What the vulnerability does
01Description
An attacker can overwrite any file on the server hosting MLflow without any authentication.
CVSS base score
10.0/10
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Key dates
02Disclosure timeline
November 16, 2023
CVE published
August 2, 2024
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2025-1676 hzmanyun Education and Training System pdf2swf os command injection
CVE-2024-21786
CVE-2025-4230 PAN-OS: Authenticated Admin Command Injection Vulnerability Through CLI
CVE-2026-5690 Totolink A7100RU cstecgi.cgi setRemoteCfg os command injection
CVE-2026-32311 Command Injection and Docker container escape allows root on host machine
