4072 matches found

Huntr · added 2026/04/05 12:58 a.m. · 3 views

Incomplete Fix for CVE-2026-0848: 5 Stanford Interface Classes Still Vulnerable to Untrusted JAR Code Execution

This report is not public...

CVSS 10 | AI score 7.1 | EPSS 0.00777
Exploits: 3
Huntr · added 2026/04/04 8:35 p.m. · 2 views

Lambda Layer `safe_mode=None` Guard Bypass — Arbitrary Code Execution via `from_config()`

This report is not public...

CVSS 8.8 | AI score 7.2
Exploits: 0
Huntr · added 2026/04/03 7:32 a.m. · 2 views

Authorization bypass on all trace endpoints when auth is enabled

Description: When MLflow runs with auth enabled, the trace API endpoints don't have authorization validators registered. The before_request handler checks each request against BEFORE_REQUEST_HANDLERS — experiments, runs, models all have entries there, but traces have zero entries. When no validator i...

CVSS 8.1 | AI score 5.8 | EPSS 0.00337
Exploits: 0
Huntr · added 2026/04/02 4:53 p.m. · 3 views

[CWE-73] Keras — Arbitrary HDF5 File Read via Virtual Dataset Bypass of External Storage Check (CVE-2026-1669 Incomplete Fix)

Description: The fix for CVE-2026-1669 in Keras's H5IOStore.verifydataset method (saving_lib.py:1051) is incomplete. The patch checks dataset.external to block HDF5 datasets that use external file storage, but it does not check dataset.is_virtual. HDF5 Virtual Datasets (VDS) — created via...

CVSS 7.5 | AI score 6.1 | EPSS 0.00298
Exploits: 0
Huntr · added 2026/04/02 12:26 p.m. · 3 views

Zip Slip Arbitrary File Write via ZipFile.extractall() in StorageManager

Description: The ClearML SDK uses ZipFile.extractall without path traversal validation when extracting .zip archives in StorageManager.extracttocache (storage/manager.py line 199). In contrast, .tar.gz and .tgz archives ARE protected using a safeextract function (storage/util.py line 414) that validat...

CVSS 2.4 | AI score 6.5 | EPSS 0.00357
Exploits: 0
Huntr · added 2026/04/01 12:14 a.m. · 4 views

Arbitrary File Read via Percent-Encoded Path Traversal in nltk.data.find() / nltk.data.load() - Incomplete Fix of Issue #3504

This report is not public...

CVSS 7.5 | AI score 7.1 | EPSS 0.0051
Exploits: 1
Huntr · added 2026/03/28 9:40 a.m. · 5 views

XSS via unsanitized `text/vnd.mermaid` output in nbconvert HTML export

This report is not public...

CVSS 5.4 | AI score 6 | EPSS 0.00134
Exploits: 0
Huntr · added 2026/03/27 5:21 a.m. · 4 views

Arbitrary code execution via malicious logging configuration (dictConfig factory injection)

Kedro v1.2.0 passes user-controlled YAML config to logging.config.dictConfig without validation. The factory key enables arbitrary callable instantiation, achieving RCE at startup. kedro/framework/project/__init__.py, ProjectLogging: logging_config = Path(path).read_text(encoding="utf-8")...

AI score 5.9
Exploits: 0
Huntr · added 2026/03/24 3:21 p.m. · 4 views

Path Traversal in DiskIOStore via Unsanitized Layer Names in Keras 3

Description: A logic flaw in the Keras 3 (v3.0.0+) model saving and loading library handles internal asset paths insecurely. Specifically, the DiskIOStore.make method in keras/src/saving/saving_lib.py uses user-provided layer names to construct directory paths without sanitizing for parent directory...

CVSS 6.1 | AI score 6.5 | EPSS 0.00263
Exploits: 0
Huntr · added 2026/03/22 4:43 p.m. · 4 views

Git argument injection in deployment pull steps via unsanitized commit_sha enables RCE on workers

This report is not public...

CVSS 9.9 | AI score 7.3 | EPSS 0.00874
Exploits: 3
Huntr · added 2026/03/22 1:08 a.m. · 5 views

Arbitrary Code Execution via LossNode importlib.import_module() Before audit_tree() Trust Check

Arbitrary Code Execution via LossNode Import Before Audit — Trust Check Bypass. Summary: The LossNode.__init__ method in skops/io/_sklearn.py calls gettype, which invokes importlib.import_module with attacker-controlled module and class names from the .skops file's schema.json. This import occurs during...

AI score 6.5
Exploits: 0
Huntr · added 2026/03/19 3:40 p.m. · 6 views

Unsafe cloudpickle.loads() and eval() in Callables Enable RCE via Malicious Task Payloads

This report is not public...

AI score 5.3
Exploits: 0
Huntr · added 2026/03/19 7:12 a.m. · 5 views

Unauthenticated remote shutdown in nltk.app.wordnet_app

This report is not public...

CVSS 7.5 | AI score 7.3 | EPSS 0.00325
Exploits: 0
Huntr · added 2026/03/17 1:02 a.m. · 10 views

Pickle deserialization RCE via pd.read_pickle() bypasses CVE-2024-24590 fix

Summary: The fix for CVE-2024-24590 only hardened the type == "pickle" deserialization branch in Artifact.get. A parallel code path for type == "pandas" with content_type == "application/pickle" calls pd.read_pickle without any integrity or safety check. An attacker who uploads a malicious pickle...

CVSS 8.8 | AI score 6.6 | EPSS 0.02452
Exploits: 9
Huntr · added 2026/03/14 6:44 p.m. · 6 views

Decompression bomb bypass via negative max_length in streaming API (incomplete fix for CVE-2025-66471)

Description: The fix for CVE-2025-66471 in urllib3 2.6.0 added max_length support to all decoders to prevent decompression bombs when using the streaming API. However, three independent code paths in response.py bypass this protection in urllib3 2.6.3 (latest). Bypass 1 — Negative max_length from buff...

CVSS 8.9 | AI score 6.2 | EPSS 0.00622
Exploits: 0
Huntr · added 2026/03/13 1:22 p.m. · 8 views

Path Traversal in Keras Archive Extraction via CWD Validation Bypass Leading to Arbitrary File Write

Description / Technical Details of the Vulnerability. Summary: Keras's archive extraction utilities in keras/src/utils/file_utils.py are vulnerable to path traversal. The functions filter_safe_tarinfos and filter_safe_zipinfos validate archive member paths against the process current working directory...

CVSS 8.9 | AI score 7.6 | EPSS 0.00593
Exploits: 1
Huntr · added 2026/03/13 1:57 a.m. · 9 views

model.weights.h5: h5py.ExternalLink at Group level silently followed during load_model(), bypassing CVE-2025-9905 fix — information disclosure from arbitrary HDF5 files

Keras 3.x introduced a fix for CVE-2025-9905 by checking dataset.external in H5IOStore.verifydataset. This check blocks datasets whose raw bytes are stored in external files via the HDF5 "External Data Storage" mechanism. However, HDF5 supports a second, unrelated external-reference mechanism:...

CVSS 7.3 | AI score 7.5 | EPSS 0.00205
Exploits: 1
Huntr · added 2026/03/12 3:45 p.m. · 5 views

Uncontrolled Search Path in HunposTagger Allows Untrusted Local Binary Selection in nltk/nltk

This report is not public...

AI score 5.3
Exploits: 0
Huntr · added 2026/03/09 12:11 a.m. · 6 views

Arbitrary File Write via Path Traversal in Malicious NLTK Downloader Index (nltk.downloader.Package.fromxml)

NLTK relies on the nltk.downloader.Downloader class to securely fetch corpora and models. It fetches an index.xml file to map package ids to payload URLs. A critical Arbitrary File Write vulnerability exists in nltk.downloader.Package.fromxml due to a lack of sanitization on the id field. When...

AI score 6.4
Exploits: 0
Huntr · added 2026/03/07 3:45 p.m. · 13 views

Path Traversal via Unsanitized Version String in Versioned Dataset Loading

This report is not public...

CVSS 7.1 | AI score 5.3 | EPSS 0.00186
Exploits: 1
Huntr · added 2026/03/07 2:36 p.m. · 6 views

Unsafe cloudpickle deserialization in Prefect task runners and bundle deserialization

This report is not public...

AI score 5.4
Exploits: 0
Huntr · added 2026/03/06 12:19 p.m. · 8 views

Arbitrary File Write via Validation/Extraction Path Mismatch in nltk.downloader._unzip_iter()

This report is not public...

AI score 5.3
Exploits: 0
Huntr · added 2026/03/06 8:31 a.m. · 5 views

Unbounded Frame Count in video/jpeg Base64 Data URL Processing Leads to OOM DoS

Summary: The VideoMediaIO.load_base64 method in vLLM's multimodal processing pipeline splits video/jpeg data URLs by comma delimiters to extract individual JPEG frames, but does not enforce a frame count limit. An attacker can craft a single API request containing thousands of comma-separated...

CVSS 7.5 | AI score 5.7 | EPSS 0.00597
Exploits: 1
Huntr · added 2026/03/05 1:20 p.m. · 6 views

NLTK Data Module - Arbitrary File Read via Dead Security Check

This report is not public...

AI score 5.3
Exploits: 0
Huntr · added 2026/03/05 7:17 a.m. · 8 views

AI Gateway secret API accepts `$ENV_VAR` references and can be remotely abused to exfiltrate server-side environment credentials to an attacker-controlled upstream endpoint. And the leaked credentials can be further leveraged to break security boundaries.

Analyzed project versions: Current target branch: master. Current HEAD: dc8ef3cbbefccf7384f4e3023492aae635c5d5d0 ("Fix 403 Forbidden for artifact list via query param when default_permission=NO_PERMISSIONS", #21220), commit date: 2026-03-04. The vulnerability is that AI Gateway secrets allow...

CVSS 9.1 | AI score 6.1 | EPSS 0.00435
Exploits: 1
Huntr · added 2026/03/04 8:06 a.m. · 11 views

Integer Overflow Bypasses Memory Safety Checks in H5 Dataset Loading

This report is not public...

AI score 5.8
Exploits: 0
Huntr · added 2026/02/27 3:35 a.m. · 6 views

NLTK Downloader: Arbitrary File Write / Remote Code Execution via XML Attribute Injection in Package Index

Summary. Component: nltk.downloader.Package. Affected Version: NLTK [...] element in the remote XML index contains a filename="..." attribute, it flows into kw and overwrites the safe value. The overridden filename is used directly at line 679 as the filesystem write destination:...

AI score 5.9
Exploits: 0
Huntr · added 2026/02/26 3:06 p.m. · 11 views

CWE-346: CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat`

This report is not public...

CVSS 8.8 | AI score 6.4 | EPSS 0.00197
Exploits: 1
Huntr · added 2026/02/26 12:32 p.m. · 7 views

`trust_remote_code=False` Bypass in LightGlue Nested Config Resolution (Transformers 5.2.0) Leading to Remote Code Execution During Normal `from_pretrained()` Loading

Description: Transformers contains a trust-boundary flaw in the LightGlue loading path. When loading a LightGlue model, LightGlueConfig reads trust_remote_code from the untrusted model config.json and reuses it for nested AutoConfig.from_pretrained... resolution. This allows an attacker-controlled model...

CVSS 9.6 | AI score 7.9 | EPSS 0.00519
Exploits: 1
Huntr · added 2026/02/25 11:32 a.m. · 15 views

Incomplete Fix for CVE-2026-1669: HDF5 External Storage File Disclosure in Legacy H5 Loading

Description: Keras 3 patched CVE-2026-1669 (HDF5 External Storage File Disclosure) in the new .keras and .weights.h5 loading paths by adding verifydataset to check for dataset.external in H5IOStore. However, the legacy .h5 loading path (keras/src/legacy/saving/legacy_h5_format.py) was not patched. This...

CVSS 7.5 | AI score 5.9 | EPSS 0.00298
Exploits: 0
Huntr · added 2026/02/25 9:10 a.m. · 15 views

Path Traversal via Incorrect startswith() Root Directory Check in jupyter-server Allows Access to Sibling Directories

This report is not public...

CVSS 8.1 | AI score 6.7 | EPSS 0.00437
Exploits: 1
Huntr · added 2026/02/25 7:28 a.m. · 7 views

Authentication Bypass via endswith() Health Check Exemption Allows Unauthenticated Access to Variables/Secrets in prefecthq/prefect

Description: When PREFECT_SERVER_API_AUTH_STRING is configured, Prefect Server's authentication middleware exempts any URL path ending with "health" or "ready" to allow health check probes. However, multiple API endpoints accept user-controlled string names as URL path parameters, e.g.,...

CVSS 7.5 | AI score 7.1 | EPSS 0.00476
Exploits: 1
Huntr · added 2026/02/25 6:56 a.m. · 9 views

Path Traversal via Prefix Match Bypass in `_get_os_path`

This report is not public...

AI score 5.8
Exploits: 0
Huntr · added 2026/02/25 2:50 a.m. · 11 views

Gateway API Authorization Bypass: Any Authenticated User Can Enumerate Secrets, Endpoints, and Model Definitions

This report is not public...

CVSS 6.5 | AI score 6.6 | EPSS 0.00244
Exploits: 1
Huntr · added 2026/02/23 1:40 p.m. · 32 views

Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in transformers (No `trust_remote_code` Required)

Description: A critical remote code execution vulnerability exists in the HuggingFace transformers library. An attacker can craft a malicious config.json containing the field _attn_implementation_internal set to an attacker-controlled HuggingFace Hub repository ID. When a victim loads this model usin...

CVSS 7.8 | AI score 7.8 | EPSS 0.00479
Exploits: 1
Huntr · added 2026/02/23 3:32 a.m. · 11 views

Git Argument Injection via Reference Field in GitHubRepository Block

This report is not public...

CVSS 8.5 | AI score 7.3 | EPSS 0.00298
Exploits: 0
Huntr · added 2026/02/22 12:40 a.m. · 10 views

Arbitrary File Write via Path Traversal in Orbax Checkpoint Asset Dict Keys

Description: When loading a Keras model from an Orbax checkpoint directory, the writenesteddicttodir function uses dict keys from the checkpoint's asset data directly in os.path.join without any path sanitization. A crafted Orbax checkpoint can include absolute paths or path traversal sequences .....

AI score 6
Exploits: 0
Huntr · added 2026/02/21 6:25 a.m. · 9 views

Path traversal via startswith() prefix confusion in is_path_in_dir (bypass of CVE-2025-12638 fix)

Description: The is_path_in_dir function in keras/src/utils/file_utils.py (lines 47-48) is a security-critical path validation function introduced as part of the fix for CVE-2025-12638. It is used by both filter_safe_zipinfos and filter_safe_tarinfos to validate that archive entries stay within the intended...

CVSS 8 | AI score 7.2 | EPSS 0.00592
Exploits: 0
Huntr · added 2026/02/20 6:03 p.m. · 13 views

Hardcoded trust_remote_code=True in Model Implementations Bypasses User Security Control

This report is not public...

CVSS 8.8 | AI score 5.8 | EPSS 0.00747
Exploits: 0
Huntr · added 2026/02/19 9:06 a.m. · 7 views

Path Traversal in NLTK Downloader Package Metadata Allows Arbitrary File Write

Description: The NLTK downloader does not validate file paths constructed from package metadata before writing downloaded files. A malicious NLTK data server can specify arbitrary paths via the subdir and id attributes in the package index XML, allowing arbitrary file write outside the intended...

CVSS 10 | AI score 6.1 | EPSS 0.0079
Exploits: 1
Huntr · added 2026/02/18 8:11 a.m. · 10 views

Remote Code Execution via Flow Studio Node Definitions

Description: LOLLMS Flow Studio contains multiple code execution vulnerabilities via unsafe use of Python's exec function. Two distinct code paths allow arbitrary Python code execution on the server: 1. Direct Code Execution via /api/flows/testcode (Admin endpoint). File: backend/routers/flowstudio.py...

AI score 6.3
Exploits: 0
Huntr · added 2026/02/17 8:26 p.m. · 13 views

Incomplete Fix for CVE-2025-10279: get_or_create_nfs_tmp_dir() Still Creates World-Writable (0o777) Directories Enabling Local Code Execution

Description: CVE-2025-10279 (huntr bounty 01d3b81e) identified that MLflow's get_or_create_tmp_dir created temporary directories with world-writable permissions (0o777), enabling local attackers to tamper with model artifacts and achieve arbitrary code execution. The fix (PR 17544, commit...

CVSS 7.8 | AI score 7.4 | EPSS 0.00215
Exploits: 2
Huntr · added 2026/02/17 6:00 a.m. · 10 views

Missing Authorization Validation on MLflow MPU Endpoints Leads to Cross-Resource Artifact Overwrite, Model Poisoning, and Cross-Boundary Command Execution on Model Load

Analyzed version: 5af88dc08a54d40dddfc019da9e7f0fd0fcf34e2 (git describe: nightly-2300-g5af88dc08, local mlflow.version: 3.10.1.dev0). In --serve-artifacts mode, MLflow exposes MPU endpoints for large-file multipart uploads. However, its authorization logic only covers the /mlflow-artifacts/artifact...

CVSS 9 | AI score 6.1 | EPSS 0.00345
Exploits: 1
Huntr · added 2026/02/14 2:13 a.m. · 12 views

Authentication Bypass on FastAPI Routes (Job API, OTel API) When Basic Auth Enabled

Summary: When MLflow is started with authentication enabled (--app-name basic-auth) and served via uvicorn (ASGI), the FastAPI permission middleware only enforces authentication on /gateway/ routes. All other FastAPI routes -- including the Job API /ajax-api/3.0/jobs/ and the OpenTelemetry trace...

CVSS 8.6 | AI score 6 | EPSS 0.01502
Exploits: 1
Huntr · added 2026/02/13 3:49 a.m. · 15 views

Authorization Bypass in SearchModelVersions Allows Any Authenticated User to Enumerate All Model Versions Regardless of Permissions

Summary: MLflow's SearchModelVersions REST API endpoint (GET /api/2.0/mlflow/model-versions/search) and GraphQL query mlflowSearchModelVersions lack per-model authorization checks when basic auth is enabled. Any authenticated user can enumerate ALL model versions across ALL registered models,...

CVSS 6.5 | AI score 5.8 | EPSS 0.00441
Exploits: 1
Huntr · added 2026/02/11 9:16 a.m. · 6 views

Improper Origin Validation in MLflow Assistant /ajax-api Endpoints Enables Browser-Mediated Local Command Execution

Description: Analyzed project version: MLflow 3.9.0 (/version), commit 6e61043b0ff5d845bea479d7e7ea24dcd4b2c629. In MLflow 3.9.0, a new feature called MLflow Assistant was introduced, intended only for local development and designed to integrate with Claude Code, accepting requests only from loopback...

CVSS 9.6 | AI score 7.9 | EPSS 0.00371
Exploits: 1
Huntr · added 2026/02/10 7:02 p.m. · 33 views

Arbitrary File Read via Prompt Tag Source Validation Bypass in CreateModelVersion

The create_model_version handler in mlflow/server/handlers.py uses a client-controlled tag to decide whether to skip source path validation. When a CreateModelVersion request includes the tag mlflow.prompt.is_prompt, the helper is_prompt_request returns True, and the entire source validation block...

CVSS 7.5 | AI score 7.3 | EPSS 0.00696
Exploits: 1
Huntr · added 2026/02/10 4:29 p.m. · 11 views

SSRF in MLflow via user-controlled webhook URL parameter

Description: A Server-Side Request Forgery (SSRF) vulnerability exists in the webhook creation functionality of MLflow. The create_webhook handler accepts a user-controlled url parameter and stores it without any validation. When webhooks are tested or triggered, the send_webhook_request function sends...

CVSS 7.1 | AI score 7.3 | EPSS 0.0037
Exploits: 1
Huntr · added 2026/02/02 5:36 a.m. · 8 views

Zip Slip path traversal in keras.utils.get_file(..., extract=True) archive extraction

Summary: Keras' download helper keras.utils.get_file(..., extract=True) (via keras/src/utils/file_utils.py) extracts zip/tar archives and attempts to filter unsafe member paths. However, the filter computes its base directory as the process CWD (resolve_path(".")) rather than the extraction target directory...

AI score 6.2
Exploits: 0
Huntr · added 2026/01/28 12:48 p.m. · 18 views

Infinite Loop Denial of Service via Circular Dependencies in Functional Model Deserialization

Description: A vulnerability in keras.src.models.functional.functional_from_config allows a Denial of Service (DoS) attack via an infinite loop. When reconstructing a Functional model from a configuration (e.g., via keras.models.load_model), the deserialization logic fails to detect or break out of...

AI score 5.8
Exploits: 0

Total number of security vulnerabilities: 4072