VDB
GCVE-110-OSM-2026-2486
GCVE-110-OSM-2026-2486
Advisory PublishedCVSS 5.4/10
Suspicious package detected. Behaviors: data exfiltration.
Payload: pypi/databricks-feature-lookup@1.13.0/databricks/feature_store/lookup_engine/async_refill_engine.py
Secondary files: pypi/databricks-feature-lookup@1.13.0/databricks/feature_store/lookup_engine/lookup_legacy_brickstore_http_engine.py
IOCs:
- urls: https://bit.ly/3BGBBFF., https://docs.google.com/document/d/1x_V9GshlnoAAFFCuDsXWdJVtop9MG2HWTUo5IK_1mEw, https://docs.google.com/document/d/1cG7PDWHld-WwD2UWp7v80KJT7lXOvvO0wNyKuZG2VQ8/edit#heading=h.24cgj83368tv, https://docs.google.com/document/d/1CvdYWUDqEsv69YVv1S9Co2vx-akEaki3v_H3Q2ZMDmo/edit#bookmark=id.qdunvvvuke0e, https://src.dev.databricks.com/databricks/runtime@78d071a6bb90371c937490f81f50f969ca020450/-/blob/sql/catalyst/src/main/scala/org/apache/spark/sql/util/ArrowUtils.scala?L39:3 (+2 more)
- domains: logging.INFO, entities.cloud, bit.ly, prometheus.io, ml.dev (+6 more)
- payloadFileHash: da8780885deebc3840ce051962e153784d28f1080f6c7afcb791b8a233a49926
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | databricks-feature-lookup | all (affected) | — |
Browse GCVE Records
73,685 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.