Filtered by vendor Aimhubio
                         Subscriptions
                    
                    
                
                        Filtered by product Aim
                         Subscriptions
                    
                    
                
                    Total
                    8 CVE
                
            | CVE | Vendors | Products | Updated | CVSS v3.1 | 
|---|---|---|---|---|
| CVE-2024-8061 | 2 Aimhubio, Aimstack | 2 Aim, Aim | 2025-10-15 | N/A | 
| In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, causing the server to wait indefinitely for a response. This can lead to a denial of service, as the tracking server does not respond to other requests while waiting. The issue arises in the client used by the `aim` tracking server to communicate with external resources, specifically in the `_run_read_instructions` method and similar calls without timeouts. | ||||
| CVE-2025-5321 | 2 Aimhubio, Aimstack | 2 Aim, Aim | 2025-09-19 | 6.3 Medium | 
| A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/storage/query.py of the component run_view Object Handler. The manipulation of the argument Abfrage leads to erweiterte Rechte. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-51464 | 2 Aimhubio, Aimstack | 2 Aim, Aim | 2025-09-11 | 8.8 High | 
| Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js(). | ||||
| CVE-2024-2195 | 2 Aimhubio, Aimstack | 2 Aim, Aim | 2025-07-29 | N/A | 
| A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides in the `run_search_api` function of the `aim/web/api/runs/views.py` file, where improper restriction of user access to the `RunView` object allows for the execution of arbitrary code via the `query` parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leading to full system compromise. | ||||
| CVE-2024-2196 | 2 Aimhubio, Aimstack | 2 Aim, Aim | 2025-07-29 | N/A | 
| aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data like log records and notes without the user's consent. The vulnerability stems from the lack of CSRF and CORS protection in the aim dashboard. An attacker can exploit this by tricking a user into executing a malicious script that sends unauthorized requests to the aim server, leading to potential data loss and unauthorized data manipulation. | ||||
| CVE-2024-6851 | 2 Aimhubio, Aimstack | 2 Aim, Aim | 2025-07-23 | N/A | 
| In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-specified glob-pattern for deleting files. The function does not verify that the matched files are within the directory managed by LocalFileManager, allowing a maliciously crafted glob-pattern to lead to arbitrary file deletion. | ||||
| CVE-2024-12777 | 2 Aimhubio, Aimstack | 2 Aim, Aim | 2025-07-18 | N/A | 
| A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-threaded, can be made unresponsive by requesting it to connect to an unresponsive socket via sshfs. The lack of an additional timeout setting in the sshfs-client causes the server to hang for a significant amount of time, preventing it from responding to other requests. | ||||
| CVE-2024-8863 | 2 Aimhubio, Aimstack | 2 Aim, Aim | 2024-09-20 | 3.5 Low | 
| A vulnerability, which was classified as problematic, was found in aimhubio aim up to 3.24. Affected is the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. The manipulation of the argument query leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
                            
                                
                                
                                    Page 1 of 1.