{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33865", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-03-24T13:13:32.905Z", "datePublished": "2026-04-07T12:57:38.525Z", "dateUpdated": "2026-04-09T13:31:08.842Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com", "defaultStatus": "unaffected", "packageName": "mlfolw", "product": "Mlflow", "repo": "https://github.com/mlflow/", "vendor": "Mlflow", "versions": [{"lessThanOrEqual": "3.10.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "S\u0142awomir Zakrzewski (AFINE)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. <br><br><span style=\"background-color: rgba(214, 214, 214, 0.1);\">This issue affects MLflow version through 3.10.1</span><br>"}], "value": "MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. \n\nThis issue affects MLflow version through 3.10.1"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-09T13:31:08.842Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/mlflow/mlflow/pull/21435"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2026/04/CVE-2026-33865/"}, {"tags": ["exploit", "technical-description"], "url": "https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored XSS via unsafe YAML parsing in MLflow", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T13:10:08.243484Z", "id": "CVE-2026-33865", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:10:14.041Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33865", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T13:10:08.243484Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T13:10:10.733Z"}}], "cna": {"title": "Stored XSS via unsafe YAML parsing in MLflow", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "S\u0142awomir Zakrzewski (AFINE)"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/mlflow/", "vendor": "Mlflow", "product": "Mlflow", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.10.1"}], "packageName": "mlfolw", "collectionURL": "https://github.com", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/mlflow/mlflow/pull/21435", "tags": ["patch"]}, {"url": "https://cert.pl/en/posts/2026/04/CVE-2026-33865/", "tags": ["third-party-advisory"]}, {"url": "https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors", "tags": ["exploit", "technical-description"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. \n\nThis issue affects MLflow version through 3.10.1", "supportingMedia": [{"type": "text/html", "value": "MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. <br><br><span style=\"background-color: rgba(214, 214, 214, 0.1);\">This issue affects MLflow version through 3.10.1</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-04-09T13:31:08.842Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33865", "state": "PUBLISHED", "dateUpdated": "2026-04-09T13:31:08.842Z", "dateReserved": "2026-03-24T13:13:32.905Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-04-07T12:57:38.525Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface. An authenticated attacker can upload a malicious MLmodel file containing a payload that executes when another user views the artifact in the UI. This allows actions such as session hijacking or performing operations on behalf of the victim. \n\nThis issue affects MLflow version through 3.10.1"}], "id": "CVE-2026-33865", "lastModified": "2026-04-09T14:16:30.703", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cvd@cert.pl", "type": "Secondary"}]}, "published": "2026-04-07T13:16:46.840", "references": [{"source": "cvd@cert.pl", "url": "https://afine.com/blogs/attacking-mlflow-how-ml-artifacts-become-attack-vectors"}, {"source": "cvd@cert.pl", "url": "https://cert.pl/en/posts/2026/04/CVE-2026-33865/"}, {"source": "cvd@cert.pl", "url": "https://github.com/mlflow/mlflow/pull/21435"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cvd@cert.pl", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.10.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Mlflow", "source": "cna", "vendor": "Mlflow"}, "product": "mlflow", "vendor": "mlflow"}], "analysis": {"en": {"generated_at": "2026-04-07T19:54:25.620896+00:00", "value": {"mitigation_remediation": ["Upgrade MLflow to version 3.10.2 or later, which contains a safe YAML parsing fix.", "If an upgrade is not immediately feasible, restrict or revoke upload permissions for users who can add MLmodel files, or disable the upload feature until a patch is applied.", "Monitor logs for unusual upload activity and verify that no untrusted YAML files are being processed."], "summary": {"action": "Patch Immediately", "impact": "Stored Cross\u2011Site Scripting via unsafe YAML parsing in MLflow"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all released versions of MLflow up to and including 3.10.1. The affected product is the MLflow tooling used to manage model artifacts and serve the web interface.", "description_and_impact": "MLflow\u2019s web interface processes user\u2011supplied MLmodel files described in YAML. An authenticated attacker can embed a malicious script inside such a file. When another user opens the artifact in the UI, the embedded code runs in that user\u2019s browser, enabling session hijacking or unauthorized actions on their behalf. This is a classic Cross\u2011Site Scripting vulnerability that can compromise confidentiality, integrity and availability for all users who view the artifact.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a moderate severity. Exploitation requires only that the attacker be authenticated to the system so they can upload the malicious artifact, and a second user must subsequently view it in the UI. Because the EPSS score is not available and the issue is not listed in CISA\u2019s KEV catalog, the overall threat rating is moderate but still actionable."}}}}, "created": "2026-04-08T19:37:59.362082+00:00", "updated": "2026-04-08T19:49:32.386803+00:00", "vendors": ["mlflow", "mlflow$PRODUCT$mlflow"]}