Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-8147 |
|
Vulnerability in lfprojects (CVE-2026-8147)
vulnerability in lfprojects (CVE-2026-8147). Confidential information can be exposed externally. Exploitable via ``_before_request``.
|
| CVE-2026-13484 |
|
Vulnerability in lfprojects (CVE-2026-13484)
vulnerability in lfprojects (CVE-2026-13484). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-10803 |
|
Vulnerability in mlflow (CVE-2026-10803)
vulnerability in mlflow (CVE-2026-10803). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `3.10.1` or later.
|
| CVE-2026-4035 |
|
Vulnerability in mlflow (CVE-2026-4035)
vulnerability in mlflow (CVE-2026-4035). Confidential information can be exposed externally. Exploitable via ``api_key``. Mitigation: upgrade to `3.11.0` or later.
|
| CVE-2026-3198 |
|
Vulnerability in mlflow (CVE-2026-3198)
vulnerability in mlflow (CVE-2026-3198). Confidential information can be exposed externally. Exploitable via ``BEFORE_REQUEST_HANDLERS``. Mitigation: upgrade to `3.10.0` or later.
|
| CVE-2026-2651 |
|
Vulnerability in mlflow (CVE-2026-2651)
vulnerability in mlflow (CVE-2026-2651). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.11.1` or later.
|
| CVE-2026-2734 |
|
Vulnerability in mlflow (CVE-2026-2734)
vulnerability in mlflow (CVE-2026-2734). Confidential information can be exposed externally. Exploitable via ``SearchModelVersions``. Mitigation: upgrade to `3.10.0` or later.
|
| CVE-2026-2611 |
|
Vulnerability in mlflow (CVE-2026-2611)
vulnerability in mlflow (CVE-2026-2611). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.10.0` or later.
|
| CVE-2026-4137 |
|
Vulnerability in mlflow (CVE-2026-4137)
vulnerability in mlflow (CVE-2026-4137). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `3.11.0` or later.
|
| CVE-2026-2652 |
|
Vulnerability in mlflow (CVE-2026-2652)
vulnerability in mlflow (CVE-2026-2652). Data can be tampered with by attackers. Mitigation: upgrade to `3.10.0` or later.
|
| CVE-2026-2614 |
|
MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem
MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem
|
| CVE-2026-2393 |
|
SSRF (Server-Side Request Forgery) in mlflow (CVE-2026-2393)
SSRF in mlflow (CVE-2026-2393). Confidential information can be exposed externally. Exploitable via ``url``. Mitigation: upgrade to `3.9.0` or later.
|
| CVE-2026-44430 |
|
SSRF (Server-Side Request Forgery) in github.com/modelcontextprotocol/registry (CVE-2026-44430)
SSRF in github.com/modelcontextprotocol/registry (CVE-2026-44430). Risk of unauthorized operations or information disclosure. Exploitable via `POST /v0/auth/http`. Mitigation: upgrade to `1.7.7` or later.
|
| CVE-2026-44429 |
|
Vulnerability in github.com/modelcontextprotocol/registry (CVE-2026-44429)
vulnerability in github.com/modelcontextprotocol/registry (CVE-2026-44429). Risk of unauthorized operations or information disclosure. Exploitable via `POST /v0/auth/github-at`. Mitigation: upgrade to `1.7.7` or later.
|
| CVE-2026-44428 |
|
SSRF (Server-Side Request Forgery) in github.com/modelcontextprotocol/registry (CVE-2026-44428)
SSRF in github.com/modelcontextprotocol/registry (CVE-2026-44428). Risk of unauthorized operations or information disclosure. Exploitable via ``c5c4b9e8890dd5754bee889b2f1417f4fe3b5ce5``. Mitigation: upgrade to `1.7.6` or later.
|
| CVE-2026-0545 |
|
Vulnerability in dos (CVE-2026-0545)
vulnerability in dos (CVE-2026-0545). Successful exploitation can lead to full system takeover.
|
| CVE-2026-34742 |
|
Vulnerability in lfprojects (CVE-2026-34742)
vulnerability in lfprojects (CVE-2026-34742). Confidential information can be exposed externally.
|
| CVE-2026-34237 |
|
Vulnerability in io.modelcontextprotocol.sdk:mcp-core (CVE-2026-34237)
vulnerability in io.modelcontextprotocol.sdk:mcp-core (CVE-2026-34237). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `0.18.3` or later.
|
| CVE-2025-15379 |
|
Command Injection in lfprojects (CVE-2025-15379)
command injection in lfprojects (CVE-2025-15379). Successful exploitation can lead to full system takeover. Exploitable via ``python_env.yaml``.
|
| CVE-2025-15036 |
|
Vulnerability in path-traversal (CVE-2025-15036)
vulnerability in path-traversal (CVE-2025-15036). Successful exploitation can lead to full system takeover. Exploitable via ``extract_archive_to_dir``.
|
| CVE-2025-15381 |
|
Information Disclosure in lfprojects (CVE-2025-15381)
vulnerability in lfprojects (CVE-2025-15381). Data can be tampered with by attackers. Exploitable via ``NO_PERMISSIONS``.
|
| CVE-2025-15031 |
|
Path Traversal in lfprojects (CVE-2025-15031)
path traversal in lfprojects (CVE-2025-15031). Confidential information can be exposed externally. Exploitable via ``tarfile.extractall``.
|
| CVE-2025-14287 |
|
Code Injection in lfprojects (CVE-2025-14287)
code injection in lfprojects (CVE-2025-14287). Successful exploitation can lead to full system takeover.
|
| CVE-2026-27896 |
|
Vulnerability in lfprojects (CVE-2026-27896)
vulnerability in lfprojects (CVE-2026-27896). Data can be tampered with by attackers.
|
| CVE-2026-27623 |
|
Vulnerability in lfprojects (CVE-2026-27623)
vulnerability in lfprojects (CVE-2026-27623). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-21863 |
|
Out-of-Bounds Read in lfprojects (CVE-2026-21863)
vulnerability in lfprojects (CVE-2026-21863). Risk of unauthorized operations or information disclosure.
|
| CVE-2025-67733 |
|
Vulnerability in lfprojects (CVE-2025-67733)
vulnerability in lfprojects (CVE-2025-67733). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-25536 |
|
Vulnerability in lfprojects (CVE-2026-25536)
vulnerability in lfprojects (CVE-2026-25536). Confidential information can be exposed externally.
|