Vantage6
by Vantage6
Source repositories
CVEs (21)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-5070 | Med | 0.42 | 6.4 | 0.00 | Apr 16, 2026 | The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery block text content in versions up to, and including, 1.20.32 due to insufficient output escaping in the gallery template. This makes it possible for authenticated attackers, with… | ||
| CVE-2024-32969 | Low | 0.11 | 2.7 | 0.00 | May 23, 2024 | vantage6 is an open-source infrastructure for privacy preserving analysis. Collaboration administrators can add extra organizations to their collaboration that can extend their influence. For example, organizations that they include can then create new users for which they know… | ||
| CVE-2026-54533 | 0.00 | — | 0.00 | Jun 5, 2026 | ### Impact Malicious algorithms can potentially access other algorithms input and output files. ### Patches Todo ### Workarounds Verify and restrict the algorithm containers that are allowed to run on your node. See [here](https://docs.vantage6.ai/usage/running-the-node/securit… | |||
| CVE-2026-54445 | 0.00 | — | 0.00 | Jun 5, 2026 | ### Impact Vantage6 currently provides an initial user with username `root` and password `root`. This is not ideal for the following reasons: - Attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights - The initial password… | |||
| CVE-2024-27928 | 0.00 | — | 0.00 | Jun 5, 2026 | ### Impact If an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue… | |||
| CVE-2025-43866 | 0.00 | — | 0.00 | Jun 12, 2025 | vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This… | |||
| CVE-2025-43863 | 0.00 | — | 0.00 | Jun 12, 2025 | vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change… | |||
| CVE-2024-23823 | 0.00 | — | 0.00 | Mar 14, 2024 | vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of… | |||
| CVE-2024-24770 | 0.00 | — | 0.00 | Mar 14, 2024 | vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. Much like GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes… | |||
| CVE-2024-22193 | 0.00 | — | 0.00 | Jan 30, 2024 | The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may… | |||
| CVE-2024-21671 | 0.00 | — | 0.00 | Jan 30, 2024 | The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. … | |||
| CVE-2024-21653 | 0.00 | — | 0.00 | Jan 30, 2024 | The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the… | |||
| CVE-2024-21649 | 0.00 | — | 0.01 | Jan 30, 2024 | The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. … | |||
| CVE-2023-47631 | 0.00 | — | 0.00 | Nov 14, 2023 | vantage6 is a framework to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). In affected versions a node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the… | |||
| CVE-2023-41882 | 0.00 | — | 0.00 | Oct 11, 2023 | vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However,… | |||
| CVE-2023-41881 | 0.00 | — | 0.00 | Oct 11, 2023 | vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect… | |||
| CVE-2023-28635 | 0.00 | — | 0.00 | Oct 11, 2023 | vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which… | |||
| CVE-2023-23930 | 0.00 | — | 0.01 | Oct 11, 2023 | vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are… | |||
| CVE-2023-23929 | 0.00 | — | 0.01 | Mar 3, 2023 | vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0. | |||
| CVE-2023-22738 | 0.00 | — | 0.00 | Mar 1, 2023 | vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization… |
- risk 0.42cvss 6.4epss 0.00
The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery block text content in versions up to, and including, 1.20.32 due to insufficient output escaping in the gallery template. This makes it possible for authenticated attackers, with…
- risk 0.11cvss 2.7epss 0.00
vantage6 is an open-source infrastructure for privacy preserving analysis. Collaboration administrators can add extra organizations to their collaboration that can extend their influence. For example, organizations that they include can then create new users for which they know…
- CVE-2026-54533Jun 5, 2026risk 0.00cvss —epss 0.00
### Impact Malicious algorithms can potentially access other algorithms input and output files. ### Patches Todo ### Workarounds Verify and restrict the algorithm containers that are allowed to run on your node. See [here](https://docs.vantage6.ai/usage/running-the-node/securit…
- CVE-2026-54445Jun 5, 2026risk 0.00cvss —epss 0.00
### Impact Vantage6 currently provides an initial user with username `root` and password `root`. This is not ideal for the following reasons: - Attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights - The initial password…
- CVE-2024-27928Jun 5, 2026risk 0.00cvss —epss 0.00
### Impact If an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue…
- CVE-2025-43866Jun 12, 2025risk 0.00cvss —epss 0.00
vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This…
- CVE-2025-43863Jun 12, 2025risk 0.00cvss —epss 0.00
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change…
- CVE-2024-23823Mar 14, 2024risk 0.00cvss —epss 0.00
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of…
- CVE-2024-24770Mar 14, 2024risk 0.00cvss —epss 0.00
vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. Much like GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes…
- CVE-2024-22193Jan 30, 2024risk 0.00cvss —epss 0.00
The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may…
- CVE-2024-21671Jan 30, 2024risk 0.00cvss —epss 0.00
The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. …
- CVE-2024-21653Jan 30, 2024risk 0.00cvss —epss 0.00
The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the…
- CVE-2024-21649Jan 30, 2024risk 0.00cvss —epss 0.01
The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. …
- CVE-2023-47631Nov 14, 2023risk 0.00cvss —epss 0.00
vantage6 is a framework to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). In affected versions a node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the…
- CVE-2023-41882Oct 11, 2023risk 0.00cvss —epss 0.00
vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However,…
- CVE-2023-41881Oct 11, 2023risk 0.00cvss —epss 0.00
vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect…
- CVE-2023-28635Oct 11, 2023risk 0.00cvss —epss 0.00
vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which…
- CVE-2023-23930Oct 11, 2023risk 0.00cvss —epss 0.01
vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are…
- CVE-2023-23929Mar 3, 2023risk 0.00cvss —epss 0.01
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Currently, the refresh token is valid indefinitely. The refresh token should get a validity of 24-48 hours. A fix was released in version 3.8.0.
- CVE-2023-22738Mar 1, 2023risk 0.00cvss —epss 0.00
vantage6 is a privacy preserving federated learning infrastructure for secure insight exchange. Assigning existing users to a different organizations is currently possible. It may lead to unintended access: if a user from organization A is accidentally assigned to organization…
Page 1 of 2