CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

OSV•added 2026/04/07 3:30 p.m.•5 views

GHSA-FH64-R2VC-XVHR MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface

Github Security Blog•added 2026/04/07 3:30 p.m.•3 views

Exploits1References7

MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface

5.4CVSS5.9AI score0.00218EPSS

Exploits1References7Affected Software1

EUVD•added 2026/04/07 3:0 p.m.•5 views

EUVD-2026-19676

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature webserver.api.clipw that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config...

6.1CVSS5.9AI score0.00156EPSS

Exploits1References1

ATTACKERKB•added 2026/04/07 2:49 p.m.•2 views

CVE-2026-35486

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, he superbooga and superboogav2 RAG extensions fetch user-supplied URLs via requests.get with zero validation — no scheme check, no IP filtering, no hostname allowlist. An attacker can access clo...

7.5CVSS5.9AI score0.004EPSS

Exploits1References2Affected Software1

EUVD•added 2026/04/07 2:49 p.m.•6 views

EUVD-2026-19671

7.5CVSS5.9AI score0.004EPSS

Exploits1References1

CVE•added 2026/04/07 2:45 p.m.•19 views

CVE-2026-35483

The CVE concerns text-generation-webui, an open-source web interface for running Large Language Models. A path traversal vulnerability existed in load_template() before version 4.3 that allowed reading files on the server filesystem with .jinja, .jinja2, .yaml, or .yml extensions without authenti...

5.3CVSS5.9AI score0.00325EPSS

Exploits1References1Affected Software1

Snyk•added 2026/04/07 2:13 p.m.•3 views

Cross-site Scripting (XSS)

Overview mlflow is a platform to streamline machine learning development, including tracking experiments, packaging code into reproducible runs, and sharing and deploying models. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsafe parsing of YAML-based MLmodel...

5.4CVSS6AI score0.00218EPSS

Snyk•added 2026/04/07 2:13 p.m.•2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsafe parsing of YAML-based MLmodel artifacts in the web interface. An attacker can execute arbitrary scripts in the context of another user's browser session by uploading a crafted MLmodel file containing...

5.4CVSS6AI score0.00218EPSS

PyPA•added 2026/04/07 1:16 p.m.•11 views

PYSEC-2026-93

Exploits1References4Affected Software1

NVD•added 2026/04/07 1:16 p.m.•4 views

CVE-2026-33865

5.4CVSS0.00218EPSS

OSV•added 2026/04/07 1:16 p.m.•5 views

PYSEC-2026-93

Vulnrichment•added 2026/04/07 12:57 p.m.•2 views

Exploits1References4

CVE-2026-33865 Stored XSS via unsafe YAML parsing in MLflow

5.1CVSS5.9AI score0.00218EPSS

ATTACKERKB•added 2026/04/07 12:57 p.m.•2 views

CVE-2026-33865

5.1CVSS5.9AI score0.00218EPSS

CVE•added 2026/04/07 12:57 p.m.•17 views

CVE-2026-33865

MLflow

5.4CVSS5.9AI score0.00218EPSS

Exploits1References3Affected Software1

Fedora•added 2026/04/07 1:11 a.m.•3 views

[SECURITY] Fedora 42 Update: nextcloud-33.0.1-1.fc42

NextCloud gives you universal access to your files through a web interface or WebDAV. It also provides a platform to easily view & sync your contacts, calendars and bookmarks across all your devices and enables basic editing rig ht on the web. NextCloud is extendable via a simple but powerful API...

8.2CVSS6.4AI score0.00478EPSS

Exploits3

Positive Technologies•added 2026/04/07 12:0 a.m.•2 views

PT-2026-30820

Name of the Vulnerable Software and Affected Versions MLflow versions through 3.10.1 Description MLflow is susceptible to Stored Cross-Site Scripting XSS due to unsafe parsing of YAML-based MLmodel artifacts within its web interface. An authenticated attacker can upload a malicious MLmodel file...

CNNVD•added 2026/04/07 12:0 a.m.•6 views

Exploits1References15

MLflow 跨站脚本漏洞

MLFlow is an open-source platform that simplifies machine learning development. It includes features like tracking experiments, packaging code for reproducible runs, and sharing and deploying models. Versions of MLFlow prior to 3.10.1 contain a cross-site scripting vulnerability. This vulnerabili...

5.4CVSS5.7AI score0.00218EPSS

CNNVD•added 2026/04/07 12:0 a.m.•6 views

TOTOLINK A7100RU 操作系统命令注入漏洞

The TOTOLINK A7100RU is a wireless router produced by TOTOLINK, a Chinese company. The Totolink A7100RU 7.4cu.2313b20191024 version has a vulnerability related to operating system command injection. This vulnerability stems from incorrect handling of the parameter “enable” in the file...

7.5CVSS7.1AI score0.01429EPSS

Exploits0References5

Positive Technologies•added 2026/04/07 12:0 a.m.•2 views

PT-2026-30863

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature webserver.api.cli pw that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config...

6.1CVSS5.9AI score0.00156EPSS