6 matches found
CVE-2025-8406 Path Traversal in zenml-io/zenml
ZenML version 0.83.1 is affected by a path traversal vulnerability in the PathMaterializer class. The load function uses ispathwithindirectory to validate files during data.tar.gz extraction, which fails to effectively detect symbolic and hard links. This vulnerability can lead to arbitrary file...
CVE-2024-9340
ZenML vulnerability CVE-2024-9340 affects zenml-io/zenml v0.66.0. Unauthenticated attackers can cause DoS by sending malformed multipart requests with extra characters at the end of multipart boundaries, triggering an infinite loop and complete denial of service. Affected endpoints include /api/v...
ZenML < 0.57.0 Password Reset Brute Force (CVE-2024-4311)
The version of ZenML installed on the remote host is prior to 0.57.0. It is, therefore, affected by an account takeover exposure due to the lack of rate-limiting in the password change function. An attacker can brute-force the current password in the 'Update Password' function, allowing them to...
PYSEC-2024-193
An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized...
PT-2024-19218 · Zenml · Zenml
Name of the Vulnerable Software and Affected Versions: zenml-io/zenml versions up to and including 0.55.4
Description: An issue was discovered due to improper authentication mechanisms, allowing an attacker with access to an active user session to change the account password without knowing the...
CVE-2024-28424
zenml v0.55.4 was discovered to contain an arbitrary file upload vulnerability in the load function at /materializers/cloudpicklematerializer.py. This vulnerability allows attackers to execute arbitrary code via uploading a crafted file...