THREAT SENTINEL
Back to Dashboard
Hacking IncidentsCritical

CVE-2025-15036: Critical Severity Vulnerability Disclosed

Monday, March 30, 2026
Global
NVD

Summary

A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extractio

Threat Analysis

**Threat Overview:** A path traversal vulnerability exists in the `extract_archive_to_dir` function within the `mlflow/pyfunc/dbconnect_artifact_cache.py` file of the mlflow/mlflow repository. This vulnerability, present in versions before v3.7.0, arises due to the lack of validation of tar member paths during extractio

**CVE ID:** CVE-2025-15036 **CVSS Score:** 9.6 (CRITICAL)

**Recommended Mitigations:** - Review and apply vendor security updates - Monitor for signs of exploitation - Implement network segmentation and access controls - Enable logging and monitoring for affected systems

Last updated: Mar 30, 2026, 08:22 AM

Daily Intelligence

Stay Ahead of Threats

Subscribe to receive daily threat briefings delivered to your inbox. Be the first to know about emerging security risks.

No spamUnsubscribe anytimeDaily at 9 AM