A vulnerability was found in ByteDance InfiniStore up to 0.2.33. The impacted element is the function purge_kv_map in the library /src/infinistore.h of the component KV Map Handler. Manipulating it results in inefficient algorithmic complexity. The attack requires local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue [truncated]
CVE-2026-40518 is a HIGH severity vulnerability in ByteDance DeerFlow before commit 2176b2b. It allows for path traversal and arbitrary file write via bootstrap-mode custom-agent creation. The vulnerability exists due to a bypass in agent name validation, enabling attackers to supply traversal-style values or absolute paths as the agent name. This can influence directory creation and write files outside t [truncated]
CVE-2026-32859 describes a stored cross-site scripting issue in ByteDance DeerFlow’s artifacts API. The vulnerability affects versions prior to commit 5dbb362, where malicious HTML or script content uploaded as an artifact can later execute in a viewer’s browser context. Because the payload is stored and triggered on view, the main risks are session compromise, credential theft, and unauthorized actions i [truncated]