Skip to main content

Allegroai Clearml

1 CVEs product

Monthly

CVE-2026-8387 LOW PATCH Monitor

Zip slip (relative path traversal) in ClearML's StorageManager._extract_to_cache() allows a network-positioned attacker to write arbitrary files to the host filesystem, with confirmed RCE potential via cron job injection, SSH authorized_keys overwrite, or web shell deployment. Affected are all versions up to and including 1.16.5; the official CVSS score of 2.4 with I:L severely understates the real-world impact given the documented RCE paths. No KEV listing and no EPSS data were provided, but the presence of a public bounty report and a confirmed fix commit indicates the issue is verified. The fix is available in version 2.1.6.

Path Traversal RCE Allegroai Clearml
NVD GitHub
CVSS 3.0
2.4
EPSS
0.4%
EPSS 0% CVSS 2.4
LOW PATCH Monitor

Zip slip (relative path traversal) in ClearML's StorageManager._extract_to_cache() allows a network-positioned attacker to write arbitrary files to the host filesystem, with confirmed RCE potential via cron job injection, SSH authorized_keys overwrite, or web shell deployment. Affected are all versions up to and including 1.16.5; the official CVSS score of 2.4 with I:L severely understates the real-world impact given the documented RCE paths. No KEV listing and no EPSS data were provided, but the presence of a public bounty report and a confirmed fix commit indicates the issue is verified. The fix is available in version 2.1.6.

Path Traversal RCE Allegroai Clearml
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy