Remote Code Execution
101 entries
PYSEC-2024-241
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerabil...
PYSEC-2024-240
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems...
transformers has a Deserialization of Untrusted Data vulnerability
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
PYSEC-2023-301
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
MLflow Server-Side Request Forgery (SSRF)
A malicious user could use this issue to access internal HTTP(S) servers, and in the worst case (i.e., an AWS instance) it could be abused to gain remote code execution on the victim machine.
transformers has a Deserialization of Untrusted Data vulnerability
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.0.
PYSEC-2023-300
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
mlflow Command Injection vulnerability
With only one user interaction (downloading a malicious config), attackers can gain full command execution on the victim system.
Remote Code Execution due to Fully Controlled File Write in mlflow
The mlflow web server includes tools for tracking experiments, packaging code into reproducible runs, and sharing and deploying models. As this vulnerability allows to write / overwrite any file on th...
TorchServe Pre-Auth Remote Code Execution
Impact: Use of Open Source Library potentially exposed to RCE. Issue: Use of a version of the SnakeYAML `v1.31` open source library with multiple issues that potentially exposes the user...
Langchain vulnerable to arbitrary code execution via the evaluate function in the numexpr library
An issue in LangChain-ai Langchain v.0.0.245 allows a remote attacker to execute arbitrary code via the evaluate function in the numexpr library. Patches: Released in v.0.0.308. numexpr dependency is...
langchain vulnerable to arbitrary code execution
An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file passed to the `load_prompt` parameter. This is related to `__subclasses__` or a template.
llama-index vulnerable to arbitrary code execution
An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter in the PandasQueryEngine function.
LangChain vulnerable to arbitrary code execution
An issue in langchain langchain-ai before version 0.0.325 allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component.
LangChain vulnerable to arbitrary code execution
An issue in LangChain prior to v.0.0.247 allows a remote attacker to execute arbitrary code via the prompt parameter.
LangChain vulnerable to arbitrary code execution
An issue in Harrison Chase langchain before version 0.0.236 allows a remote attacker to execute arbitrary code via the `from_math_prompt` and `from_colored_object_prompt` functions.
langchain Code Injection vulnerability
An issue in Harrison Chase langchain allows an attacker to execute arbitrary code via `PALChain.from_math_prompt(llm).run` in the Python exec method.
mlflow vulnerable to OS Command Injection
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
PYSEC-2023-280
OS Command Injection in GitHub repository mlflow/mlflow prior to 2.6.0.
langchain vulnerable to arbitrary code execution
An issue in langchain allows a remote attacker to execute arbitrary code via the PALChain parameter in the Python exec method.
langchain arbitrary code execution vulnerability
An issue in langchain allows an attacker to execute arbitrary code via the PALChain in the Python exec method.
Langchain vulnerable to arbitrary code execution
Langchain 0.0.171 is vulnerable to Arbitrary code execution in `load_prompt`.
PYSEC-2023-92
Langchain 0.0.171 is vulnerable to Arbitrary code execution in load_prompt.
Langchain OS Command Injection vulnerability
Langchain before v0.0.225 was discovered to contain a remote code execution (RCE) vulnerability in the component JiraAPIWrapper (aka the JIRA API wrapper). This vulnerability allows attackers to execu...
PYSEC-2023-91
Langchain 0.0.171 is vulnerable to Arbitrary Code Execution.