VYPR

Vendor: Aimhubio
Products: 1
CVEs: 6 (across products: 6)
Status: Private

Recent CVEs (6)
  • CVE-2024-6396 (Critical), Jul 12, 2024
    risk 0.68, cvss 9.8, epss 0.53

    A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. The vulnerability arises due to improper handling of the `run_hash` and `repo.path` parameters, which can…

  • CVE-2021-43775 (High), Nov 23, 2021
    risk 0.49, cvss 8.6, epss 0.02

    Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and its variations or by using absolute…

  • CVE-2025-5321 (Medium), May 29, 2025
    risk 0.41, cvss 6.3, epss 0.00

    A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument query leads to elevated…

  • CVE-2024-8101 (Medium), Mar 20, 2025
    risk 0.40, cvss 6.1, epss 0.00

    A stored cross-site scripting (XSS) vulnerability exists in the Text Explorer component of aimhubio/aim version 3.23.0. The vulnerability arises due to the use of `dangerouslySetInnerHTML` without proper sanitization, allowing arbitrary JavaScript execution when rendering…

  • CVE-2024-8863 (Low), Sep 14, 2024
    risk 0.23, cvss 3.5, epss 0.00

    A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross site scripting. It is…

  • CVE-2025-51464 (no severity given), Jul 22, 2025
    risk 0.00, cvss (none), epss 0.01

    Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation…