Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/730033?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/730033?format=api", "purl": "pkg:pypi/aim@3.17.5rc4", "type": "pypi", "namespace": "", "name": "aim", "version": "3.17.5rc4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.0.0.dev6", "latest_non_vulnerable_version": "4.0.0.dev6", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55587?format=api", "vulnerability_id": "VCID-1ndt-py87-vuaz", "summary": "Aim Stored Cross-site Scripting Vulnerability\nA stored cross-site scripting (XSS) vulnerability exists in aimhubio/aim version 3.19.3. The vulnerability arises from the improper neutralization of input during web page generation, specifically in the logs-tab for runs. The terminal output logs are displayed using the `dangerouslySetInnerHTML` function in React, which is susceptible to XSS attacks. An attacker can exploit this vulnerability by injecting malicious scripts into the logs, which will be executed when a user views the logs-tab.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6578", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00233", "scoring_system": "epss", "scoring_elements": "0.46283", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00233", "scoring_system": "epss", "scoring_elements": "0.46236", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00233", "scoring_system": "epss", "scoring_elements": "0.46263", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00233", "scoring_system": "epss", "scoring_elements": "0.46281", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6578" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" }, { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-29T18:44:56Z/" } ], "url": "https://huntr.com/bounties/5b1ebc67-5346-44aa-b8b8-3c1c09d79680" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6578", "reference_id": "CVE-2024-6578", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6578" }, { "reference_url": "https://github.com/advisories/GHSA-p9f2-jg9w-cx69", "reference_id": "GHSA-p9f2-jg9w-cx69", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p9f2-jg9w-cx69" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/749748?format=api", "purl": "pkg:pypi/aim@3.20.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jnj-9x14-4qce" }, { "vulnerability": "VCID-5c2z-bweu-47hy" }, { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-ahjg-p7ah-2ugh" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cv98-1rer-xfdz" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" }, { "vulnerability": "VCID-hyhp-a7z8-jfft" }, { "vulnerability": "VCID-k766-4pgg-6bcb" }, { "vulnerability": "VCID-qrfx-jwtm-y3aq" }, { "vulnerability": "VCID-tdcy-azet-r3ge" }, { "vulnerability": "VCID-tsvd-q9dm-qka9" }, { "vulnerability": "VCID-ud1y-m5hg-mffh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.20.1" } ], "aliases": [ "CVE-2024-6578", "GHSA-p9f2-jg9w-cx69" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1ndt-py87-vuaz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55477?format=api", "vulnerability_id": "VCID-2kd7-zuu4-juh3", "summary": "Aim denial of service vulnerability\nA vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause an infinite loop by configuring the remote tracking server to point at itself. This results in the server endlessly connecting to itself, rendering it unable to respond to other connections.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6227", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00272", "scoring_system": "epss", "scoring_elements": "0.5086", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00272", "scoring_system": "epss", "scoring_elements": "0.50809", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00272", "scoring_system": "epss", "scoring_elements": "0.50839", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00272", "scoring_system": "epss", "scoring_elements": "0.50855", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6227" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://github.com/aimhubio/aim/blob/2e7b8aff8dcba9ddd5043dfec88cf2319ba8a87c/aim/sdk/repo.py#L195", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim/blob/2e7b8aff8dcba9ddd5043dfec88cf2319ba8a87c/aim/sdk/repo.py#L195" }, { "reference_url": "https://huntr.com/bounties/abcea7c6-bb3b-45e9-aa15-9eb6b224451a", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-08T19:51:23Z/" } ], "url": "https://huntr.com/bounties/abcea7c6-bb3b-45e9-aa15-9eb6b224451a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6227", "reference_id": "CVE-2024-6227", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6227" }, { "reference_url": "https://github.com/advisories/GHSA-36h2-g4c8-9xcm", "reference_id": "GHSA-36h2-g4c8-9xcm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-36h2-g4c8-9xcm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/749748?format=api", "purl": "pkg:pypi/aim@3.20.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jnj-9x14-4qce" }, { "vulnerability": "VCID-5c2z-bweu-47hy" }, { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-ahjg-p7ah-2ugh" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cv98-1rer-xfdz" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" }, { "vulnerability": "VCID-hyhp-a7z8-jfft" }, { "vulnerability": "VCID-k766-4pgg-6bcb" }, { "vulnerability": "VCID-qrfx-jwtm-y3aq" }, { "vulnerability": "VCID-tdcy-azet-r3ge" }, { "vulnerability": "VCID-tsvd-q9dm-qka9" }, { "vulnerability": "VCID-ud1y-m5hg-mffh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.20.1" } ], "aliases": [ "CVE-2024-6227", "GHSA-36h2-g4c8-9xcm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2kd7-zuu4-juh3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56838?format=api", "vulnerability_id": "VCID-3jnj-9x14-4qce", "summary": "Aim Uncontrolled Resource Consumption vulnerability\nIn version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket messages, allowing very large images to be tracked. This causes the server to become unresponsive to other requests while processing the large image, leading to a denial of service condition.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-0189", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00578", "scoring_system": "epss", "scoring_elements": "0.69257", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00578", "scoring_system": "epss", "scoring_elements": "0.69241", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00578", "scoring_system": "epss", "scoring_elements": "0.69266", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-0189" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/e4c9bf41-72cf-4d04-baaf-8f12b5b7926e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:50:24Z/" } ], "url": "https://huntr.com/bounties/e4c9bf41-72cf-4d04-baaf-8f12b5b7926e" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0189", "reference_id": "CVE-2025-0189", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0189" }, { "reference_url": "https://github.com/advisories/GHSA-j5qj-rg5j-j7c2", "reference_id": "GHSA-j5qj-rg5j-j7c2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j5qj-rg5j-j7c2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/808969?format=api", "purl": "pkg:pypi/aim@3.25.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.25.1" } ], "aliases": [ "CVE-2025-0189", "GHSA-j5qj-rg5j-j7c2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3jnj-9x14-4qce" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56883?format=api", "vulnerability_id": "VCID-5c2z-bweu-47hy", "summary": "Aim vulnerable to Cross-Site Request Forgery\naimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CORS settings, allowing cross-origin requests from all origins. This enables CSRF attacks on all endpoints of the tracking server, which can be chained with other existing vulnerabilities such as remote code execution, denial of service, and arbitrary file read/write.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-7760", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00229", "scoring_system": "epss", "scoring_elements": "0.45746", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00229", "scoring_system": "epss", "scoring_elements": "0.45703", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00229", "scoring_system": "epss", "scoring_elements": "0.45729", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00229", "scoring_system": "epss", "scoring_elements": "0.45749", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-7760" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/2038df5f-4829-4040-8573-67bf9bb89229", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:51:47Z/" } ], "url": "https://huntr.com/bounties/2038df5f-4829-4040-8573-67bf9bb89229" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7760", "reference_id": "CVE-2024-7760", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7760" }, { "reference_url": "https://github.com/advisories/GHSA-38r9-3j52-h92v", "reference_id": "GHSA-38r9-3j52-h92v", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-38r9-3j52-h92v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84478?format=api", "purl": "pkg:pypi/aim@3.23.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jnj-9x14-4qce" }, { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cv98-1rer-xfdz" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" }, { "vulnerability": "VCID-hyhp-a7z8-jfft" }, { "vulnerability": "VCID-k766-4pgg-6bcb" }, { "vulnerability": "VCID-qrfx-jwtm-y3aq" }, { "vulnerability": "VCID-tsvd-q9dm-qka9" }, { "vulnerability": "VCID-ud1y-m5hg-mffh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.23.0" } ], "aliases": [ "CVE-2024-7760", "GHSA-38r9-3j52-h92v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5c2z-bweu-47hy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56921?format=api", "vulnerability_id": "VCID-6p77-vztx-sbcf", "summary": "Aim path traversal in LockManager.release_locks\nA vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8769", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01313", "scoring_system": "epss", "scoring_elements": "0.80185", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.01313", "scoring_system": "epss", "scoring_elements": "0.80176", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.01313", "scoring_system": "epss", "scoring_elements": "0.80184", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01313", "scoring_system": "epss", "scoring_elements": "0.80188", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8769" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://github.com/aimhubio/aim/blob/bb76afe6e9a54364f322520cc4fea2679238f904/aim/sdk/lock_manager.py#L140", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim/blob/bb76afe6e9a54364f322520cc4fea2679238f904/aim/sdk/lock_manager.py#L140" }, { "reference_url": "https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-03-20T13:05:15Z/" } ], "url": "https://huntr.com/bounties/59d3472f-f581-4beb-a090-afd36a00ecf7" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8769", "reference_id": "CVE-2024-8769", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8769" }, { "reference_url": "https://github.com/advisories/GHSA-4qcx-jx49-6qrh", "reference_id": "GHSA-4qcx-jx49-6qrh", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4qcx-jx49-6qrh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/730043?format=api", "purl": "pkg:pypi/aim@4.0.0.dev6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@4.0.0.dev6" } ], "aliases": [ "CVE-2024-8769", "GHSA-4qcx-jx49-6qrh" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-6p77-vztx-sbcf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56935?format=api", "vulnerability_id": "VCID-ahjg-p7ah-2ugh", "summary": "Aim Path Traversal vulnerability\nIn version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-specified glob-pattern for deleting files. The function does not verify that the matched files are within the directory managed by LocalFileManager, allowing a maliciously crafted glob-pattern to lead to arbitrary file deletion.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6851", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01241", "scoring_system": "epss", "scoring_elements": "0.79622", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01241", "scoring_system": "epss", "scoring_elements": "0.79613", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.01241", "scoring_system": "epss", "scoring_elements": "0.79627", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6851" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://github.com/aimhubio/aim/blob/88ac143708fad8737094b74e9e5b25689d18f1a6/aim/sdk/reporter/file_manager.py#L44", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim/blob/88ac143708fad8737094b74e9e5b25689d18f1a6/aim/sdk/reporter/file_manager.py#L44" }, { "reference_url": "https://huntr.com/bounties/839703fb-23b7-4dc4-ae81-44cd4740d3f3", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:52:40Z/" } ], "url": "https://huntr.com/bounties/839703fb-23b7-4dc4-ae81-44cd4740d3f3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6851", "reference_id": "CVE-2024-6851", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6851" }, { "reference_url": "https://github.com/advisories/GHSA-mrvr-7493-pfq3", "reference_id": "GHSA-mrvr-7493-pfq3", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-mrvr-7493-pfq3" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84478?format=api", "purl": "pkg:pypi/aim@3.23.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jnj-9x14-4qce" }, { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cv98-1rer-xfdz" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" }, { "vulnerability": "VCID-hyhp-a7z8-jfft" }, { "vulnerability": "VCID-k766-4pgg-6bcb" }, { "vulnerability": "VCID-qrfx-jwtm-y3aq" }, { "vulnerability": "VCID-tsvd-q9dm-qka9" }, { "vulnerability": "VCID-ud1y-m5hg-mffh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.23.0" } ], "aliases": [ "CVE-2024-6851", "GHSA-mrvr-7493-pfq3" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ahjg-p7ah-2ugh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56886?format=api", "vulnerability_id": "VCID-anvr-6jwv-9yf7", "summary": "Aim External Control of File Name or Path vulnerability\nA vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the `tarfile.extractall()` function to extract the contents of a maliciously crafted tarfile to arbitrary locations on the host server. The attacker can control `repo.path` and `run_hash` to bypass directory existence checks and extract files to unintended locations, potentially overwriting critical files. This can lead to arbitrary data being written to arbitrary locations on the remote tracking server, which could be used for further attacks such as writing a new SSH key to the target server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6829", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34617", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34563", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34597", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00145", "scoring_system": "epss", "scoring_elements": "0.34633", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6829" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/7c97065c-1b63-4982-82c1-8038be0ed570", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:50:36Z/" } ], "url": "https://huntr.com/bounties/7c97065c-1b63-4982-82c1-8038be0ed570" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6829", "reference_id": "CVE-2024-6829", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6829" }, { "reference_url": "https://github.com/advisories/GHSA-75px-35p4-qq6h", "reference_id": "GHSA-75px-35p4-qq6h", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-75px-35p4-qq6h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/749748?format=api", "purl": "pkg:pypi/aim@3.20.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jnj-9x14-4qce" }, { "vulnerability": "VCID-5c2z-bweu-47hy" }, { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-ahjg-p7ah-2ugh" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cv98-1rer-xfdz" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" }, { "vulnerability": "VCID-hyhp-a7z8-jfft" }, { "vulnerability": "VCID-k766-4pgg-6bcb" }, { "vulnerability": "VCID-qrfx-jwtm-y3aq" }, { "vulnerability": "VCID-tdcy-azet-r3ge" }, { "vulnerability": "VCID-tsvd-q9dm-qka9" }, { "vulnerability": "VCID-ud1y-m5hg-mffh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.20.1" } ], "aliases": [ "CVE-2024-6829", "GHSA-75px-35p4-qq6h" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-anvr-6jwv-9yf7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57698?format=api", "vulnerability_id": "VCID-b8tg-gjmy-2fac", "summary": "Aim vulnerable to Cross-site Scripting\nCross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-51464", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01878", "scoring_system": "epss", "scoring_elements": "0.83496", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.01878", "scoring_system": "epss", "scoring_elements": "0.83505", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.01878", "scoring_system": "epss", "scoring_elements": "0.83508", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.01878", "scoring_system": "epss", "scoring_elements": "0.83506", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-51464" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-07-22T18:15:49Z/" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://github.com/aimhubio/aim/pull/3333", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-07-22T18:15:49Z/" } ], "url": "https://github.com/aimhubio/aim/pull/3333" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51464", "reference_id": "CVE-2025-51464", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51464" }, { "reference_url": "https://www.gecko.security/blog/cve-2025-51464", "reference_id": "CVE-2025-51464", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-07-22T18:15:49Z/" } ], "url": "https://www.gecko.security/blog/cve-2025-51464" }, { "reference_url": "https://github.com/advisories/GHSA-gmvv-rj92-9w35", "reference_id": "GHSA-gmvv-rj92-9w35", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gmvv-rj92-9w35" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/730043?format=api", "purl": "pkg:pypi/aim@4.0.0.dev6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@4.0.0.dev6" } ], "aliases": [ "CVE-2025-51464", "GHSA-gmvv-rj92-9w35" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b8tg-gjmy-2fac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56900?format=api", "vulnerability_id": "VCID-cv98-1rer-xfdz", "summary": "Aim Uncontrolled Resource Consumption vulnerability\nA vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics are retrieved simultaneously from the Aim web API, causing the web server to become unresponsive. The root cause is the lack of a limit on the number of metrics that can be requested per call, combined with the server's single-threaded nature, leading to excessive resource consumption and blocking of the server.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12778", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00426", "scoring_system": "epss", "scoring_elements": "0.6262", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00426", "scoring_system": "epss", "scoring_elements": "0.62604", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00426", "scoring_system": "epss", "scoring_elements": "0.62618", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00426", "scoring_system": "epss", "scoring_elements": "0.62629", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12778" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/892a9eee-0251-4e57-94a4-dad2e7f32715", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:52:12Z/" } ], "url": "https://huntr.com/bounties/892a9eee-0251-4e57-94a4-dad2e7f32715" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12778", "reference_id": "CVE-2024-12778", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12778" }, { "reference_url": "https://github.com/advisories/GHSA-35p3-6j45-prwm", "reference_id": "GHSA-35p3-6j45-prwm", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-35p3-6j45-prwm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/808969?format=api", "purl": "pkg:pypi/aim@3.25.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.25.1" } ], "aliases": [ "CVE-2024-12778", "GHSA-35p3-6j45-prwm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cv98-1rer-xfdz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57371?format=api", "vulnerability_id": "VCID-cvnh-3u25-wqhu", "summary": "Aim Vulnerable to Sandbox Escape Leading to Remote Code Execution\nA vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument Query leads to sandbox issue. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-5321", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.59515", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.59487", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.59506", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00376", "scoring_system": "epss", "scoring_elements": "0.59511", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-5321" }, { "reference_url": "https://gist.github.com/superboy-zjc/1fc4747a0ac77a1edc8c32e1d4edc54c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:P/I:P/A:P" }, { "value": "6.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-29T15:16:32Z/" } ], "url": "https://gist.github.com/superboy-zjc/1fc4747a0ac77a1edc8c32e1d4edc54c" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://vuldb.com/?ctiid.310492", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:P/I:P/A:P" }, { "value": "6.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-29T15:16:32Z/" } ], "url": "https://vuldb.com/?ctiid.310492" }, { "reference_url": "https://vuldb.com/?id.310492", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:P/I:P/A:P" }, { "value": "6.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-29T15:16:32Z/" } ], "url": "https://vuldb.com/?id.310492" }, { "reference_url": "https://vuldb.com/?submit.580253", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:P/I:P/A:P" }, { "value": "6.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-29T15:16:32Z/" } ], "url": "https://vuldb.com/?submit.580253" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5321", "reference_id": "CVE-2025-5321", "reference_type": "", "scores": [ { "value": "6.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5321" }, { "reference_url": "https://github.com/advisories/GHSA-gp5h-f9c5-8355", "reference_id": "GHSA-gp5h-f9c5-8355", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-gp5h-f9c5-8355" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/821706?format=api", "purl": "pkg:pypi/aim@3.30.0.dev20250508", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-b8tg-gjmy-2fac" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.30.0.dev20250508" } ], "aliases": [ "CVE-2025-5321", "GHSA-gp5h-f9c5-8355" ], "risk_score": 3.0, "exploitability": "0.5", "weighted_severity": "5.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-cvnh-3u25-wqhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56905?format=api", "vulnerability_id": "VCID-hyhp-a7z8-jfft", "summary": "Aim vulnerable to Synchronous Access of Remote Resource without Timeout\nA vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-threaded, can be made unresponsive by requesting it to connect to an unresponsive socket via sshfs. The lack of an additional timeout setting in the sshfs-client causes the server to hang for a significant amount of time, preventing it from responding to other requests.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12777", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00214", "scoring_system": "epss", "scoring_elements": "0.44023", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00214", "scoring_system": "epss", "scoring_elements": "0.4397", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00214", "scoring_system": "epss", "scoring_elements": "0.44006", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00214", "scoring_system": "epss", "scoring_elements": "0.44031", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-12777" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://github.com/aimhubio/aim/blob/d4ad66ac87606b1f377d3e685e861abb2eef6c45/aim/ext/sshfs/utils.py#L151-L154", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim/blob/d4ad66ac87606b1f377d3e685e861abb2eef6c45/aim/ext/sshfs/utils.py#L151-L154" }, { "reference_url": "https://huntr.com/bounties/cdf8db79-c290-4fe5-9383-4c518bfba4a8", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T13:30:15Z/" } ], "url": "https://huntr.com/bounties/cdf8db79-c290-4fe5-9383-4c518bfba4a8" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12777", "reference_id": "CVE-2024-12777", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12777" }, { "reference_url": "https://github.com/advisories/GHSA-v5pj-jrpv-h6g2", "reference_id": "GHSA-v5pj-jrpv-h6g2", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-v5pj-jrpv-h6g2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/808969?format=api", "purl": "pkg:pypi/aim@3.25.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.25.1" } ], "aliases": [ "CVE-2024-12777", "GHSA-v5pj-jrpv-h6g2" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hyhp-a7z8-jfft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55828?format=api", "vulnerability_id": "VCID-k766-4pgg-6bcb", "summary": "Aim Stored XSS through TEXT EXPLORER\nA vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8863", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00134", "scoring_system": "epss", "scoring_elements": "0.32579", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00134", "scoring_system": "epss", "scoring_elements": "0.32509", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00134", "scoring_system": "epss", "scoring_elements": "0.3254", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00134", "scoring_system": "epss", "scoring_elements": "0.32611", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8863" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://rumbling-slice-eb0.notion.site/Stored-XSS-through-TEXT-EXPLORER-in-aimhubio-aim-d0f07b7194724950a673498546d80d43?pvs=4", "reference_id": "", "reference_type": "", "scores": [ { "value": "4", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:N/I:P/A:N" }, { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T14:12:24Z/" } ], "url": "https://rumbling-slice-eb0.notion.site/Stored-XSS-through-TEXT-EXPLORER-in-aimhubio-aim-d0f07b7194724950a673498546d80d43?pvs=4" }, { "reference_url": "https://vuldb.com/?ctiid.277500", "reference_id": "", "reference_type": "", "scores": [ { "value": "4", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:N/I:P/A:N" }, { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T14:12:24Z/" } ], "url": "https://vuldb.com/?ctiid.277500" }, { "reference_url": "https://vuldb.com/?id.277500", "reference_id": "", "reference_type": "", "scores": [ { "value": "4", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:N/I:P/A:N" }, { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T14:12:24Z/" } ], "url": "https://vuldb.com/?id.277500" }, { "reference_url": "https://vuldb.com/?submit.403203", "reference_id": "", "reference_type": "", "scores": [ { "value": "4", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:N/I:P/A:N" }, { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-16T14:12:24Z/" } ], "url": "https://vuldb.com/?submit.403203" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8863", "reference_id": "CVE-2024-8863", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8863" }, { "reference_url": "https://github.com/advisories/GHSA-pmhg-f7wc-c97m", "reference_id": "GHSA-pmhg-f7wc-c97m", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pmhg-f7wc-c97m" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/730043?format=api", "purl": "pkg:pypi/aim@4.0.0.dev6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@4.0.0.dev6" } ], "aliases": [ "CVE-2024-8863", "GHSA-pmhg-f7wc-c97m" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k766-4pgg-6bcb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56884?format=api", "vulnerability_id": "VCID-qrfx-jwtm-y3aq", "summary": "Aim Vulnerable to Denial of Service (DoS)\nIn version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server, leading to the main thread being blocked indefinitely. This results in a denial of service as the tracking server becomes unable to respond to other requests.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-10110", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00345", "scoring_system": "epss", "scoring_elements": "0.57384", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00345", "scoring_system": "epss", "scoring_elements": "0.57369", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00345", "scoring_system": "epss", "scoring_elements": "0.57382", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00345", "scoring_system": "epss", "scoring_elements": "0.57394", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-10110" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://github.com/aimhubio/aim/blob/a566d4a2501c96a545a3c89d92af6ad7e7e0da99/aim/sdk/reporter/__init__.py#L789", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim/blob/a566d4a2501c96a545a3c89d92af6ad7e7e0da99/aim/sdk/reporter/__init__.py#L789" }, { "reference_url": "https://huntr.com/bounties/5ea6cf56-7b4c-4dce-9b6c-3e910fbb1ae4", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:53:59Z/" } ], "url": "https://huntr.com/bounties/5ea6cf56-7b4c-4dce-9b6c-3e910fbb1ae4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10110", "reference_id": "CVE-2024-10110", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10110" }, { "reference_url": "https://github.com/advisories/GHSA-fx47-jpv9-7hxr", "reference_id": "GHSA-fx47-jpv9-7hxr", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fx47-jpv9-7hxr" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82645?format=api", "purl": "pkg:pypi/aim@3.24.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jnj-9x14-4qce" }, { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cv98-1rer-xfdz" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" }, { "vulnerability": "VCID-hyhp-a7z8-jfft" }, { "vulnerability": "VCID-k766-4pgg-6bcb" }, { "vulnerability": "VCID-tsvd-q9dm-qka9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.24.0" } ], "aliases": [ "CVE-2024-10110", "GHSA-fx47-jpv9-7hxr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qrfx-jwtm-y3aq" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47444?format=api", "vulnerability_id": "VCID-rwnh-n4wn-6bch", "summary": "Aim Cross-Site Request Forgery vulnerability allows user to delete runs and perform other operations\naimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboard. An attacker can exploit this by tricking a user into executing a malicious script that sends unauthorized requests to the aim server, leading to potential data loss and unauthorized data manipulation.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2196", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00536", "scoring_system": "epss", "scoring_elements": "0.6787", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00536", "scoring_system": "epss", "scoring_elements": "0.67852", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00536", "scoring_system": "epss", "scoring_elements": "0.67866", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00536", "scoring_system": "epss", "scoring_elements": "0.67877", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2196" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/e141e3f2-afbb-405f-a891-f66628c8b68f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-31T14:42:05Z/" } ], "url": "https://huntr.com/bounties/e141e3f2-afbb-405f-a891-f66628c8b68f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2196", "reference_id": "CVE-2024-2196", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2196" }, { "reference_url": "https://github.com/advisories/GHSA-99w2-67h8-5948", "reference_id": "GHSA-99w2-67h8-5948", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-99w2-67h8-5948" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/730034?format=api", "purl": "pkg:pypi/aim@3.18.0.dev2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1ndt-py87-vuaz" }, { "vulnerability": "VCID-2kd7-zuu4-juh3" }, { "vulnerability": "VCID-3jnj-9x14-4qce" }, { "vulnerability": "VCID-5c2z-bweu-47hy" }, { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-ahjg-p7ah-2ugh" }, { "vulnerability": "VCID-anvr-6jwv-9yf7" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cv98-1rer-xfdz" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" }, { "vulnerability": "VCID-hyhp-a7z8-jfft" }, { "vulnerability": "VCID-k766-4pgg-6bcb" }, { "vulnerability": "VCID-qrfx-jwtm-y3aq" }, { "vulnerability": "VCID-sgsk-jtpy-v7fn" }, { "vulnerability": "VCID-tdcy-azet-r3ge" }, { "vulnerability": "VCID-tsvd-q9dm-qka9" }, { "vulnerability": "VCID-ud1y-m5hg-mffh" }, { "vulnerability": "VCID-va11-wf2e-gydn" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.18.0.dev2" } ], "aliases": [ "CVE-2024-2196", "GHSA-99w2-67h8-5948" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rwnh-n4wn-6bch" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47438?format=api", "vulnerability_id": "VCID-sgsk-jtpy-v7fn", "summary": "Aim Web API vulnerable to Remote Code Execution\nA critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides in the `run_search_api` function of the `aim/web/api/runs/views.py` file, where improper restriction of user access to the `RunView` object allows for the execution of arbitrary code via the `query` parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2195", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.08378", "scoring_system": "epss", "scoring_elements": "0.92467", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.08378", "scoring_system": "epss", "scoring_elements": "0.92457", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.08378", "scoring_system": "epss", "scoring_elements": "0.92458", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.08378", "scoring_system": "epss", "scoring_elements": "0.92463", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-2195" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/22f2355e-b875-4c01-b454-327e5951c018", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-04-10T19:27:31Z/" } ], "url": "https://huntr.com/bounties/22f2355e-b875-4c01-b454-327e5951c018" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2195", "reference_id": "CVE-2024-2195", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-2195" }, { "reference_url": "https://github.com/advisories/GHSA-mxvw-cj37-8g2h", "reference_id": "GHSA-mxvw-cj37-8g2h", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mxvw-cj37-8g2h" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/730043?format=api", "purl": "pkg:pypi/aim@4.0.0.dev6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@4.0.0.dev6" } ], "aliases": [ "CVE-2024-2195", "GHSA-mxvw-cj37-8g2h" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-sgsk-jtpy-v7fn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56862?format=api", "vulnerability_id": "VCID-tdcy-azet-r3ge", "summary": "Aim Improper Access Control\nIn version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. This version does not protect against the str.format_map() method, allowing an attacker to leak server-side secrets or potentially gain unrestricted code execution. The vulnerability arises because str.format_map() can read arbitrary attributes of Python objects, enabling attackers to access sensitive variables such as os.environ. If an attacker can write files to a known location on the Aim server, they can use str.format_map() to load a malicious .dll/.so file into the Python interpreter, leading to unrestricted code execution.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8238", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0039", "scoring_system": "epss", "scoring_elements": "0.60419", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.0039", "scoring_system": "epss", "scoring_elements": "0.60393", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.0039", "scoring_system": "epss", "scoring_elements": "0.6041", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.0039", "scoring_system": "epss", "scoring_elements": "0.60422", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8238" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://github.com/aimhubio/aim/blob/main/aim/storage/query.py#L45", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim/blob/main/aim/storage/query.py#L45" }, { "reference_url": "https://huntr.com/bounties/4e140ef9-f6d1-4e68-a44c-3b9e856924d3", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-20T14:23:53Z/" } ], "url": "https://huntr.com/bounties/4e140ef9-f6d1-4e68-a44c-3b9e856924d3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8238", "reference_id": "CVE-2024-8238", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8238" }, { "reference_url": "https://github.com/advisories/GHSA-r229-5wgf-f28g", "reference_id": "GHSA-r229-5wgf-f28g", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-r229-5wgf-f28g" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84478?format=api", "purl": "pkg:pypi/aim@3.23.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jnj-9x14-4qce" }, { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cv98-1rer-xfdz" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" }, { "vulnerability": "VCID-hyhp-a7z8-jfft" }, { "vulnerability": "VCID-k766-4pgg-6bcb" }, { "vulnerability": "VCID-qrfx-jwtm-y3aq" }, { "vulnerability": "VCID-tsvd-q9dm-qka9" }, { "vulnerability": "VCID-ud1y-m5hg-mffh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.23.0" } ], "aliases": [ "CVE-2024-8238", "GHSA-r229-5wgf-f28g" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tdcy-azet-r3ge" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56870?format=api", "vulnerability_id": "VCID-tsvd-q9dm-qka9", "summary": "Aim Excessive Data Query Operations in a Large Data Table vulnerability\nIn version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously through the web API, the Aim web server becomes unresponsive to other requests for an extended period while processing and returning these objects. This vulnerability can be exploited repeatedly, leading to a complete denial of service.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-0190", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63659", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63647", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63658", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63666", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-0190" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/38d151f1-abb4-443a-86b0-6c26f0c6cb70", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:55:00Z/" } ], "url": "https://huntr.com/bounties/38d151f1-abb4-443a-86b0-6c26f0c6cb70" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0190", "reference_id": "CVE-2025-0190", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0190" }, { "reference_url": "https://github.com/advisories/GHSA-fm93-g6xp-35xq", "reference_id": "GHSA-fm93-g6xp-35xq", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-fm93-g6xp-35xq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/808969?format=api", "purl": "pkg:pypi/aim@3.25.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.25.1" } ], "aliases": [ "CVE-2025-0190", "GHSA-fm93-g6xp-35xq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tsvd-q9dm-qka9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56864?format=api", "vulnerability_id": "VCID-ud1y-m5hg-mffh", "summary": "Aim allows denial of service due to no timeouts for some tracking server endpoints\nIn version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, causing the server to wait indefinitely for a response. This can lead to a denial of service, as the tracking server does not respond to other requests while waiting. The issue arises in the client used by the `aim` tracking server to communicate with external resources, specifically in the `_run_read_instructions` method and similar calls without timeouts.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8061", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00471", "scoring_system": "epss", "scoring_elements": "0.65012", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00471", "scoring_system": "epss", "scoring_elements": "0.64998", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00471", "scoring_system": "epss", "scoring_elements": "0.6501", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00471", "scoring_system": "epss", "scoring_elements": "0.65022", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-8061" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://github.com/aimhubio/aim/blob/a6c6f2fee0f1abe37c1d66701b0329fb6af31a3d/aim/ext/transport/client.py#L258", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim/blob/a6c6f2fee0f1abe37c1d66701b0329fb6af31a3d/aim/ext/transport/client.py#L258" }, { "reference_url": "https://huntr.com/bounties/c85d005c-b354-4c51-a88f-adda2f09622b", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:52:15Z/" } ], "url": "https://huntr.com/bounties/c85d005c-b354-4c51-a88f-adda2f09622b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8061", "reference_id": "CVE-2024-8061", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8061" }, { "reference_url": "https://github.com/advisories/GHSA-6w7p-xrvp-p7xv", "reference_id": "GHSA-6w7p-xrvp-p7xv", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-6w7p-xrvp-p7xv" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82645?format=api", "purl": "pkg:pypi/aim@3.24.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jnj-9x14-4qce" }, { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cv98-1rer-xfdz" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" }, { "vulnerability": "VCID-hyhp-a7z8-jfft" }, { "vulnerability": "VCID-k766-4pgg-6bcb" }, { "vulnerability": "VCID-tsvd-q9dm-qka9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.24.0" } ], "aliases": [ "CVE-2024-8061", "GHSA-6w7p-xrvp-p7xv" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ud1y-m5hg-mffh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56857?format=api", "vulnerability_id": "VCID-va11-wf2e-gydn", "summary": "Aim Relative Path Traversal vulnerability\nA vulnerability in the `runs/delete-batch` endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion. This can be exploited to delete arbitrary files or directories, potentially causing denial of service or data loss.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6483", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00659", "scoring_system": "epss", "scoring_elements": "0.71505", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00659", "scoring_system": "epss", "scoring_elements": "0.71471", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00659", "scoring_system": "epss", "scoring_elements": "0.71487", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00659", "scoring_system": "epss", "scoring_elements": "0.71511", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6483" }, { "reference_url": "https://github.com/aimhubio/aim", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/aimhubio/aim" }, { "reference_url": "https://huntr.com/bounties/dc45d480-e579-4af4-8603-c52ecfd5e363", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-20T17:53:32Z/" } ], "url": "https://huntr.com/bounties/dc45d480-e579-4af4-8603-c52ecfd5e363" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6483", "reference_id": "CVE-2024-6483", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6483" }, { "reference_url": "https://github.com/advisories/GHSA-p6x3-v6g3-7557", "reference_id": "GHSA-p6x3-v6g3-7557", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-p6x3-v6g3-7557" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/749748?format=api", "purl": "pkg:pypi/aim@3.20.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jnj-9x14-4qce" }, { "vulnerability": "VCID-5c2z-bweu-47hy" }, { "vulnerability": "VCID-6p77-vztx-sbcf" }, { "vulnerability": "VCID-ahjg-p7ah-2ugh" }, { "vulnerability": "VCID-b8tg-gjmy-2fac" }, { "vulnerability": "VCID-cv98-1rer-xfdz" }, { "vulnerability": "VCID-cvnh-3u25-wqhu" }, { "vulnerability": "VCID-hyhp-a7z8-jfft" }, { "vulnerability": "VCID-k766-4pgg-6bcb" }, { "vulnerability": "VCID-qrfx-jwtm-y3aq" }, { "vulnerability": "VCID-tdcy-azet-r3ge" }, { "vulnerability": "VCID-tsvd-q9dm-qka9" }, { "vulnerability": "VCID-ud1y-m5hg-mffh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.20.1" } ], "aliases": [ "CVE-2024-6483", "GHSA-p6x3-v6g3-7557" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-va11-wf2e-gydn" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/aim@3.17.5rc4" }