4072 matches found
Incomplete Fix for CVE-2026-0848: 5 Stanford Interface Classes Still Vulnerable to Untrusted JAR Code Execution
This report is not public...
Lambda Layer `safe_mode=None` Guard Bypass — Arbitrary Code Execution via `from_config()`
This report is not public...
Authorization bypass on all trace endpoints when auth is enabled
Description When MLflow runs with auth enabled, the trace API endpoints don't have authorization validators registered. The _before_request handler checks each request against BEFORE_REQUEST_HANDLERS — experiments, runs, models all have entries there, but traces have zero entries. When no validator i...
[CWE-73] Keras — Arbitrary HDF5 File Read via Virtual Dataset Bypass of External Storage Check (CVE-2026-1669 Incomplete Fix)
Description The fix for CVE-2026-1669 in Keras's H5IOStore.verify_dataset method (saving_lib.py:1051) is incomplete. The patch checks dataset.external to block HDF5 datasets that use external file storage, but it does not check dataset.is_virtual. HDF5 Virtual Datasets (VDS) — created via...
Zip Slip Arbitrary File Write via ZipFile.extractall() in StorageManager
Description The ClearML SDK uses ZipFile.extractall without path traversal validation when extracting .zip archives in StorageManager._extract_to_cache (storage/manager.py, line 199). In contrast, .tar.gz and .tgz archives ARE protected using a safe_extract function (storage/util.py, line 414) that validat...
Arbitrary File Read via Percent-Encoded Path Traversal in nltk.data.find() / nltk.data.load() - Incomplete Fix of Issue #3504
This report is not public...
XSS via unsanitized `text/vnd.mermaid` output in nbconvert HTML export
This report is not public...
Arbitrary code execution via malicious logging configuration (dictConfig factory injection)
Kedro v1.2.0 passes user-controlled YAML config to logging.config.dictConfig without validation. The "()" factory key enables arbitrary callable instantiation, achieving RCE at startup. kedro/framework/project/__init__.py, _ProjectLogging: logging_config = Path(path).read_text(encoding="utf-8")...
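The mechanism behind this report, as an added example that is not Kedro's code: logging.config.dictConfig resolves the string under a "()" key with importlib and calls it with the remaining keys as keyword arguments, so a config file is a code-execution sink unless it is validated before it reaches dictConfig. The block uses tempfile.mkdtemp as a harmless stand-in for the attacker's callable (its side effect, a new directory, proves the call happened), and pairs it with a walk-the-tree validator; the ALLOWED_CLASSES allowlist is an assumption for the example, not any project's policy.

```python
import logging.config
import os
import tempfile

# Classes a logging config loaded from an untrusted file may reference.
# This allowlist is an assumption for the example, not Kedro's own policy.
ALLOWED_CLASSES = frozenset({
    "logging.Formatter",
    "logging.StreamHandler",
    "logging.FileHandler",
    "logging.handlers.RotatingFileHandler",
})


def find_forbidden_keys(node, path=""):
    """Walk a dictConfig tree and list every place where dictConfig would
    import and call (or mutate) an arbitrary object: the "()" factory key,
    a "class" outside the allowlist, and the "." attribute-setter key."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if key == "()":
                findings.append(f"{here}: factory {value!r}")
            elif key == "class" and value not in ALLOWED_CLASSES:
                findings.append(f"{here}: class {value!r} not allowlisted")
            elif key == ".":
                findings.append(f"{here}: arbitrary attribute assignment")
            findings.extend(find_forbidden_keys(value, here))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings.extend(find_forbidden_keys(value, f"{path}[{index}]"))
    return findings


def malicious_config(scratch_dir):
    """Constructed sample: what yaml.safe_load would hand back for a hostile
    logging.yml. tempfile.mkdtemp stands in for a harmful callable; the other
    keys become its keyword arguments."""
    return {
        "version": 1,
        "handlers": {
            "boom": {"()": "tempfile.mkdtemp", "prefix": "pwned-", "dir": scratch_dir},
        },
    }


def benign_config():
    """Constructed sample that only uses allowlisted classes."""
    return {
        "version": 1,
        "formatters": {"plain": {"class": "logging.Formatter", "format": "%(message)s"}},
        "handlers": {"console": {"class": "logging.StreamHandler", "formatter": "plain"}},
        "root": {"level": "INFO", "handlers": ["console"]},
    }


def factory_ran(scratch_dir):
    return any(name.startswith("pwned-") for name in os.listdir(scratch_dir))


def apply_unchecked(config, scratch_dir):
    """Hand the config straight to dictConfig, as an unvalidated loader does.
    dictConfig raises afterwards (the str mkdtemp returned is not a Handler),
    but the attacker-chosen callable has already executed by then."""
    try:
        logging.config.dictConfig(config)
    except Exception:
        pass
    return factory_ran(scratch_dir)


def apply_checked(config, scratch_dir):
    """Validate first; only allowlisted configs reach dictConfig."""
    findings = find_forbidden_keys(config)
    if findings:
        raise ValueError("rejected logging config: " + "; ".join(findings))
    logging.config.dictConfig(config)
    return factory_ran(scratch_dir)


def demo():
    """Returns (validator findings, whether the factory ran unchecked)."""
    scratch = tempfile.mkdtemp()
    executed = apply_unchecked(malicious_config(scratch), scratch)
    findings = find_forbidden_keys(malicious_config(scratch))
    return findings, executed


if __name__ == "__main__":
    found, ran = demo()
    print("factory executed without validation:", ran)
    print("validator findings:", found)
```

The order matters: the callable runs inside configure_handler before dictConfig gets around to noticing the result is not a Handler, so "it errored out at startup" is not evidence that nothing happened. Rejecting "()" outright and allowlisting "class" values is the conservative boundary for configs that come from a repository or user input.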
Path Traversal in DiskIOStore via Unsanitized Layer Names in Keras 3
Description A logic flaw in the Keras 3 (v3.0.0+) model saving and loading library handles internal asset paths insecurely. Specifically, the DiskIOStore.make method in keras/src/saving/saving_lib.py uses user-provided layer names to construct directory paths without sanitizing for parent directory...
Git argument injection in deployment pull steps via unsanitized commit_sha enables RCE on workers
This report is not public...
Arbitrary Code Execution via LossNode importlib.import_module() Before audit_tree() Trust Check
Summary The LossNode.__init__ method in skops/io/sklearn.py calls gettype, which invokes importlib.import_module with attacker-controlled module and class names from the .skops file's schema.json. This import occurs during...
Unsafe cloudpickle.loads() and eval() in Callables Enable RCE via Malicious Task Payloads
This report is not public...
Unauthenticated remote shutdown in nltk.app.wordnet_app
This report is not public...
Pickle deserialization RCE via pd.read_pickle() bypasses CVE-2024-24590 fix
Summary The fix for CVE-2024-24590 only hardened the type == "pickle" deserialization branch in Artifact.get. A parallel code path for type == "pandas" with content_type == "application/pickle" calls pd.read_pickle without any integrity or safety check. An attacker who uploads a malicious pickle...
Decompression bomb bypass via negative max_length in streaming API (incomplete fix for CVE-2025-66471)
Description The fix for CVE-2025-66471 in urllib3 2.6.0 added max_length support to all decoders to prevent decompression bombs when using the streaming API. However, three independent code paths in response.py bypass this protection in urllib3 2.6.3 (latest). Bypass 1 — Negative max_length from buff...
Path Traversal in Keras Archive Extraction via CWD Validation Bypass Leading to Arbitrary File Write
Description Keras's archive extraction utilities in keras/src/utils/file_utils.py are vulnerable to path traversal. The functions filter_safe_tarinfos and filter_safe_zipinfos validate archive member paths against the process current working directory...
model.weights.h5: h5py.ExternalLink at Group level silently followed during load_model(), bypassing CVE-2025-9905 fix — information disclosure from arbitrary HDF5 files
Keras 3.x introduced a fix for CVE-2025-9905 by checking dataset.external in H5IOStore.verify_dataset. This check blocks datasets whose raw bytes are stored in external files via the HDF5 "External Data Storage" mechanism. However, HDF5 supports a second, unrelated external-reference mechanism:...
Uncontrolled Search Path in HunposTagger Allows Untrusted Local Binary Selection in nltk/nltk
This report is not public...
Arbitrary File Write via Path Traversal in Malicious NLTK Downloader Index (nltk.downloader.Package.fromxml)
NLTK relies on the nltk.downloader.Downloader class to securely fetch corpora and models. It fetches an index.xml file to map package ids to payload URLs. A critical Arbitrary File Write vulnerability exists in nltk.downloader.Package.fromxml due to a lack of sanitization on the id field. When...
Path Traversal via Unsanitized Version String in Versioned Dataset Loading
This report is not public...
Unsafe cloudpickle deserialization in Prefect task runners and bundle deserialization
This report is not public...
Arbitrary File Write via Validation/Extraction Path Mismatch in nltk.downloader._unzip_iter()
This report is not public...
Unbounded Frame Count in video/jpeg Base64 Data URL Processing Leads to OOM DoS
Summary The VideoMediaIO.load_base64 method in vLLM's multimodal processing pipeline splits video/jpeg data URLs by comma delimiters to extract individual JPEG frames, but does not enforce a frame count limit. An attacker can craft a single API request containing thousands of comma-separated...
NLTK Data Module - Arbitrary File Read via Dead Security Check
This report is not public...
AI Gateway secret API accepts `$ENV_VAR` references and can be remotely abused to exfiltrate server-side environment credentials to an attacker-controlled upstream endpoint. And the leaked credentials can be further leveraged to break security boundaries.
Analyzed project version: branch master, HEAD dc8ef3cbbefccf7384f4e3023492aae635c5d5d0 ("Fix 403 Forbidden for artifact list via query param when default_permission=NO_PERMISSIONS", #21220, committed 2026-03-04). The vulnerability is that AI Gateway secrets allow...
Integer Overflow Bypasses Memory Safety Checks in H5 Dataset Loading
This report is not public...
NLTK Downloader: Arbitrary File Write / Remote Code Execution via XML Attribute Injection in Package Index
Summary Component: nltk.downloader.Package. Affected Version: NLTK element in the remote XML index contains a filename="..." attribute, it flows into kw and overwrites the safe value. The overridden filename is used directly at line 679 as the filesystem write destination:...
CWE-346: CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat`
This report is not public...
`trust_remote_code=False` Bypass in LightGlue Nested Config Resolution (Transformers 5.2.0) Leading to Remote Code Execution During Normal `from_pretrained()` Loading
Description Transformers contains a trust-boundary flaw in the LightGlue loading path. When loading a LightGlue model, LightGlueConfig reads trust_remote_code from the untrusted model config.json and reuses it for nested AutoConfig.from_pretrained(...) resolution. This allows an attacker-controlled model...
Incomplete Fix for CVE-2026-1669: HDF5 External Storage File Disclosure in Legacy H5 Loading
Description Keras 3 patched CVE-2026-1669 (HDF5 External Storage File Disclosure) in the new .keras and .weights.h5 loading paths by adding verify_dataset to check for dataset.external in H5IOStore. However, the legacy .h5 loading path (keras/src/legacy/saving/legacy_h5_format.py) was not patched. This...
Path Traversal via Incorrect startswith() Root Directory Check in jupyter-server Allows Access to Sibling Directories
This report is not public...
Authentication Bypass via endswith() Health Check Exemption Allows Unauthenticated Access to Variables/Secrets in prefecthq/prefect
Description When PREFECT_SERVER_API_AUTH_STRING is configured, Prefect Server's authentication middleware exempts any URL path ending with "health" or "ready" to allow health check probes. However, multiple API endpoints accept user-controlled string names as URL path parameters, e.g.,...
Path Traversal via Prefix Match Bypass in `_get_os_path`
This report is not public...
Gateway API Authorization Bypass: Any Authenticated User Can Enumerate Secrets, Endpoints, and Model Definitions
This report is not public...
Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in transformers (No `trust_remote_code` Required)
Description A critical remote code execution vulnerability exists in the HuggingFace transformers library. An attacker can craft a malicious config.json containing the field _attn_implementation_internal set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model usin...
Git Argument Injection via Reference Field in GitHubRepository Block
This report is not public...
Arbitrary File Write via Path Traversal in Orbax Checkpoint Asset Dict Keys
Description When loading a Keras model from an Orbax checkpoint directory, the write_nested_dict_to_dir function uses dict keys from the checkpoint's asset data directly in os.path.join without any path sanitization. A crafted Orbax checkpoint can include absolute paths or .. path traversal sequences...
Path traversal via startswith() prefix confusion in is_path_in_dir (bypass of CVE-2025-12638 fix)
Description The is_path_in_dir function in keras/src/utils/file_utils.py (lines 47-48) is a security-critical path validation function introduced as part of the fix for CVE-2025-12638. It is used by both filter_safe_zipinfos and filter_safe_tarinfos to validate that archive entries stay within the intended...
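The prefix-confusion pattern named in this report, and in the two jupyter-server `startswith()` / `_get_os_path` items above, as an added example that is not Keras's or jupyter-server's code: a character-level `startswith()` on resolved paths accepts any sibling whose name merely begins with the root's name, while a component-level comparison does not. The probe paths and the `/srv/extract/job` root are constructed for the example.

```python
import os


def is_path_in_dir_prefix(path, directory):
    """The weak pattern: string prefix comparison on resolved paths.
    Accepts siblings such as <dir>_evil or <dir>2, since the characters match."""
    return os.path.realpath(path).startswith(os.path.realpath(directory))


def is_path_in_dir(path, directory):
    """Structural containment: compare path components, not characters.
    Equivalent fixes: startswith(directory + os.sep) after realpath, or
    pathlib's Path.is_relative_to (3.9+)."""
    directory = os.path.realpath(directory)
    path = os.path.realpath(path)
    try:
        return os.path.commonpath([directory, path]) == directory
    except ValueError:
        # Raised on Windows when the two paths sit on different drives:
        # no common ancestor means not contained.
        return False


def candidate_paths(directory):
    """Constructed probes around an extraction root `directory`."""
    return {
        "inside": os.path.join(directory, "model", "weights.h5"),
        "sibling_prefix": directory + "_evil/weights.h5",
        "sibling_digit": directory + "2/weights.h5",
        "dotdot": os.path.join(directory, "..", "weights.h5"),
        "root_itself": directory,
    }


def compare(directory):
    """Map probe name -> (weak check verdict, strict check verdict)."""
    return {
        name: (is_path_in_dir_prefix(p, directory), is_path_in_dir(p, directory))
        for name, p in candidate_paths(directory).items()
    }


def disagreements(directory):
    """Probes the weak check admits that the strict one rejects."""
    return sorted(
        name for name, (weak, strict) in compare(directory).items() if weak and not strict
    )


if __name__ == "__main__":
    root = "/srv/extract/job"
    for name, verdicts in compare(root).items():
        print(f"{name:15} weak={verdicts[0]!s:5} strict={verdicts[1]!s:5}")
    print("bypasses:", disagreements(root))
```

Both checks agree on plain `..` traversal, which is why a fix that only tests traversal payloads can look complete: the gap is a sibling directory, and it is reachable whenever an attacker controls the name that gets joined to the root, such as an archive member or a URL path segment.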
Hardcoded trust_remote_code=True in Model Implementations Bypasses User Security Control
This report is not public...
Path Traversal in NLTK Downloader Package Metadata Allows Arbitrary File Write
Description The NLTK downloader does not validate file paths constructed from package metadata before writing downloaded files. A malicious NLTK data server can specify arbitrary paths via the subdir and id attributes in the package index XML, allowing arbitrary file write outside the intended...
Remote Code Execution via Flow Studio Node Definitions
Description LOLLMS Flow Studio contains multiple code execution vulnerabilities via unsafe use of Python's exec function. Two distinct code paths allow arbitrary Python code execution on the server: 1. Direct Code Execution via /api/flows/testcode (admin endpoint). File: backend/routers/flowstudio.py...
Incomplete Fix for CVE-2025-10279: get_or_create_nfs_tmp_dir() Still Creates World-Writable (0o777) Directories Enabling Local Code Execution
Description CVE-2025-10279 (huntr bounty 01d3b81e) identified that MLflow's get_or_create_tmp_dir created temporary directories with world-writable permissions (0o777), enabling local attackers to tamper with model artifacts and achieve arbitrary code execution. The fix (PR 17544, commit...
Missing Authorization Validation on MLflow MPU Endpoints Leads to Cross-Resource Artifact Overwrite, Model Poisoning, and Cross-Boundary Command Execution on Model Load
Analyzed version: commit 5af88dc08a54d40dddfc019da9e7f0fd0fcf34e2 (git describe: nightly-2300-g5af88dc08, local mlflow.__version__: 3.10.1.dev0). In --serve-artifacts mode, MLflow exposes MPU endpoints for large-file multipart uploads. However, its authorization logic only covers the /mlflow-artifacts/artifact...
Authentication Bypass on FastAPI Routes (Job API, OTel API) When Basic Auth Enabled
Summary When MLflow is started with authentication enabled (--app-name basic-auth) and served via uvicorn (ASGI), the FastAPI permission middleware only enforces authentication on /gateway/ routes. All other FastAPI routes -- including the Job API (/ajax-api/3.0/jobs/) and the OpenTelemetry trace...
Authorization Bypass in SearchModelVersions Allows Any Authenticated User to Enumerate All Model Versions Regardless of Permissions
Summary MLflow's SearchModelVersions REST API endpoint GET /api/2.0/mlflow/model-versions/search and GraphQL query mlflowSearchModelVersions lack per-model authorization checks when basic auth is enabled. Any authenticated user can enumerate ALL model versions across ALL registered models,...
Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution
Description Analyzed project version: MLflow 3.9.0 (/version), commit 6e61043b0ff5d845bea479d7e7ea24dcd4b2c629. In MLflow 3.9.0, a new feature called MLflow Assistant was introduced, intended only for local development and designed to integrate with Claude Code, accepting requests only from loopback...
Arbitrary File Read via Prompt Tag Source Validation Bypass in CreateModelVersion
The _create_model_version handler in mlflow/server/handlers.py uses a client-controlled tag to decide whether to skip source path validation. When a CreateModelVersion request includes the tag mlflow.prompt.is_prompt, the helper is_prompt_request returns True, and the entire source validation block...
SSRF in MLflow via user-controlled webhook URL parameter
Description A Server-Side Request Forgery (SSRF) vulnerability exists in the webhook creation functionality of MLflow. The _create_webhook handler accepts a user-controlled url parameter and stores it without any validation. When webhooks are tested or triggered, the send_webhook_request function sends...
Zip Slip path traversal in keras.utils.get_file(..., extract=True) archive extraction
Summary Keras' download helper keras.utils.get_file(..., extract=True) (via keras/src/utils/file_utils.py) extracts zip/tar archives and attempts to filter unsafe member paths. However, the filter computes its base directory as the process CWD (resolve_path(".")) rather than the extraction target directory...
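The archive-extraction items above share one lesson: ClearML's zip path has no member check at all, while Keras's filter has one anchored at the wrong directory (the process CWD instead of the extraction target). The following added example, not the code of either project, builds a constructed .tar.gz with a benign member and a `../../stolen.txt` member, then shows that a containment check anchored at the CWD passes the traversal (it lands inside the CWD) while the same check anchored at the destination rejects it. The `/srv/work` layout and the member names are constructed; tar is used rather than zip because CPython's zipfile strips `..` components on extraction while tarfile, before the 3.12 `filter` argument, does not.

```python
import io
import os
import tarfile
import tempfile


def build_demo_archive(include_traversal):
    """Constructed sample .tar.gz: one benign member plus, optionally, a
    member whose name climbs two directories above the extraction root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        members = [("model/config.json", b"{}")]
        if include_traversal:
            members.append(("../../stolen.txt", b"overwritten\n"))
        for name, payload in members:
            info = tarfile.TarInfo(name)  # TarInfo() keeps the name verbatim
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def is_within(path, base):
    """True if `path` resolves to `base` or somewhere beneath it."""
    base = os.path.realpath(base)
    path = os.path.realpath(path)
    return os.path.commonpath([base, path]) == base


def unsafe_members(archive_bytes, dest, base=None):
    """Names of members that would land outside `base` (default: `dest`)
    when extracted into `dest`. Links are refused outright here, since their
    targets need a separate check. Passing base=os.getcwd() reproduces the
    CWD-anchored mistake."""
    base = dest if base is None else base
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.join(dest, member.name)
            if member.issym() or member.islnk() or not is_within(target, base):
                bad.append(member.name)
    return bad


def safe_extract(archive_bytes, dest):
    """Refuse the whole archive if any member escapes `dest`; otherwise
    extract and return the relative paths written."""
    bad = unsafe_members(archive_bytes, dest)
    if bad:
        raise ValueError(f"archive members escape {dest!r}: {bad}")
    # Defence in depth: also run tarfile's own 'data' filter where available (3.12+).
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        tar.extractall(dest, **extract_kwargs)
    return sorted(
        os.path.relpath(os.path.join(root, name), dest)
        for root, _dirs, files in os.walk(dest)
        for name in files
    )


def compare_checks(workdir):
    """Extraction target two levels below `workdir`. A check anchored at
    `workdir` (the CWD-style bug) accepts ../../stolen.txt because the file
    still lands inside `workdir`; anchoring at `dest` rejects it."""
    dest = os.path.join(workdir, "cache", "job-1")
    archive = build_demo_archive(include_traversal=True)
    return {
        "anchored_at_cwd": unsafe_members(archive, dest, base=workdir),
        "anchored_at_dest": unsafe_members(archive, dest),
    }


def demo():
    """Extract the clean archive for real, and confirm the hostile one is refused.
    Returns (files written from the clean archive, hostile archive rejected)."""
    root = tempfile.mkdtemp()
    written = safe_extract(build_demo_archive(False), os.path.join(root, "clean"))
    try:
        safe_extract(build_demo_archive(True), os.path.join(root, "dirty"))
        rejected = False
    except ValueError:
        rejected = True
    return written, rejected


if __name__ == "__main__":
    print(compare_checks("/srv/work"))
    print(demo())
```

Validating against the destination is what makes the check meaningful: an attacker who can predict or influence the process CWD (a project checkout, a home directory) gets arbitrary write anywhere beneath it with a CWD-anchored filter, and the same filter looks correct in a unit test that extracts into a subdirectory of the CWD.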
Infinite Loop Denial of Service via Circular Dependencies in Functional Model Deserialization
Description A vulnerability in keras.src.models.functional.functional_from_config allows a Denial of Service (DoS) attack via an infinite loop. When reconstructing a Functional model from a configuration (e.g., via keras.models.load_model), the deserialization logic fails to detect or break out of...