VulnerableCode Package Details - pkg:pypi/nvflare@2.0.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-ckay-6d62-ekb6 Aliases: CVE-2022-31605 GHSA-hrf3-622q-8366 PYSEC-2022-232	NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.	2.1.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-hent-veuq-mfga Aliases: CVE-2026-24178 PYSEC-2026-100	NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may lead to privilege escalation, data tampering, information disclosure, code execution, and denial of service.	2.7.2 Affected by 0 other vulnerabilities.
VCID-hqup-r5bc-z3gk Aliases: CVE-2022-34668 GHSA-6qv6-q77g-7qm6 PYSEC-2022-257	NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.	2.1.4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-wps3-9req-s7bt Aliases: CVE-2022-31604 GHSA-rcxc-3w2m-mp8h PYSEC-2022-231	NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.	2.1.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-ckay-6d62-ekb6
Aliases:
CVE-2022-31605
GHSA-hrf3-622q-8366
PYSEC-2022-232

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

2.1.2
Affected by 2 other vulnerabilities.

VCID-hent-veuq-mfga
Aliases:
CVE-2026-24178
PYSEC-2026-100

NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may lead to privilege escalation, data tampering, information disclosure, code execution, and denial of service.

2.7.2
Affected by 0 other vulnerabilities.

VCID-hqup-r5bc-z3gk
Aliases:
CVE-2022-34668
GHSA-6qv6-q77g-7qm6
PYSEC-2022-257

NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

2.1.4
Affected by 1 other vulnerability.

VCID-wps3-9req-s7bt
Aliases:
CVE-2022-31604
GHSA-rcxc-3w2m-mp8h
PYSEC-2022-231

NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.

2.1.2
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:24:55.877947+00:00	Pypa Importer	Affected by	VCID-hent-veuq-mfga	https://github.com/pypa/advisory-database/blob/main/vulns/nvflare/PYSEC-2026-100.yaml	38.6.0
2026-06-02T04:17:34.806415+00:00	Pypa Importer	Affected by	VCID-hqup-r5bc-z3gk	https://github.com/pypa/advisory-database/blob/main/vulns/nvflare/PYSEC-2022-257.yaml	38.6.0
2026-06-02T04:17:27.281197+00:00	Pypa Importer	Affected by	VCID-wps3-9req-s7bt	https://github.com/pypa/advisory-database/blob/main/vulns/nvflare/PYSEC-2022-231.yaml	38.6.0
2026-06-02T04:17:27.132095+00:00	Pypa Importer	Affected by	VCID-ckay-6d62-ekb6	https://github.com/pypa/advisory-database/blob/main/vulns/nvflare/PYSEC-2022-232.yaml	38.6.0