{"data":{"id":"c328deb8-9b1d-4d24-bac4-d6265fd4b460","title":"CVE-2025-14287: A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/","summary":"MLflow versions before v3.7.0 contain a command injection vulnerability (a flaw where attackers insert malicious commands into input that gets executed) in the sagemaker module. An attacker can exploit this by passing a malicious container image name through the `--container` parameter, which the software unsafely inserts into shell commands and runs, allowing arbitrary command execution on affected systems.","solution":"Update MLflow to version v3.7.0 or later.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-14287","publishedAt":"2026-03-16T14:17:55.610Z","cveId":"CVE-2025-14287","cweIds":["CWE-94"],"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00071,"patchAvailable":null,"disclosureDate":"2026-03-16T14:17:55.610Z","capecIds":["CAPEC-242"],"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}