Aimstack Aim

23 CVEs affecting Aimstack Aim. Latest disclosed: 2025-07-22. Critical: 5, High: 12.

Top CVEs affecting Aimstack Aim
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-6396 | Critical | 9.8 | 2024-07-12 | A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate ar… |
| CVE-2024-2195 | Critical | 9.8 | 2024-04-10 | A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affe… |
| CVE-2024-7760 | Critical | 9.6 | 2025-03-20 | aimhubio/aim version 3.22.0 contains a Cross-Site Request Forgery (CSRF) vulnerability in the tracking server. The vulnerability is due to overly permissive CO… |
| CVE-2024-8769 | Critical | 9.1 | 2025-03-20 | A vulnerability in the `LockManager.release_locks` function in aimhubio/aim (commit bb76afe) allows for arbitrary file deletion through relative path traversal… |
| CVE-2024-6829 | Critical | 9.1 | 2025-03-20 | A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to exploit the `tarfile.extractall()` function to extract the contents of a maliciously craft… |
| CVE-2025-51464 | High | 8.8 | 2025-07-22 | Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims' browsers via malicious Python code submitt… |
| CVE-2024-2196 | High | 8.8 | 2024-04-10 | aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allowing attackers to perform actions such as deleting runs, updating data, and stealing data… |
| CVE-2021-43775 | High | 8.6 | 2021-11-23 | Aim is an open-source, self-hosted machine learning experiment tracking tool. Versions of Aim prior to 3.1.0 are vulnerable to a path traversal attack. By mani… |
| CVE-2024-8238 | High | 8.1 | 2025-03-20 | In version 3.22.0 of aimhubio/aim, the AimQL query language uses an outdated version of the safer_getattr() function from RestrictedPython. This version does n… |
| CVE-2025-0190 | High | 7.5 | 2025-03-20 | In version 3.25.0 of aimhubio/aim, a denial of service vulnerability exists. By tracking a large number of `Text` objects and then querying them simultaneously… |
| CVE-2025-0189 | High | 7.5 | 2025-03-20 | In version 3.25.0 of aimhubio/aim, the tracking server is vulnerable to a denial of service attack. The server overrides the maximum size for websocket message… |
| CVE-2024-8061 | High | 7.5 | 2025-03-20 | In version 3.23.0 of aimhubio/aim, certain methods that request data from external servers do not have set timeouts, causing the server to wait indefinitely fo… |
| CVE-2024-6851 | High | 7.5 | 2025-03-20 | In version 3.22.0 of aimhubio/aim, the LocalFileManager._cleanup function in the aim tracking server accepts a user-specified glob-pattern for deleting files… |
| CVE-2024-12778 | High | 7.5 | 2025-03-20 | A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service (DoS) attack. The issue arises when a large number of tracked metrics are retriev… |
| CVE-2024-10110 | High | 7.5 | 2025-03-20 | In version 3.23.0 of aimhubio/aim, the ScheduledStatusReporter object can be instantiated to run on the main thread of the tracking server, leading to the main… |
| CVE-2024-6227 | High | 7.5 | 2024-07-08 | A vulnerability in aimhubio/aim version 3.19.3 allows an attacker to cause an infinite loop by configuring the remote tracking server to point at itself. This… |
| CVE-2025-51463 | High | 7.0 | 2025-07-22 | Path Traversal in restore_run_backup() in AIM 3.28.0 allows remote attackers to write arbitrary files to the server's filesystem via a crafted backup tar file… |
| CVE-2025-5321 | Medium | 6.3 | 2025-05-29 | A vulnerability classified as critical was found in aimhubio aim up to 3.29.1. This vulnerability affects the function RestrictedPythonQuery of the file /aim/s… |
| CVE-2024-8101 | Medium | 6.1 | 2025-03-20 | A stored cross-site scripting (XSS) vulnerability exists in the Text Explorer component of aimhubio/aim version 3.23.0. The vulnerability arises due to the use… |
| CVE-2024-12777 | Medium | 5.9 | 2025-03-20 | A vulnerability in aimhubio/aim version 3.25.0 allows for a denial of service through the misuse of the sshfs-client. The tracking server, which is single-thre… |