{"url":"http://public2.vulnerablecode.io/api/packages/24911?format=json","purl":"pkg:pypi/nvflare@2.1.2","type":"pypi","namespace":"","name":"nvflare","version":"2.1.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.7.2","latest_non_vulnerable_version":"2.7.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/82725?format=json","vulnerability_id":"VCID-1dyc-w4vr-87fg","summary":"NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may lead to privilege escalation, data tampering, information disclosure, code execution, and denial of service.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24178","reference_id":"","reference_type":"","scores":[{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48546","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.48527","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00248","scoring_system":"epss","scoring_elements":"0.4839","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24178"},{"reference_url":"https://github.com/advisories/GHSA-jqp3-qrgh-4846","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jqp3-qrgh-4846"},{"reference_url":"https://github.com/NVIDIA/NVFlare","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2026-100.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2026-100.yaml"},{"reference_url":"https://nvidia.custhelp.com/app/answers/detail/a_id/5819","reference_id":"5819","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:42:52Z/"}],"url":"https://nvidia.custhelp.com/app/answers/detail/a_id/5819"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24178","reference_id":"CVE-2026-24178","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:42:52Z/"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24178"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2026-24178","reference_id":"CVERecord?id=CVE-2026-24178","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:42:52Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2026-24178"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/92617?format=json","purl":"pkg:pypi/nvflare@2.7.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nvflare@2.7.2"}],"aliases":["CVE-2026-24178","GHSA-jqp3-qrgh-4846","PYSEC-2026-100"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1dyc-w4vr-87fg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/211275?format=json","vulnerability_id":"VCID-qwpq-4ac7-qkhk","summary":"NVFLARE unsafe deserialization due to Pickle","references":[{"reference_url":"http://packetstormsecurity.com/files/171483/NVFLARE-Unsafe-Deserialization.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/171483/NVFLARE-Unsafe-Deserialization.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-34668","reference_id":"","reference_type":"","scores":[{"value":"0.2245","scoring_system":"epss","scoring_elements":"0.95977","published_at":"2026-06-13T12:55:00Z"},{"value":"0.2245","scoring_system":"epss","scoring_elements":"0.95963","published_at":"2026-06-11T12:55:00Z"},{"value":"0.2245","scoring_system":"epss","scoring_elements":"0.95975","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-34668"},{"reference_url":"https://github.com/NVIDIA/NVFlare","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare"},{"reference_url":"https://github.com/NVIDIA/NVFlare/commit/6cde16f3f4711583ae4d896dfcc125d25c7d5b0d","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare/commit/6cde16f3f4711583ae4d896dfcc125d25c7d5b0d"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-257.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-257.yaml"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/51051.txt","reference_id":"CVE-2022-34668","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/51051.txt"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-34668","reference_id":"CVE-2022-34668","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-34668"},{"reference_url":"https://github.com/advisories/GHSA-6qv6-q77g-7qm6","reference_id":"GHSA-6qv6-q77g-7qm6","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6qv6-q77g-7qm6"},{"reference_url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-6qv6-q77g-7qm6","reference_id":"GHSA-6qv6-q77g-7qm6","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-6qv6-q77g-7qm6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/26073?format=json","purl":"pkg:pypi/nvflare@2.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1dyc-w4vr-87fg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nvflare@2.1.4"}],"aliases":["CVE-2022-34668","GHSA-6qv6-q77g-7qm6","PYSEC-2022-257"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qwpq-4ac7-qkhk"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/210856?format=json","vulnerability_id":"VCID-4k7s-bxw9-4qer","summary":"Unsafe deserialisation in the PKI implementation scheme of NVFlare","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31604","reference_id":"","reference_type":"","scores":[{"value":"0.02435","scoring_system":"epss","scoring_elements":"0.8555","published_at":"2026-06-13T12:55:00Z"},{"value":"0.02435","scoring_system":"epss","scoring_elements":"0.85489","published_at":"2026-06-11T12:55:00Z"},{"value":"0.02435","scoring_system":"epss","scoring_elements":"0.8554","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31604"},{"reference_url":"https://github.com/NVIDIA/NVFlare","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare"},{"reference_url":"https://github.com/NVIDIA/NVFlare/commit/fd018eea9dff925a765079a94c2f017920fcda67","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare/commit/fd018eea9dff925a765079a94c2f017920fcda67"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-231.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-231.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31604","reference_id":"CVE-2022-31604","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31604"},{"reference_url":"https://github.com/advisories/GHSA-rcxc-3w2m-mp8h","reference_id":"GHSA-rcxc-3w2m-mp8h","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rcxc-3w2m-mp8h"},{"reference_url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-rcxc-3w2m-mp8h","reference_id":"GHSA-rcxc-3w2m-mp8h","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-rcxc-3w2m-mp8h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24911?format=json","purl":"pkg:pypi/nvflare@2.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1dyc-w4vr-87fg"},{"vulnerability":"VCID-qwpq-4ac7-qkhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nvflare@2.1.2"}],"aliases":["CVE-2022-31604","GHSA-rcxc-3w2m-mp8h","GMS-2022-2730","PYSEC-2022-231"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4k7s-bxw9-4qer"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/210857?format=json","vulnerability_id":"VCID-vgy5-cuxd-uud2","summary":"Unsafe yaml deserialization in NVFlare","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31605","reference_id":"","reference_type":"","scores":[{"value":"0.02435","scoring_system":"epss","scoring_elements":"0.8555","published_at":"2026-06-13T12:55:00Z"},{"value":"0.02435","scoring_system":"epss","scoring_elements":"0.85489","published_at":"2026-06-11T12:55:00Z"},{"value":"0.02435","scoring_system":"epss","scoring_elements":"0.8554","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31605"},{"reference_url":"https://github.com/NVIDIA/NVFlare","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare"},{"reference_url":"https://github.com/NVIDIA/NVFlare/commit/4de9782697ecb12f39bcae83221bd8d3498959be","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare/commit/4de9782697ecb12f39bcae83221bd8d3498959be"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-232.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-232.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31605","reference_id":"CVE-2022-31605","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31605"},{"reference_url":"https://github.com/advisories/GHSA-hrf3-622q-8366","reference_id":"GHSA-hrf3-622q-8366","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hrf3-622q-8366"},{"reference_url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366","reference_id":"GHSA-hrf3-622q-8366","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/24911?format=json","purl":"pkg:pypi/nvflare@2.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1dyc-w4vr-87fg"},{"vulnerability":"VCID-qwpq-4ac7-qkhk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nvflare@2.1.2"}],"aliases":["CVE-2022-31605","GHSA-hrf3-622q-8366","GMS-2022-2629","PYSEC-2022-232"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vgy5-cuxd-uud2"}],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nvflare@2.1.2"}