2 matches found
CVE-2026-35167
CVE-2026-35167 affects Kedro. The _get_versioned_path() function constructs filesystem paths by directly interpolating user-supplied version strings, preserving traversal sequences like ../ and enabling access outside the intended versioned dataset directory. This affects multiple entry points (c...
CVE-2026-35171
Kedro prior to version 1.3.0 is vulnerable to remote code execution via unsafe use of logging.config.dictConfig() with user-controlled input. The logging config path can be set through the KEDRO_LOGGING_CONFIG environment variable and is loaded without validation. The schema allows the special ()...