2.9 LOW
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): Low (L)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): None (N)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Exploit Maturity (E): POC (P)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): None (N)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse ignored
-
@LeSuisse
ignored
16 packages
- exodus
- exomizer
- hexo-cli
- xfce.exo
- exonerate
- libexosip
- xfce4-exo
- exoscale-cli
- pkgsRocm.exo
- flexoptix-app
- haskellPackages.exon
- haskellPackages.exomizer
- terraform-providers.exoscale
- indi-3rdparty.indi-bresserexos2
- haskellPackages.exotic-list-monads
- terraform-providers.exoscale_exoscale
- @LeSuisse restored package pkgsRocm.exo
- @LeSuisse accepted
- @LeSuisse published on GitHub
exo-explore exo Vision Feature Cache vision.py _image_cache_key weak hash
A security flaw has been discovered in exo-explore exo up to 1.0.71. Affected is the function _image_cache_key of the file src/exo/worker/engines/mlx/vision.py of the component Vision Feature Cache. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.
References
-
VDB-376321 | exo-explore exo Vision Feature Cache vision.py _image_cache_key weak hash vdb-entrytechnical-description
-
-
Ignored references (4)
-
Submit #848737 | exo-explore exo 1.0.71 Use of Weak Hash third-party-advisory
-
CVE-2026-14738 | CVE Analysis and Report third-party-advisory
-
Affected products
- ==1.0.10
- ==1.0.12
- ==1.0.17
- ==1.0.34
- ==1.0.1
- ==1.0.42
- ==1.0.54
- ==1.0.41
- ==1.0.56
- ==1.0.61
- ==1.0.64
- ==1.0.5
- ==1.0.9
- ==1.0.3
- ==1.0.2
- ==1.0.46
- ==1.0.59
- ==1.0.27
- ==1.0.26
- ==1.0.23
- ==1.0.50
- ==1.0.11
- ==1.0.57
- ==1.0.67
- ==1.0.49
- ==1.0.63
- ==1.0.51
- ==1.0.20
- ==1.0.35
- ==1.0.24
- ==1.0.69
- ==1.0.8
- ==1.0.4
- ==1.0.58
- ==1.0.21
- ==1.0.62
- ==1.0.28
- ==1.0.30
- ==1.0.25
- ==1.0.37
- ==1.0.44
- ==1.0.32
- ==1.0.47
- ==1.0.31
- ==1.0.68
- ==1.0.13
- ==1.0.15
- ==1.0.36
- ==1.0.33
- ==1.0.53
- ==1.0.18
- ==1.0.52
- ==1.0.48
- ==1.0.14
- ==1.0.6
- ==1.0.40
- ==1.0.70
- ==1.0.16
- ==1.0.45
- ==1.0.66
- ==1.0.39
- ==1.0.43
- ==1.0.29
- ==1.0.0
- ==1.0.55
- ==1.0.60
- ==1.0.71
- ==1.0.19
- ==1.0.7
- ==1.0.22
- ==1.0.38
- ==1.0.65
Matching in nixpkgs
pkgs.exo
Run your own AI cluster at home with everyday devices
Ignored packages (15)
pkgs.exodus
Top-rated cryptocurrency wallet with Trezor integration and built-in Exchange
pkgs.exomizer
Compress archives that can still be unpacked by 8-bit systems
pkgs.hexo-cli
Command line interface for Hexo
pkgs.xfce.exo
Application library for Xfce
pkgs.exonerate
Generic tool for sequence alignment
pkgs.libexosip
Library that hides the complexity of using the SIP protocol
pkgs.xfce4-exo
Application library for Xfce
pkgs.exoscale-cli
Command-line tool for everything at Exoscale: compute, storage, dns
pkgs.flexoptix-app
Configure FLEXOPTIX Universal Transceivers in seconds
-
nixos-unstable 5.57.0-latest
- nixpkgs-unstable 5.57.0-latest
- nixos-unstable-small 5.57.0-latest
-
nixos-26.05 5.57.0-latest
- nixos-26.05-small 5.57.0-latest
- nixpkgs-26.05-darwin 5.57.0-latest
pkgs.haskellPackages.exon
Customizable quasiquote interpolation
pkgs.haskellPackages.exomizer
Compression and decompression in the exomizer format
pkgs.terraform-providers.exoscale
None
pkgs.indi-3rdparty.indi-bresserexos2
Third party drivers for the INDI astronomical software suite
-
nixos-unstable 3rdparty-indi-bresserexos2-2.2.0
- nixpkgs-unstable 3rdparty-indi-bresserexos2-2.2.0
- nixos-unstable-small 3rdparty-indi-bresserexos2-2.2.0
-
nixos-26.05 3rdparty-indi-bresserexos2-2.2.0
- nixos-26.05-small 3rdparty-indi-bresserexos2-2.2.0
- nixpkgs-26.05-darwin 3rdparty-indi-bresserexos2-2.2.0
pkgs.haskellPackages.exotic-list-monads
Non-standard monads on lists and non-empty lists
Package maintainers
-
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>