
10 matches found

RedhatCVE
added 2026/06/15 8:35 a.m., 8 views

CVE-2026-45833

A flaw was found in the ChromaDB Python project. An authenticated attacker with UPDATE COLLECTION permission could exploit a code injection vulnerability. By sending a malicious model repository to a specific API endpoint with trust_remote_code enabled, the attacker can execute arbitrary code on the...

CVSS 9.4, AI score 6.1, EPSS 0.00342
Exploits 0, References 4
Snyk
added 2026/06/12 4:39 p.m., 6 views

Arbitrary Code Injection

Overview: chromadb is a Chroma. Affected versions of this package are vulnerable to Arbitrary Code Injection in the api/v2/tenants/default_tenant/databases/default_database/collections/collection_id endpoint when a malicious model repository is sent and trust_remote_code is set to true. An attacker can...

CVSS 9.4, AI score 6.1, EPSS 0.00342
Exploits 0, References 2
NVD
added 2026/06/12 4:16 p.m., 13 views

CVE-2026-45833

A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in...

CVSS 9.4, EPSS 0.00342
Exploits 0, References 4
Vulnrichment
added 2026/06/12 3:16 p.m., 9 views

CVE-2026-45833

A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in...

CVSS 9.4, AI score 5.8, EPSS 0.00342
Exploits 0, References 1
Cvelist
added 2026/06/12 3:16 p.m., 30 views

CVE-2026-45833

A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in...

CVSS 9.4, EPSS 0.00342
Exploits 0, References 1
EUVD
added 2026/06/12 3:16 p.m., 21 views

EUVD-2026-36484

A code injection vulnerability in version 0.4.17 or later of the ChromaDB Python project allows an authenticated attacker to run arbitrary code on the server by sending a malicious model repository and trust_remote_code set to true in...

CVSS 9.4, AI score 5.8, EPSS 0.00342
Exploits 0, References 1
CVE
added 2026/06/12 3:16 p.m., 32 views

CVE-2026-45833

CVE-2026-45833 affects the ChromaDB Python project (version 0.4.17 and later). The issue is a code injection vulnerability where an authenticated attacker can execute arbitrary code on the server by supplying a malicious model repository and setting trust_remote_code to true in the API path /api/...

CVSS 9.4, AI score 5.8, EPSS 0.00342
Exploits 0, References 4, Affected Software 1
Positive Technologies
added 2026/06/12 12:00 a.m., 20 views

PT-2026-48898

Name of the Vulnerable Software and Affected Versions: ChromaDB versions 0.4.17 through 0.4.16. Description: An authenticated attacker with the UPDATE COLLECTION permission can execute arbitrary code on the server. This occurs by sending a malicious model repository and setting the trust remote code...

CVSS 9.4, AI score 5.9, EPSS 0.00342
Exploits 0, References 4
Cvelist
added 2026/05/21 9:45 p.m., 29 views

CVE-2026-8139 Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName

Concrete CMS 9.5.0 and below is vulnerable to Stored XSS via external-link page cvName because updateCollectionAliasExternal bypasses being sanitized. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with...

CVSS 2, EPSS 0.0015
Exploits 0, References 1
CVE
added 2026/05/21 9:45 p.m., 24 views

CVE-2026-8139

Concrete CMS versions 9.5.0 and earlier are vulnerable to stored XSS on the external-link page cvName due to updateCollectionAliasExternal bypassing sanitization. The issue is triggered by the sanitize bypass in updateCollectionAliasExternal, enabling stored scripts delivered to users. Affected p...

CVSS 5.4, AI score 5.8, EPSS 0.0015
Exploits 0, References 1, Affected Software 1