Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-pugd-v7em-sbec
Vulnerability ID VCID-pugd-v7em-sbec
Aliases CVE-2026-33865
PYSEC-2026-93
Summary MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. This issue affects MLflow version through 3.10.1
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (0)
There are no known CWE.
System Score Found at
cvssv3.1 5.4 https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors
epss 0.00011 https://api.first.org/data/v1/epss?cve=CVE-2026-33865
cvssv3.1 5.4 https://cert.pl/en/posts/2026/04/CVE-2026-33865/
cvssv3.1 5.4 https://github.com/mlflow/mlflow/pull/21435
Reference id Reference type URL
https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors
https://api.first.org/data/v1/epss?cve=CVE-2026-33865
https://cert.pl/en/posts/2026/04/CVE-2026-33865/
https://github.com/mlflow/mlflow/pull/21435
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://cert.pl/en/posts/2026/04/CVE-2026-33865/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/mlflow/mlflow/pull/21435
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.0132
EPSS Score 0.00011
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:37:51.880462+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/mlflow/PYSEC-2026-93.yaml 38.6.0