Anchore Syft vulnerabilities
3 known vulnerabilities affecting anchore/syft.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1, MEDIUM 1
Vulnerabilities
CVE-2026-31220 | P2 | CRITICAL | affected versions ≥ 0, ≤ 0.9.5 | 2026-05-12
CVE-2026-31220 [CRITICAL] CWE-94 PySyft server-side arbitrary Python execution after code approval
PySyft (Syft Datasite/Server) versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged users to submit Python functions (via @sy.syft_function()) for remote execution on the server. While a code approval mechanism exists,
ghsa
CVE-2023-24827 | P3 | HIGH | CVSS 7.5 | affected versions v0.69.0, v0.69.1, +1 more | 2023-02-07
CVE-2023-24827 [HIGH] CWE-200
syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. A password disclosure flaw was found in Syft versions v0.69.0 and v0.69.1. This flaw leaks the password stored in the SYFT_ATTEST_PASSWORD environment variable. The `SYFT_ATTEST_PASSWORD` environment variable is for the `syft a
nvd
CVE-2026-33481 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.42.3 | 2026-03-26
CVE-2026-33481 [MEDIUM] CWE-460
Syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems. Syft versions before v1.42.3 would not properly clean up temporary storage if the temporary storage was exhausted during a scan. When scanning archives, Syft will unpack those archives into temporary storage and then inspect the un
nvd