CVE-2026-33865.yaml
info:
  name: mlflow
  cve: CVE-2026-33865
  summary: MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts
    in...
  details: "MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts\
    \ in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes\
    \ when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations\
    \ on behalf of the victim. \n\nThis issue affects MLflow version through 3.10.1"
  cvss: ''
  severity: MEDIUM
  security_advise: Follow official security advisories and upgrade to the latest patched version.
  references:
    - https://cert.pl/en/posts/2026/04/CVE-2026-33865/
    - https://github.com/mlflow/mlflow/pull/21435
rule: 'version <= "3.10.1"'
references:
  - https://cert.pl/en/posts/2026/04/CVE-2026-33865/
  - https://github.com/mlflow/mlflow/pull/21435