Vulnerability	Vulnerable Version
H Arbitrary Code Injection ultralytics is an Ultralytics YOLOv8 for SOTA object detection, multi-object tracking, instance segmentation, pose estimation and image classification. Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe use of `eval()` on attacker-controllable strings. The `cfg.smart_value` helper, the `string-handling` branch in `utils.checks.check_imgsz`, and the initializer in `utils/triton.py` evaluate arbitrary text with `eval()` (for example, when parsing imgsz or Triton metadata) instead of using a safe parser like `ast.literal_eval()`. An attacker who can influence these inputs can inject and execute arbitrary Python expressions in the context of the running process. How to fix Arbitrary Code Injection? Upgrade `ultralytics` to version 8.3.226 or higher.	[,8.3.226)

Arbitrary Code Injection

ultralytics is an Ultralytics YOLOv8 for SOTA object detection, multi-object tracking, instance segmentation, pose estimation and image classification.

Affected versions of this package are vulnerable to Arbitrary Code Injection via unsafe use of eval() on attacker-controllable strings. The cfg.smart_value helper, the string-handling branch in utils.checks.check_imgsz, and the initializer in utils/triton.py evaluate arbitrary text with eval() (for example, when parsing imgsz or Triton metadata) instead of using a safe parser like ast.literal_eval(). An attacker who can influence these inputs can inject and execute arbitrary Python expressions in the context of the running process.

How to fix Arbitrary Code Injection?

Upgrade ultralytics to version 8.3.226 or higher.

[,8.3.226)

Go back to all versions of this package