VDB
KO
MEDIUM 5.3

PYSEC-2026-1091

Aim Relative Path Traversal vulnerability

Details

A vulnerability in the `runs/delete-batch` endpoint of aimhubio/aim version 3.19.3 allows for arbitrary file or directory deletion through path traversal. The endpoint does not mitigate path traversal when handling user-specified run-names, which are used to specify log/metadata files for deletion. This can be exploited to delete arbitrary files or directories, potentially causing denial of service or data loss.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / aim
Introduced in: 0

No fixed version published yet for aim (pip). Pin to a known-safe version or switch to an alternative.

References