VulnerableCode Package Details - pkg:pypi/aim@3.26.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-48xs-6auv-93b7 Aliases: CVE-2025-5321 GHSA-gp5h-f9c5-8355	A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument Abfrage leads to erweiterte Rechte. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.	3.30.0.dev20250508 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-nh25-j9ac-p7gw Aliases: CVE-2024-8769 GHSA-4qcx-jx49-6qrh	A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.	4.0.0.dev6 Affected by 0 other vulnerabilities.
VCID-rqgm-8gsj-qbeg Aliases: CVE-2025-51464 GHSA-gmvv-rj92-9w35	Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().	4.0.0.dev6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-48xs-6auv-93b7
Aliases:
CVE-2025-5321
GHSA-gp5h-f9c5-8355

A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument Abfrage leads to erweiterte Rechte. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

3.30.0.dev20250508
Affected by 1 other vulnerability.

VCID-nh25-j9ac-p7gw
Aliases:
CVE-2024-8769
GHSA-4qcx-jx49-6qrh

A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.

4.0.0.dev6
Affected by 0 other vulnerabilities.

VCID-rqgm-8gsj-qbeg
Aliases:
CVE-2025-51464
GHSA-gmvv-rj92-9w35

Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().

4.0.0.dev6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T20:07:38.270722+00:00	GitLab Importer	Affected by	VCID-rqgm-8gsj-qbeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2025-51464.yml	38.6.0
2026-06-12T20:02:46.214464+00:00	GitLab Importer	Affected by	VCID-48xs-6auv-93b7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2025-5321.yml	38.6.0
2026-06-12T19:56:17.490858+00:00	GitLab Importer	Affected by	VCID-nh25-j9ac-p7gw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-8769.yml	38.6.0