CVE Catalog

CVE-2026-14738

LowCVSS 3.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.21%

11th percentile — higher than 11% of all known CVEs

Summary

A weak hash function was found in the Vision Feature Cache component of exo-explore exo up to version 1.0.71, specifically in the _image_cache_key function. The vulnerability allows remote attacks but is difficult to exploit due to high complexity. A public exploit is available, and a fix is pending acceptance.

Risk Assessment

The organization is at risk of remote attacks exploiting the weak hash in the image cache, potentially leading to data integrity breaches or unauthorized access. High attack complexity reduces risk, but the public exploit increases urgency.

Recommendation

Immediately apply the fix from the pending pull request or upgrade exo-explore exo to a version above 1.0.71 once released. Until then, restrict access to the vulnerable component.

Original NVD description (English source)

A security flaw has been discovered in exo-explore exo up to 1.0.71. Affected is the function _image_cache_key of the file src/exo/worker/engines/mlx/vision.py of the component Vision Feature Cache. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS