Package details: pkg:pypi/aim@4.0.0.dev6
purl: pkg:pypi/aim@4.0.0.dev6
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (4)
Vulnerability: VCID-6p77-vztx-sbcf
Summary: Aim path traversal in LockManager.release_locks
Description: A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal. The `run_hash` parameter, which is user-controllable, is concatenated without normalization as part of a path used to specify file deletion. This vulnerability is exposed through the `Repo._close_run()` method, which is accessible via the tracking server instruction API. As a result, an attacker can exploit this to delete any arbitrary file on the machine running the tracking server.
Aliases: CVE-2024-8769, GHSA-4qcx-jx49-6qrh

Vulnerability: VCID-b8tg-gjmy-2fac
Summary: Aim vulnerable to Cross-site Scripting
Description: Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().
Aliases: CVE-2025-51464, GHSA-gmvv-rj92-9w35

Vulnerability: VCID-k766-4pgg-6bcb
Summary: Aim Stored XSS through TEXT EXPLORER
Description: A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Aliases: CVE-2024-8863, GHSA-pmhg-f7wc-c97m

Vulnerability: VCID-sgsk-jtpy-v7fn
Summary: Aim Web API vulnerable to Remote Code Execution
Description: A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides in the `run_search_api` function of the `aim/web/api/runs/views.py` file, where improper restriction of user access to the `RunView` object allows for the execution of arbitrary code via the `query` parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise.
Aliases: CVE-2024-2195, GHSA-mxvw-cj37-8g2h

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-06T05:56:03.752007+00:00 | GitLab Importer | Fixing | VCID-b8tg-gjmy-2fac | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2025-51464.yml | 38.6.0
2026-06-06T05:43:46.789944+00:00 | GitLab Importer | Fixing | VCID-6p77-vztx-sbcf | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-8769.yml | 38.6.0
2026-06-06T05:22:20.012999+00:00 | GitLab Importer | Fixing | VCID-k766-4pgg-6bcb | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-8863.yml | 38.6.0
2026-06-06T04:48:37.699802+00:00 | GitLab Importer | Fixing | VCID-sgsk-jtpy-v7fn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/aim/CVE-2024-2195.yml | 38.6.0