pkg:Bitnami/mlflow

All known vulnerabilities

• CRITICAL10.0CVE-2025-15379Command Injection in mlflow/mlflow
  >= 3.8.0, < 3.9.0
• CRITICAL10.0CVE-2024-0520Remote Code Execution due to Full Controlled File Write in mlflow/mlflow
  from 0, < 2.9.1
• CRITICAL10.0CVE-2023-6831Path Traversal: '\..\filename' in mlflow/mlflow
  from 0, < 2.9.2
• CRITICAL10.0CVE-2023-6015MLflow Arbitrary File Upload
  from 0, < 2.8.1
• CRITICAL10.0CVE-2023-6018Remote Code Execution due to Full Controled File Write in mlflow
• CRITICAL10.0CVE-2023-3765Absolute Path Traversal in mlflow/mlflow
  from 0, < 2.5.0
• CRITICAL10.0CVE-2023-2356Relative Path Traversal in mlflow/mlflow
  from 0, < 2.3.1
• CRITICAL9.8CVE-2023-6974Server-Side Request Forgery (SSRF)
  from 0, < 2.9.2
• CRITICAL9.8CVE-2023-6975Path Traversal: '\..\filename'
  from 0, < 2.9.2
• CRITICAL9.8CVE-2023-2780Path Traversal: '\..\filename' in mlflow/mlflow
  from 0, < 2.3.1
• CRITICAL9.8CVE-2023-1177Path Traversal: '\..\filename' in mlflow/mlflow
  from 0, < 2.2.1
• CRITICAL9.6CVE-2026-2611Improper Origin Validation in mlflow/mlflow
  >= 3.9.0, < 3.10.0
• CRITICAL9.6CVE-2026-0596Mlflow: Command Injection when serving models with enable_mlserver=True
  from 0, < 3.11.1
• CRITICAL9.6CVE-2025-15036Path Traversal Vulnerability in mlflow/mlflow
  from 0, < 3.9.0
• CRITICAL9.6CVE-2024-27132Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe.
  from 0, < 2.10.0
• CRITICAL9.6CVE-2024-27133Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset.
  from 0, < 2.10.0
• CRITICAL9.3CVE-2024-3573Local File Inclusion (LFI) via Scheme Confusion in mlflow/mlflow
  from 0, < 2.10.0
• CRITICAL9.1CVE-2023-6014MLflow authentication requirement bypass can allow a user to arbitrarily create an account
• HIGH8.8CVE-2024-37057MLFlow unsafe deserialization
  >= 2.0.0, <= 2.13.1
• HIGH8.8CVE-2024-37061MLFlow improper input validation
  >= 1.11.0, < 2.13.2
• HIGH8.8CVE-2024-37060MLFlow unsafe deserialization
  >= 1.27.0, < 2.13.2
• HIGH8.8CVE-2024-37059MLFlow unsafe deserialization
  >= 0.5.0, < 2.13.2
• HIGH8.8CVE-2024-37058MLFlow unsafe deserialization
  >= 2.5.0, < 2.13.2
• HIGH8.8CVE-2024-37054MLFlow unsafe deserialization
  >= 0.9.0, < 2.13.2
• HIGH8.8CVE-2024-37056MLFlow unsafe deserialization
  >= 1.23.0, < 2.13.2
• HIGH8.8CVE-2024-37052MLFlow unsafe deserialization
  >= 1.1.0, < 2.13.2
• HIGH8.8CVE-2024-37053MLFlow unsafe deserialization
  >= 1.1.0, < 2.13.2
• HIGH8.8CVE-2024-37055MLFlow unsafe deserialization
  >= 1.24.0, < 2.13.2
• HIGH8.8CVE-2023-6976Unrestricted Upload of File with Dangerous Type
  from 0, < 2.9.2
• HIGH8.8CVE-2023-6940Command Injection
  from 0, < 2.9.2
• HIGH8.8CVE-2023-6753Path Traversal in mlflow/mlflow
  from 0, < 2.9.2
• HIGH8.8CVE-2023-6709Improper Neutralization of Special Elements Used in a Template Engine in mlflow/mlflow
  from 0, < 2.9.2
• HIGH8.8CVE-2023-4033OS Command Injection in mlflow/mlflow
  from 0, < 2.6.0
• HIGH8.6CVE-2026-2652Authentication Bypass in mlflow/mlflow
  from 0, < 3.10.0
• HIGH8.2CVE-2022-0736Insecure Temporary File in mlflow/mlflow
  from 0, < 1.23.1
• HIGH8.1CVE-2025-15031Path Traversal Vulnerability in mlflow/mlflow
  from 0, < 3.11.1
• HIGH8.1CVE-2025-14279DNS Rebinding Vulnerability in mlflow/mlflow
  from 0, < 3.5.0
• HIGH8.1CVE-2025-11201MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability
  from 0, < 3.0.0
• HIGH8.1CVE-2025-11200MLflow Weak Password Requirements Authentication Bypass Vulnerability
  from 0, < 2.21.1
• HIGH8.1CVE-2024-1560Path Traversal Vulnerability in mlflow/mlflow
  from 0, < 2.12.2
• HIGH7.5CVE-2026-2614Arbitrary File Read via Prompt Tag Source Validation Bypass in mlflow/mlflow
  from 0, < 3.10.0
• HIGH7.5CVE-2025-14287Command Injection in mlflow/mlflow
  from 0, < 3.7.0
• HIGH7.5CVE-2024-8859Path Traversal in mlflow/mlflow
  >= 2.15.1, < 2.16.0
• HIGH7.5CVE-2024-2928Local File Inclusion (LFI) via URI Fragment Parsing in mlflow/mlflow
  from 0, < 2.11.3
• HIGH7.5CVE-2024-3848Path Traversal Bypass in mlflow/mlflow
  from 0, < 2.12.1
• HIGH7.5CVE-2024-1558Path Traversal Vulnerability in mlflow/mlflow
  from 0, < 2.12.1
• HIGH7.5CVE-2024-1593Path Traversal via Parameter Smuggling in mlflow/mlflow
  from 0, < 2.11.3
• HIGH7.5CVE-2024-1594Local File Read via Path Traversal in mlflow/mlflow
  from 0, < 2.11.3
• HIGH7.5CVE-2024-1483Path Traversal Vulnerability in mlflow/mlflow
  from 0, < 2.12.1
• HIGH7.5CVE-2023-6977Path Traversal: '\..\filename'
  >= 1.0.0, < 2.9.2
• HIGH7.5CVE-2023-6909Path Traversal: '\..\filename' in mlflow/mlflow
  from 0, < 2.9.2
• HIGH7.5CVE-2023-43472Information exposure in MLflow
  from 0, < 2.8.2
• HIGH7.5CVE-2023-30172mflow vulnerable to directory traversal
  from 0, < 2.0.1
• HIGH7.1CVE-2026-2393Server-Side Request Forgery (SSRF) in mlflow/mlflow
  from 0, < 3.9.0
• HIGH7.0CVE-2025-10279Privilege Escalation in mlflow/mlflow
  from 0, < 3.4.0
• HIGH7.0CVE-2024-27134Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf
  from 0, < 2.16.0
• MEDIUM6.5CVE-2023-6568Reflected XSS via Content-Type Header in mlflow/mlflow
  from 0, < 2.9.1
• MEDIUM5.9CVE-2025-0453MLflow Uncontrolled Resource Consumption vulnerability
  >= 2.17.2, < 2.18.0
• MEDIUM5.8CVE-2025-52967MLFlow SSRF via gateway_proxy_handler
  from 0, < 3.1.0
• MEDIUM5.4CVE-2026-33865Stored XSS via unsafe YAML parsing in MLflow
  from 0, < 3.11.1
• MEDIUM5.4CVE-2025-1473CSRF in mlflow/mlflow
  >= 2.17.0, < 2.20.1
• MEDIUM5.4CVE-2024-3099Undefined Behavior in mlflow
• MEDIUM5.4CVE-2024-4263Improper Access Control in mlflow/mlflow
  from 0, < 2.12.1
• MEDIUM5.3CVE-2024-6838Uncontrolled Resource Consumption in mlflow/mlflow
  >= 2.13.2, < 2.14.0
• MEDIUM4.3CVE-2026-33866Authorization Bypass in MLflow AJAX Endpoint
  from 0, < 3.11.1
• LOW3.8CVE-2025-1474Weak Password Requirements in mlflow/mlflow
  from 0, < 2.19.0
• LOW3.3CVE-2023-1176Absolute Path Traversal in mlflow/mlflow
  from 0, < 2.2.2