{"url":"http://public2.vulnerablecode.io/api/packages/28236?format=json","purl":"pkg:pypi/nvflare@2.0.15","type":"pypi","namespace":"","name":"nvflare","version":"2.0.15","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.7.2","latest_non_vulnerable_version":"2.7.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36134?format=json","vulnerability_id":"VCID-ckay-6d62-ekb6","summary":"NVFLARE, versions prior to 2.1.2, contains a vulnerability in its utils module, where YAML files are loaded via yaml.load() instead of yaml.safe_load(). The deserialization of Untrusted Data, may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31605","reference_id":"","reference_type":"","scores":[{"value":"0.02435","scoring_system":"epss","scoring_elements":"0.85439","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31605"},{"reference_url":"https://github.com/NVIDIA/NVFlare","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare"},{"reference_url":"https://github.com/NVIDIA/NVFlare/commit/4de9782697ecb12f39bcae83221bd8d3498959be","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare/commit/4de9782697ecb12f39bcae83221bd8d3498959be"},{"reference_url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-hrf3-622q-8366"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-232.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-232.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31605","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31605"},{"reference_url":"https://github.com/advisories/GHSA-hrf3-622q-8366","reference_id":"GHSA-hrf3-622q-8366","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hrf3-622q-8366"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28242?format=json","purl":"pkg:pypi/nvflare@2.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-hent-veuq-mfga"},{"vulnerability":"VCID-hqup-r5bc-z3gk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nvflare@2.1.2"}],"aliases":["CVE-2022-31605","GHSA-hrf3-622q-8366","GMS-2022-2629","PYSEC-2022-232"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ckay-6d62-ekb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37306?format=json","vulnerability_id":"VCID-hent-veuq-mfga","summary":"NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A successful exploit of this vulnerability may lead to privilege escalation, data tampering, information disclosure, code execution, and denial of service.","references":[{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24178","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:42:52Z/"}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24178"},{"reference_url":"https://nvidia.custhelp.com/app/answers/detail/a_id/5819","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:42:52Z/"}],"url":"https://nvidia.custhelp.com/app/answers/detail/a_id/5819"},{"reference_url":"https://www.cve.org/CVERecord?id=CVE-2026-24178","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-04-29T13:42:52Z/"}],"url":"https://www.cve.org/CVERecord?id=CVE-2026-24178"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49946?format=json","purl":"pkg:pypi/nvflare@2.7.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nvflare@2.7.2"}],"aliases":["CVE-2026-24178","PYSEC-2026-100"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hent-veuq-mfga"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36175?format=json","vulnerability_id":"VCID-hqup-r5bc-z3gk","summary":"NVFLARE, versions prior to 2.1.4, contains a vulnerability that deserialization of Untrusted Data due to Pickle usage may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.","references":[{"reference_url":"http://packetstormsecurity.com/files/171483/NVFLARE-Unsafe-Deserialization.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/171483/NVFLARE-Unsafe-Deserialization.html"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-34668","reference_id":"","reference_type":"","scores":[{"value":"0.2245","scoring_system":"epss","scoring_elements":"0.95941","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-34668"},{"reference_url":"https://github.com/NVIDIA/NVFlare","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare"},{"reference_url":"https://github.com/NVIDIA/NVFlare/commit/6cde16f3f4711583ae4d896dfcc125d25c7d5b0d","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare/commit/6cde16f3f4711583ae4d896dfcc125d25c7d5b0d"},{"reference_url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-6qv6-q77g-7qm6","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-6qv6-q77g-7qm6"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-257.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-257.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-34668","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-34668"},{"reference_url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/51051.txt","reference_id":"CVE-2022-34668","reference_type":"exploit","scores":[],"url":"https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/python/remote/51051.txt"},{"reference_url":"https://github.com/advisories/GHSA-6qv6-q77g-7qm6","reference_id":"GHSA-6qv6-q77g-7qm6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-6qv6-q77g-7qm6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28924?format=json","purl":"pkg:pypi/nvflare@2.1.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-hent-veuq-mfga"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nvflare@2.1.4"}],"aliases":["CVE-2022-34668","GHSA-6qv6-q77g-7qm6","PYSEC-2022-257"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hqup-r5bc-z3gk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36135?format=json","vulnerability_id":"VCID-wps3-9req-s7bt","summary":"NVFLARE, versions prior to 2.1.2, contains a vulnerability in its PKI implementation module, where The CA credentials are transported via pickle and no safe deserialization. The deserialization of Untrusted Data may allow an unprivileged network attacker to cause Remote Code Execution, Denial Of Service, and Impact to both Confidentiality and Integrity.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31604","reference_id":"","reference_type":"","scores":[{"value":"0.02435","scoring_system":"epss","scoring_elements":"0.85439","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-31604"},{"reference_url":"https://github.com/NVIDIA/NVFlare","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare"},{"reference_url":"https://github.com/NVIDIA/NVFlare/commit/fd018eea9dff925a765079a94c2f017920fcda67","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare/commit/fd018eea9dff925a765079a94c2f017920fcda67"},{"reference_url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-rcxc-3w2m-mp8h","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NVIDIA/NVFlare/security/advisories/GHSA-rcxc-3w2m-mp8h"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-231.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/nvflare/PYSEC-2022-231.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31604","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31604"},{"reference_url":"https://github.com/advisories/GHSA-rcxc-3w2m-mp8h","reference_id":"GHSA-rcxc-3w2m-mp8h","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rcxc-3w2m-mp8h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/28242?format=json","purl":"pkg:pypi/nvflare@2.1.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-hent-veuq-mfga"},{"vulnerability":"VCID-hqup-r5bc-z3gk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nvflare@2.1.2"}],"aliases":["CVE-2022-31604","GHSA-rcxc-3w2m-mp8h","GMS-2022-2730","PYSEC-2022-231"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wps3-9req-s7bt"}],"fixing_vulnerabilities":[],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/nvflare@2.0.15"}