Remote Code Execution
333 entries
Every Remote Code Execution entry VulnWatch has indexed, sorted by publication date.
BentoML: SSTI via Unsandboxed Jinja2 in Dockerfile Generation
## Summary The Dockerfile generation function `generate_containerfile()` in `src/bentoml/_internal/container/generate.py` uses an unsandboxed `jinja2.Environment` with the `jinja2.ext.do` extension t...
BentoML: Command Injection in cloud deployment setup script
Commit ce53491 (March 24) fixed command injection via `system_packages` in Dockerfile templates and `images.py` by adding `shlex.quote`. However, the cloud deployment path in `src/bentoml/_internal/cl...
LiteLLM: Privilege escalation via unrestricted proxy configuration endpoint
### Impact The `/config/update` endpoint does not enforce admin role authorization. A user who is already authenticated into the platform can then use this endpoint to do the following: - Modify p...
mlflow: FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization
In mlflow/mlflow, the FastAPI job endpoints under `/ajax-api/3.0/jobs/*` are not protected by authentication or authorization when the `basic-auth` app is enabled. This vulnerability affects the lates...
Mlflow: Command Injection when serving models with enable_mlserver=True
A command injection vulnerability exists in Mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper san...
MLflow Command Injection vulnerability
A command injection vulnerability exists in MLflow's model serving container initialization code, specifically in the `_install_model_dependencies_to_env()` function. When deploying a model with `env_...
Hugging Face Smolagents has an Injection issue
A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluate_augassign/evaluate_call/evaluate_with of the file src/smolagents/local_python_executor.py of th...
vLLM: Hardcoded Trust Override in Model Files Enables RCE Despite Explicit User Opt-Out
### Summary Two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables re...
BentoML has Dockerfile Command Injection via system_packages in bentofile.yaml
## Summary The `docker.system_packages` field in `bentofile.yaml` accepts arbitrary strings that are interpolated directly into Dockerfile `RUN` commands without sanitization. Since `system_packages`...
Langflow Code Injection Vulnerability
Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.
Langflow has an Arbitrary File Write (RCE) via v2 API
### Summary While reviewing the recent patch for **CVE-2025-68478** (External Control of File Name in v1.7.1), I discovered that the root architectural issue within `LocalStorageService` remains unre...
Arbitrary file write via tar traversal in mlflow
A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar archive entries. Specifically, the use of `tarfile.extractall` without path valid...
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
## Summary The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows without requiring authentication. When the optional `data` parameter is supplied, the endpoint uses...
MLflow has a command injection in mlflow/sagemaker/__init__.py
A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct int...
LangGraph checkpoint loading has unsafe msgpack deserialization
LangGraph checkpointers can load msgpack-encoded checkpoints that reconstruct Python objects during deserialization. If an attacker can modify checkpoint data in the backing store (for example, after...
NLTK has a Path Traversal issue
A vulnerability in NLTK versions up to and including 3.9.2 allows arbitrary file read via path traversal in multiple CorpusReader classes, including WordListCorpusReader, TaggedCorpusReader, and Brack...
PickleScan's pkgutil.resolve_name has a universal blocklist bypass
## Summary `pkgutil.resolve_name()` is a Python stdlib function that resolves any `"module:attribute"` string to the corresponding Python object at runtime. By using `pkgutil.resolve_name` as the fir...
BentoML Vulnerable to Arbitrary File Write via Symlink Path Traversal in Tar Extraction
# Arbitrary File Write via Symlink Path Traversal in Tar Extraction ## Summary The `safe_extract_tarfile()` function validates that each tar member's path is within the destination directory, but fo...
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability
MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflo...
Microsoft Semantic Kernel InMemoryVectorStore filter functionality vulnerable to remote code execution
### Impact: An RCE vulnerability has been identified in Microsoft Semantic Kernel Python SDK, specifically within the `InMemoryVectorStore` filter functionality. ### Patches: The problem has been fix...
Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER
### Summary This is a scanning bypass to `scan_pytorch` function in `picklescan`. As we can see in the implementation of [get_magic_number()](https://github.com/mmaitre314/picklescan/blob/2a8383cfeb41...
picklescan missing detection by simple obfuscation of a `builtins.eval` call
### Summary An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the host loading a pickle payload from an untrusted source. ### Details It's possibl...
vLLM has RCE In Video Processing
## Summary **A chain of vulnerabilities in vLLM allows Remote Code Execution (RCE):** 1. **Info Leak** - PIL error messages expose memory addresses, bypassing ASLR 2. **Heap Overflow** - JPEG2000 dec...
mlflow: Creation of Temporary File in Directory with Insecure Permissions
In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with writ...
Duplicate Advisory: gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)
### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4h5r-5jm8-jxjm. This link is maintained to preserve external references. ### Original Description gemini-mcp-...