10 p.m.10 views

CVE-2026-35580

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflowdispatch inputs were interpolated directly into shell commands via $ expression syntax. An attacker with repository write access could...

9.1CVSS5.6AI score0.00566EPSS
Exploits1References1
EUVD
EUVD
added 2025/10/07 12:30 a.m.3 views

EUVD-2021-2118

Malware in sbrugna...

6.5CVSS6.4AI score0.00416EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.2 views

EUVD-2023-0097

Malicious code in bioql PyPI...

5.5CVSS5.5AI score0.00241EPSS
Exploits0References7
RedhatCVE
RedhatCVE
added 2025/05/23 4:10 a.m.5 views

CVE-2023-32076

in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the...

5.5CVSS7.1AI score0.00241EPSS
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2025/03/05 12:0 a.m.4 views

Linux Distros Unpatched Vulnerability : CVE-2023-32076

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior ...

5.5CVSS6.2AI score0.00241EPSS
Exploits0References3
NVD
NVD
added 2023/05/10 6:15 p.m.33 views

CVE-2023-32076

in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the...

5.5CVSS5.7AI score0.00241EPSS
Exploits0References4
UbuntuCve
UbuntuCve
added 2023/05/10 6:15 p.m.24 views

CVE-2023-32076

in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the...

5.5CVSS6AI score0.00241EPSS
Exploits0References5
Prion
Prion
added 2023/05/10 6:15 p.m.17 views

Design/Logic Flaw

in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the...

1.7CVSS5.7AI score0.00241EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2023/05/10 5:58 p.m.28 views

CVE-2023-32076 in-toto vulnerable to Configuration Read From Local Directory

in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the...

5.5CVSS5.9AI score0.00241EPSS
Exploits0References4
CVE
CVE
added 2023/05/10 5:58 p.m.71 views

CVE-2023-32076

Summary of CVE-2023-32076 (in-toto) : The vulnerability affects in-toto up to version 1.4.0, where the framework reads configuration from XDG directories and includes the hidden file .in_totorc. If an attacker controls inputs to a supply chain step, they can inject a crafted .in_totorc with exclu...

5.5CVSS5.6AI score0.00241EPSS
Exploits0References4Affected Software1
Debian CVE
Debian CVE
added 2023/05/10 5:58 p.m.34 views

CVE-2023-32076

in-toto is a framework to protect supply chain integrity. The in-toto configuration is read from various directories and allows users to configure the behavior of the framework. The files are from directories following the XDG base directory specification. In versions 1.4.0 and prior, among the...

5.5CVSS5.7AI score0.00241EPSS
Exploits0
NVD
NVD
added 2021/09/21 9:15 p.m.9 views

CVE-2021-41087

in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. In affected versions authenticated attackers posing as functionaries i.e., within a trusted set of users for a layout are able to create attestations that may bypass DISALLOW rules in the sa...

6.5CVSS0.00416EPSS
Exploits0References2
The Hacker News
The Hacker News
added 2021/06/18 7:20 a.m.50 views

Google Releases New Framework to Prevent Software Supply Chain Attacks

As software supply chain attacks emerge as a point of concern in the wake of SolarWinds and Codecov security incidents, Google is proposing a solution to ensure the integrity of software packages and prevent unauthorized modifications. Called "Supply chain Levels for Software Artifacts" SLSA, and...

0.1AI score
Exploits0
ThreatPost
ThreatPost
added 2016/09/08 11:9 a.m.18 views

DHS Urges Vigilance in Protecting Networking Gear

After a summer of high-profile attacks and disclosures centered around enterprise network infrastructure, the Department of Homeland Security on Tuesday put out an alert explaining some of the tactics used by advanced attackers, and urged special caution in maintaining supply chain integrity. The...

4.3CVSS0.4AI score0.01995EPSS
Exploits0References7
Rows per page
Query Builder