Security Vulnerabilities
A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipulation causes use of weak hash. It is possible to launch the attack on the local host. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
CVSS Score
1.1
EPSS Score
0.0
Published
2026-06-04
HCL iControl was affected by Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. Received input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-06-04
HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root.
CVSS Score
3.1
EPSS Score
0.0
Published
2026-06-04
HCL iControl was affected by Missing Security Headers vulnerability. which lead to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers.
CVSS Score
3.7
EPSS Score
0.001
Published
2026-06-04
The web administration panel binds broadly to the public IPv6 address space on port [::]:8080 without default firewall limits, making internal API endpoints reachable over the WAN.
CVSS Score
6.9
EPSS Score
0.0
Published
2026-06-04
The registration path /v1/account/register provides no bot mitigation mechanisms, allowing malicious automated systems to flood the database.
CVSS Score
8.8
EPSS Score
0.0
Published
2026-06-04
Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links.
CVSS Score
6.9
EPSS Score
0.0
Published
2026-06-04
The /v1/Plan service relies entirely on a shared global API token for full administrative management, allowing arbitrary creation of zero-cost network access plans.
CVSS Score
9.3
EPSS Score
0.0
Published
2026-06-04
The system Binder boundary accepts unverified pass-through AT commands, giving local applications the power to read baseband files or disable cellular connectivity.
CVSS Score
8.5
EPSS Score
0.0
Published
2026-06-04
High-risk TrustAllCerts routines disable standard TLS certificate validation. Combined with hard-coded DES symmetric encryption keys, a Man-in-the-Middle (MITM) actor could decrypt network traffic.
CVSS Score
9.2
EPSS Score
0.0
Published
2026-06-04