Vulnerability Database

309,237

Total vulnerabilities in the database

CVE-2024-27133

Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over dataset table fields.

Published: Feb 23, 2024
Updated: Nov 16, 2025
CVE: CVE-2024-27133
GHSA: GHSA-3v79-q7ph-j75h
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
mlflow	-	2.10.0
lfprojects / mlflow	-	2.9.2.x

https://github.com/mlflow/mlflow/commit/c43823750bffa5b6abcc086683b15a068513b67b
https://github.com/mlflow/mlflow/commit/cfa71879a884cc3520e23ccab998c9aa78fdf2b1
https://github.com/mlflow/mlflow/pull/10893
https://research.jfrog.com/vulnerabilities/mlflow-untrusted-dataset-xss-jfsa-2024-000631932
https://research.jfrog.com/vulnerabilities/mlflow-untrusted-dataset-xss-jfsa-2024-000631932/

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo