11 matches found
0lever-utils (>=0.0.2 <=0.0.7), 1337x (=1.2.5) +16397 more potentially affected by CVE-2025-66471 via urllib3 (>=1.10.2 <=2.5.0)
urllib3 (PyPI) versions =1.10.2, =0.0.2, =0.3.0, =0.0.1a0, =2.3.84, =0.1.0, =1.1.2, =0.1.0, =0.1.0, =0.0.2, =0.0.5, =0.0.7 - a-mailx =0.1.0 - a-texam =1.1.0 and more. Source CVEs: CVE-2025-66471. Source advisory: OSV:GHSA-2XPW-W6GG-JR37...
Arbitrary Code Injection
Overview: ultralytics is the Ultralytics YOLOv8 package for SOTA object detection, multi-object tracking, instance segmentation, pose estimation and image classification. Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe use of eval on attacker-controllable strings. Th...
3lc-ultralytics (>=0.1.0 <=0.1.6), afipcaeqrdecode (=0.0.15) +88 more potentially affected by unknown CVE via ultralytics (>=8.0.109 <=8.3.214)
ultralytics (PyPI) versions =8.0.109, =0.1.0, =0.1.0, =0.1.0, =0.3.2, =0.0.5, =0.0.5, =1.0.2, =0.0.2, =1.0.0, =10.0.1, =0.1.0, =0.2.0 and more. Source CVEs: unknown CVE. Source advisory: SNYK:PYTHON-ULTRALYTICS-14157230...
Ultralytics Supply-Chain Attack
Last week, we saw a supply-chain attack against the Ultralytics AI library on GitHub. A quick summary: On December 4, a malicious version 8.3.41 of the popular AI library ultralytics, which has almost 60 million downloads, was published to the Python Package Index (PyPI) package repository. The...
A number of releases of ultralytics contained malicious crypto miner software.
Ultralytics has identified a supply chain attack affecting multiple versions of the ultralytics package. The compromised versions contained unauthorized code that downloaded and executed cryptocurrency mining software when instantiating YOLO models. This code was injected into the PyPI relea...
Ultralytics AI Library with 60M Downloads Compromised for Cryptomining
Another day, another supply chain attack!...
Ultralytics AI Library Compromised: Cryptocurrency Miner Found in PyPI Versions
In yet another software supply chain attack, it has come to light that two versions of a popular Python artificial intelligence (AI) library named ultralytics were compromised to deliver a cryptocurrency miner. The versions, 8.3.41 and 8.3.42, have since been removed from the Python Package Index...
Malicious Embedded Code
Overview: ultralytics is the Ultralytics YOLOv8 package for SOTA object detection, multi-object tracking, instance segmentation, pose estimation and image classification. Affected versions of this package are vulnerable to Malicious Embedded Code. These versions have been compromised to install an xmrig...
GitHub Actions Script Injection in `ultralytics/actions`
Summary: The Ultralytics action available at https://github.com/marketplace/actions/ultralytics-actions is vulnerable to GitHub Actions script injection. If anyone uses the action within a workflow that runs on the `pull_request_target` trigger, then an attacker can inject arbitrary code into that...
Code Injection in ultralytics/yolov5
Description: Arbitrary Code Execution in ultralytics/yolov5. Yolov5 is an Object Detection model from Ultralytics. Ultralytics is a U.S.-based particle physics and AI startup with over 6 years of expertise supporting government, academic and business clients. Ultralytics offers a wide range of visi...
Code Injection in ultralytics/yolov3
Description: Arbitrary Code Execution in ultralytics/yolov3. Yolov3 is a model from Ultralytics. Ultralytics is a U.S.-based particle physics and AI startup with over 6 years of expertise supporting government, academic and business clients. Ultralytics offers a wide range of vision AI services,...