PatchSiren

ByteDance CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW ByteDance CVE published 2026-06-05

CVE-2026-11312

A vulnerability was found in Bytedance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Performing a manipulation results in inefficient algorithmic complexity. The attack requires a local approach. The exploit has been made public and could be used. The project was informed of the problem early through an issue [truncated]

HIGH ByteDance CVE published 2026-04-17

CVE-2026-40518

CVE-2026-40518 is a HIGH severity vulnerability in Bytedance DeerFlow before commit 2176b2b. It allows for path traversal and arbitrary file write via bootstrap-mode custom-agent creation. The vulnerability exists due to a bypass in agent name validation, enabling attackers to supply traversal-style values or absolute paths as the agent name. This can influence directory creation and write files outside t [truncated]

MEDIUM ByteDance CVE published 2026-03-27

CVE-2026-32859

CVE-2026-32859 describes a stored cross-site scripting issue in ByteDance DeerFlow’s artifacts API. The vulnerability affects versions prior to commit 5dbb362, where malicious HTML or script content uploaded as an artifact can later execute in a viewer’s browser context. Because the payload is stored and triggered on view, the main risks are session compromise, credential theft, and unauthorized actions i [truncated]