aimhubio / aim
Project repository
Aim 💫 — An easy-to-use & supercharged open-source experiment tracker.
Response times:
First interaction within: N/A days
Review within: 38 days
Fix within: N/A days
Reports:

Report | Date | Reporter | Status | Severity | Bounty | CVE
Sandbox Escape via API Endpoint Leading to Remote Code Execution in Aim | Jun 3rd 2025 | superboy-zjc | self closed | - | - | -
Arbitrary File Write via Path Traversal in restore_run_backup | Feb 1st 2025 | j0x1nx | duplicate | High | - | -
Stored XSS and CSRF through Pyodide in reports | Feb 13th 2025 | patrik-ha | pending | - | - | -
Denial of service through tracking and requesting Aim objects through web API | Jan 31st 2025 | patrik-ha | - | High | $450 | CVE-2025-0190
Denial of service by tracking large images | Jan 30th 2025 | patrik-ha | - | High | $450 | CVE-2025-0189
Web server DoS through run metrics | Jan 18th 2025 | patrik-ha | - | High | $450 | CVE-2024-12778
Denial of service through sshfs-client in tracking server | Jan 16th 2025 | patrik-ha | - | Medium | $75 | CVE-2024-12777
Stored XSS in TextExplorer | Jan 13th 2025 | patrik-ha | duplicate | High | - | -
Denial of service through instantiation of ScheduledStatusReporter in tracking s... | Dec 14th 2024 | patrik-ha | - | High | $450 | CVE-2024-10110
RCE via Unclaimed S3 Bucket Usage And Arbitrary File Overwrite | Dec 5th 2024 | aftersnows | not applicable | - | - | -
Path Traversal in restore_run_backup() | Aug 30th 2024 | jkylekelly | self closed | - | - | -
Clickjacking vulnerability | Nov 23rd 2024 | tharunavula | not applicable | - | - | -
Stored XSS through TEXT EXPLORER | Nov 23rd 2024 | aftersnows | duplicate | High | - | -
XSS in TextBox Component | Nov 16th 2024 | lambdasawa | duplicate | Critical | - | -
Arbitrary file deletion through relative path traversal in tracking server | Nov 15th 2024 | patrik-ha | - | Critical | $900 | CVE-2024-8769
Denial of service due to no timeouts for some tracking server endpoints | Oct 27th 2024 | patrik-ha | - | High | $450 | CVE-2024-8061
Unrestricted Code Execution via Outdated safer_getattr() | Oct 20th 2024 | baroncrowley | - | Medium | $75 | CVE-2024-8238
Stored XSS in Text Explorer via tracked texts | Oct 18th 2024 | 0x999-x | - | High | $450 | CVE-2024-8101
CSRF through tracking server | Sep 28th 2024 | patrik-ha | - | High | $450 | CVE-2024-7760
Arbitrary file deletion through tracking server | Sep 19th 2024 | patrik-ha | - | High | $450 | CVE-2024-6851
Arbitrary file overwrite through tarfile-extraction | Aug 2nd 2024 | patrik-ha | - | Critical | $900 | CVE-2024-6829
Cross-site Request Forgery on Every Endpoint | Jul 17th 2024 | pinkdraconian | duplicate | High | - | -
Stored XSS through run logs | Jul 12th 2024 | patrik-ha | - | High | $450 | CVE-2024-6578
Denial of service by pointing tracking server at itself | Jul 8th 2024 | patrik-ha | - | High | $450 | CVE-2024-6227
Arbitrary file overwrite and arbitrary data exfiltration | Jul 12th 2024 | patrik-ha | - | Critical | $900 | CVE-2024-6396
Arbitrary file/directory deletion | Jul 12th 2024 | patrik-ha | - | Medium | $75 | CVE-2024-6483
Remote Code Execution still in Aim Web API in aimhubio/aim (serious) | Mar 29th 2024 | wh0amitz | duplicate | Critical | - | -
CSRF allows deleting runs | Mar 11th 2024 | h2oa | informative | High | - | -
Frameable response (potential Clickjacking) | Mar 11th 2024 | h2oa | informative | Medium | - | -
CSRF allows deleting tags | Mar 11th 2024 | h2oa | informative | Medium | - | -
A user can remove notes even though it is not possible through the UI | Mar 5th 2024 | acciobugs | informative | Medium | - | -
CSRF allows deleting runs and performing other operations | Mar 2nd 2024 | nerrorsec | - | High | $1350 | CVE-2024-2196
Remote Code Execution in Aim Web API | Mar 2nd 2024 | fa2y | - | Critical | $2700 | CVE-2024-2195
Sandbox escape via various forms of "format". | Feb 13th 2024 | ready-research | informative | Critical | - | -
SQL injection attack on aim database. | Oct 18th 2023 | andy53 | spam | - | - | -
Bounty table:
Critical: $0
High: $0
Medium: $0
Low: $0