Remote Code Execution
333 entries
Every Remote Code Execution entry VulnWatch has indexed, sorted by publication date.
Subscribe to this tag's RSS feed
Transformers Deserialization of Untrusted Data vulnerability
The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class...
LangChain directory traversal vulnerability
LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading con...
PYSEC-2024-45
LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading con...
PYSEC-2024-43
LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading con...
Cross-site Scripting in MLFlow
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems...
MLFlow Cross-site Scripting vulnerability leads to client-side Remote Code Execution
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerabil...
PYSEC-2024-241
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerabil...
PYSEC-2024-240
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems...
transformers has a Deserialization of Untrusted Data vulnerability
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
PYSEC-2023-301
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
MLflow Server-Side Request Forgery (SSRF)
A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abused to get a remote code execution on the victim machine.
transformers has a Deserialization of Untrusted Data vulnerability
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.0.
PYSEC-2023-300
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
mlflow Command Injection vulnerability
with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system.
Remote Code Execution due to Full Controled File Write in mlflow
The mlflow web server includes tools for tracking experiments, packaging code into reproducible runs, and sharing and deploying models. As this vulnerability allows to write / overwrite any file on th...
TorchServe Pre-Auth Remote Code Execution
## Impact **Use of Open Source Library potentially exposed to RCE** **Issue**: Use of a version of the SnakeYAML `v1.31 `open source library with multiple issues that potentially exposes the user...
Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library
An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library. Patches: Released in v.0.0.308. numexpr dependency is...
langchain vulnerable to arbitrary code execution
An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via the via the a json file to the `load_prompt` parameter. This is related to `__subclasses__` or a template.
llama-index vulnerable to arbitrary code execution
An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter in PandasQueryEngine function.
LangChain vulnerable to arbitrary code execution
An issue in langchain langchain-ai before version 0.0.325 allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.
LangChain vulnerable to arbitrary code execution
An issue in LangChain prior to v.0.0.247 allows a remote attacker to execute arbitrary code via the prompt parameter.
LangChain vulnerable to arbitrary code execution
An issue in Harrison Chase langchain before version 0.0.236 allows a remote attacker to execute arbitrary code via the `from_math_prompt` and `from_colored_object_prompt` functions.
langchain Code Injection vulnerability
An issue in Harrison Chase langchain allows an attacker to execute arbitrary code via the PALChain,from_math_prompt(llm).run in the python exec method.
mlflow vulnerable to OS Command Injection
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
PYSEC-2023-280
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.