2.9 LOW
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): Low (L)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): None (N)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Exploit Maturity (E): POC (P)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): High (H)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): None (N)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
Activity log
- Created suggestion
exo-explore exo Vision Feature Cache vision.py _image_cache_key weak hash
A security flaw has been discovered in exo-explore exo up to 1.0.71. Affected is the function _image_cache_key of the file src/exo/worker/engines/mlx/vision.py of the component Vision Feature Cache. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.
References
-
VDB-376321 | exo-explore exo Vision Feature Cache vision.py _image_cache_key weak hash vdb-entrytechnical-description
-
-
CVE-2026-14738 | CVE Analysis and Report third-party-advisory
-
Submit #848737 | exo-explore exo 1.0.71 Use of Weak Hash third-party-advisory
-
-
Affected products
- ==1.0.15
- ==1.0.38
- ==1.0.64
- ==1.0.24
- ==1.0.68
- ==1.0.49
- ==1.0.6
- ==1.0.3
- ==1.0.21
- ==1.0.31
- ==1.0.35
- ==1.0.52
- ==1.0.8
- ==1.0.43
- ==1.0.17
- ==1.0.9
- ==1.0.32
- ==1.0.37
- ==1.0.23
- ==1.0.18
- ==1.0.1
- ==1.0.11
- ==1.0.19
- ==1.0.46
- ==1.0.44
- ==1.0.28
- ==1.0.57
- ==1.0.65
- ==1.0.34
- ==1.0.70
- ==1.0.14
- ==1.0.66
- ==1.0.42
- ==1.0.22
- ==1.0.25
- ==1.0.30
- ==1.0.2
- ==1.0.67
- ==1.0.54
- ==1.0.48
- ==1.0.55
- ==1.0.59
- ==1.0.12
- ==1.0.69
- ==1.0.51
- ==1.0.56
- ==1.0.13
- ==1.0.50
- ==1.0.62
- ==1.0.26
- ==1.0.45
- ==1.0.27
- ==1.0.47
- ==1.0.41
- ==1.0.39
- ==1.0.29
- ==1.0.36
- ==1.0.61
- ==1.0.60
- ==1.0.71
- ==1.0.63
- ==1.0.53
- ==1.0.16
- ==1.0.20
- ==1.0.4
- ==1.0.33
- ==1.0.58
- ==1.0.0
- ==1.0.7
- ==1.0.5
- ==1.0.10
- ==1.0.40
Matching in nixpkgs
pkgs.exo
Run your own AI cluster at home with everyday devices
pkgs.exodus
Top-rated cryptocurrency wallet with Trezor integration and built-in Exchange
pkgs.exomizer
Compress archives that can still be unpacked by 8-bit systems
pkgs.hexo-cli
Command line interface for Hexo
pkgs.xfce.exo
Application library for Xfce
pkgs.exonerate
Generic tool for sequence alignment
pkgs.libexosip
Library that hides the complexity of using the SIP protocol
pkgs.xfce4-exo
Application library for Xfce
pkgs.exoscale-cli
Command-line tool for everything at Exoscale: compute, storage, dns
pkgs.pkgsRocm.exo
Run your own AI cluster at home with everyday devices
pkgs.flexoptix-app
Configure FLEXOPTIX Universal Transceivers in seconds
-
nixos-unstable 5.57.0-latest
- nixpkgs-unstable 5.57.0-latest
- nixos-unstable-small 5.57.0-latest
-
nixos-26.05 5.57.0-latest
- nixos-26.05-small 5.57.0-latest
- nixpkgs-26.05-darwin 5.57.0-latest
pkgs.haskellPackages.exon
Customizable quasiquote interpolation
pkgs.haskellPackages.exomizer
Compression and decompression in the exomizer format
pkgs.terraform-providers.exoscale
None
pkgs.indi-3rdparty.indi-bresserexos2
Third party drivers for the INDI astronomical software suite
-
nixos-unstable 3rdparty-indi-bresserexos2-2.2.0
- nixpkgs-unstable 3rdparty-indi-bresserexos2-2.2.0
- nixos-unstable-small 3rdparty-indi-bresserexos2-2.2.0
-
nixos-26.05 3rdparty-indi-bresserexos2-2.2.0
- nixos-26.05-small 3rdparty-indi-bresserexos2-2.2.0
- nixpkgs-26.05-darwin 3rdparty-indi-bresserexos2-2.2.0
pkgs.haskellPackages.exotic-list-monads
Non-standard monads on lists and non-empty lists
Package maintainers
-
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
-
@Craftzman7 Crafter <crafter@crafter.rocks>
-
@rople380 rople380
-
@mmahut Marek Mahut <marek.mahut@gmail.com>
-
@MatthewCroughan Matthew Croughan <matt@croughan.sh>
-
@bzizou Bruno Bzeznik <Bruno@bzizou.net>
-
@viraptor Stanisław Pitucha <nix@viraptor.info>
-
@helsinki-Jo Joachim Ernst <joachim.ernst@helsinki-systems.de>
-
@dasJ Janne Heß <janne@hess.ooo>
-
@returntoreality Linus Karl <linus@lotz.li>
-
@sheepforce Phillip Seeber <phillip.seeber@googlemail.com>
-
@romildo José Romildo Malaquias <malaquias@gmail.com>
-
@bobby285271 Bobby Rong <rjl931189261@126.com>
-
@muscaln Mustafa Çalışkan <muscaln@protonmail.com>