Vulnerability	Vulnerable Version
H Arbitrary Code Injection ultralytics is an Ultralytics YOLOv8 for SOTA object detection, multi-object tracking, instance segmentation, pose estimation and image classification. Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe use of `eval()` on attacker-controllable strings. The `cfg.smart_value` helper, the `string-handling` branch in `utils.checks.check_imgsz`, and the initializer in `utils/triton.py` evaluate arbitrary text with `eval()` (for example, when parsing imgsz or Triton metadata) instead of using a safe parser like `ast.literal_eval()`. An attacker who can influence these inputs can inject and execute arbitrary Python expressions in the context of the running process. How to fix Arbitrary Code Injection? Upgrade `ultralytics` to version 8.3.226 or higher.	[,8.3.226)
C Improper Input Validation ultralytics is an Ultralytics YOLOv8 for SOTA object detection, multi-object tracking, instance segmentation, pose estimation and image classification. Affected versions of this package are vulnerable to Improper Input Validation that can lead to command injection and path traversal. If exploited, it could allow unauthorized execution of arbitrary commands and unauthorized access to files on the server. How to fix Improper Input Validation? Upgrade `ultralytics` to version 8.1.0 or higher.	[,8.1.0)

Arbitrary Code Injection

ultralytics is an Ultralytics YOLOv8 for SOTA object detection, multi-object tracking, instance segmentation, pose estimation and image classification.

Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe use of eval() on attacker-controllable strings. The cfg.smart_value helper, the string-handling branch in utils.checks.check_imgsz, and the initializer in utils/triton.py evaluate arbitrary text with eval() (for example, when parsing imgsz or Triton metadata) instead of using a safe parser like ast.literal_eval(). An attacker who can influence these inputs can inject and execute arbitrary Python expressions in the context of the running process.

How to fix Arbitrary Code Injection?

Upgrade ultralytics to version 8.3.226 or higher.

[,8.3.226)

Improper Input Validation

ultralytics is an Ultralytics YOLOv8 for SOTA object detection, multi-object tracking, instance segmentation, pose estimation and image classification.

Affected versions of this package are vulnerable to Improper Input Validation that can lead to command injection and path traversal. If exploited, it could allow unauthorized execution of arbitrary commands and unauthorized access to files on the server.

How to fix Improper Input Validation?

Upgrade ultralytics to version 8.1.0 or higher.

[,8.1.0)

Go back to all versions of this package