Package impact
PyPI / mlflow
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2025-15036 | critical | 10.0 | 10.0 | 2mo ago | MLFlow path traversal vulnerability | |
| CVE-2025-15379 | critical | 9.8 | 9.8 | 2mo ago | MLflow Command Injection vulnerability | |
| CVE-2026-0596 | critical | — | 9.5 | 2mo ago | Mlflow: Command Injection when serving models with enable_mlserver=True | |
| CVE-2026-2652 | high | 8.6 | 8.6 | 14d ago | MLflow: unauthenticated access to certain FastAPI routes | |
| CVE-2026-2614 | high | 7.5 | 7.5 | 17d ago | MLflow allows an unauthenticated remote attacker to read arbitrary files from the server's filesystem | |
| CVE-2026-2393 | high | 7.1 | 7.1 | 17d ago | MLflow Has a Server-Side Request Forgery (SSRF) Vulnerability | |
| CVE-2025-15381 | high | 7.1 | 7.1 | 2mo ago | MLFlow allows Tracing + Assessments Access |