Aimstack Aim
23 CVEs affecting Aimstack Aim. Latest disclosed: 2025-07-22. Critical: 5, High: 12.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-6396 | Critical | 9.8 | 2024-07-12 | A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate ar… |
| CVE-2024-2195 | Critical | 9.8 | 2024-04-10 | A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affe… |
| CVE-2024-7760 | Critical | 9.6 | 2025-03-20 | aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CO… |
| CVE-2024-8769 | Critical | 9.1 | 2025-03-20 | A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal… |
| CVE-2024-6829 | Critical | 9.1 | 2025-03-20 | A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the `tarfile.extractall()` function to extract the contents of a maliciously craft… |
| CVE-2025-51464 | High | 8.8 | 2025-07-22 | Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python code submitt… |
| CVE-2024-2196 | High | 8.8 | 2024-04-10 | aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data… |
| CVE-2021-43775 | High | 8.6 | 2021-11-23 | Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By mani… |
| CVE-2024-8238 | High | 8.1 | 2025-03-20 | In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. This version does n… |
| CVE-2025-0190 | High | 7.5 | 2025-03-20 | In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously… |
| CVE-2025-0189 | High | 7.5 | 2025-03-20 | In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket message… |
| CVE-2024-8061 | High | 7.5 | 2025-03-20 | In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, causing the server to wait indefinitely fo… |
| CVE-2024-6851 | High | 7.5 | 2025-03-20 | In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-specified glob-pattern for deleting files… |
| CVE-2024-12778 | High | 7.5 | 2025-03-20 | A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics are retriev… |
| CVE-2024-10110 | High | 7.5 | 2025-03-20 | In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server, leading to the main… |
| CVE-2024-6227 | High | 7.5 | 2024-07-08 | A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause an infinite loop by configuring the remote tracking server to point at itself. This… |
| CVE-2025-51463 | High | 7.0 | 2025-07-22 | Path Traversal in restore_run_backup() in AIM 3.28.0 allows remote attackers to write arbitrary files to the server's filesystem via a crafted backup tar file… |
| CVE-2025-5321 | Medium | 6.3 | 2025-05-29 | A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/s… |
| CVE-2024-8101 | Medium | 6.1 | 2025-03-20 | A stored cross-site scripting (XSS) vulnerability exists in the Text Explorer component of aimhubio/aim version 3.23.0. The vulnerability arises due to the use… |
| CVE-2024-12777 | Medium | 5.9 | 2025-03-20 | A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-thre… |