VYPR
Vendor

Vantage6

Products
2
CVEs
23
Across products
23
Status
Private

Products

2

Recent CVEs

23
View all 23 CVEs →
  • CVE-2026-5070MedApr 16, 2026
    risk 0.42cvss 6.4epss 0.00

    The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery block text content in versions up to, and including, 1.20.32 due to insufficient output escaping in the gallery template. This makes it possible for authenticated attackers, with…

  • CVE-2024-32969LowMay 23, 2024
    risk 0.11cvss 2.7epss 0.00

    vantage6 is an open-source infrastructure for privacy preserving analysis. Collaboration administrators can add extra organizations to their collaboration that can extend their influence. For example, organizations that they include can then create new users for which they know…

  • CVE-2026-54533Jun 5, 2026
    risk 0.00cvss epss 0.00

    ### Impact Malicious algorithms can potentially access other algorithms input and output files. ### Patches Todo ### Workarounds Verify and restrict the algorithm containers that are allowed to run on your node. See [here](https://docs.vantage6.ai/usage/running-the-node/securit…

  • CVE-2026-54445Jun 5, 2026
    risk 0.00cvss epss 0.00

    ### Impact Vantage6 currently provides an initial user with username `root` and password `root`. This is not ideal for the following reasons: - Attackers know that almost all vantage6 servers have a user with username `root` that probably has admin rights - The initial password…

  • CVE-2024-27928Jun 5, 2026
    risk 0.00cvss epss 0.00

    ### Impact If an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue…

  • CVE-2025-43866Jun 12, 2025
    risk 0.00cvss epss 0.00

    vantage6 is an open-source infrastructure for privacy preserving analysis. The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent. This…

  • CVE-2025-43863Jun 12, 2025
    risk 0.00cvss epss 0.00

    vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. If attacker gets access to an authenticated session, they can try to brute-force the user password by using the change…

  • CVE-2024-24562Mar 14, 2024
    risk 0.00cvss epss 0.00

    vantage6-UI is the official user interface for the vantage6 server. In affected versions a number of security headers are not set. This issue has been addressed in commit `68dfa6614` which is expected to be included in future releases. Users are advised to upgrade when a new…

  • CVE-2024-23823Mar 14, 2024
    risk 0.00cvss epss 0.00

    vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of…

  • CVE-2024-24770Mar 14, 2024
    risk 0.00cvss epss 0.00

    vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. Much like GHSA-45gq-q4xh-cp53, it is possible to find which usernames exist in vantage6 by calling the API routes…

  • CVE-2024-22200Jan 30, 2024
    risk 0.00cvss epss 0.00

    vantage6-UI is the User Interface for vantage6. The docker image used to run the UI leaks the nginx version. To mitigate the vulnerability, users can run the UI as an angular application. This vulnerability was patched in 4.2.0.

  • CVE-2024-22193Jan 30, 2024
    risk 0.00cvss epss 0.00

    The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may…

  • CVE-2024-21671Jan 30, 2024
    risk 0.00cvss epss 0.00

    The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. …

  • CVE-2024-21653Jan 30, 2024
    risk 0.00cvss epss 0.00

    The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the…

  • CVE-2024-21649Jan 30, 2024
    risk 0.00cvss epss 0.01

    The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Prior to 4.2.0, authenticated users could inject code into algorithm environment variables, resulting in remote code execution. …

  • CVE-2023-47631Nov 14, 2023
    risk 0.00cvss epss 0.00

    vantage6 is a framework to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). In affected versions a node does not check if an image is allowed to run if a `parent_id` is set. A malicious party that breaches the…

  • CVE-2023-41882Oct 11, 2023
    risk 0.00cvss epss 0.00

    vantage6 is privacy preserving federated learning infrastructure. The endpoint /api/collaboration/{id}/task is used to collect all tasks from a certain collaboration. To get such tasks, a user should have permission to view the collaboration and to view the tasks in it. However,…

  • CVE-2023-41881Oct 11, 2023
    risk 0.00cvss epss 0.00

    vantage6 is privacy preserving federated learning infrastructure. When a collaboration is deleted, the linked resources (such as tasks from that collaboration) should be deleted. This is partly to manage data properly, but also to prevent a potential (but unlikely) side-effect…

  • CVE-2023-28635Oct 11, 2023
    risk 0.00cvss epss 0.00

    vantage6 is privacy preserving federated learning infrastructure. Prior to version 4.0.0, malicious users may try to get access to resources they are not allowed to see, by creating resources with integers as names. One example where this is a risk, is when users define which…

  • CVE-2023-23930Oct 11, 2023
    risk 0.00cvss epss 0.01

    vantage6 is privacy preserving federated learning infrastructure. Versions prior to 4.0.0 use pickle, which has known security issue, as a default serialization module but that has known security issues. All users of vantage6 that post tasks with the default serialization are…