97 matches found
CVE-2026-11816
Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in keras/src/utils/file_utils.py. The functions filter_safe_tarinfos and filter_safe_zipinfos validate archive member paths against the process's current working directory (CWD) instead of t...
Keras Path Traversal Vulnerability
Keras is an open-source deep learning framework developed by Keras. Versions of Keras prior to 3.14.0 contained a path traversal vulnerability. This vulnerability stemmed from a path traversal issue in the archive extraction tool. The functions filter_safe_tarinfos and filter_safe_zipinfos used to...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in keras-3.13.1-py3-none-any.whl
Summary IBM Watson Discovery Cartridge affected by vulnerability in keras-3.13.1-py3-none-any.whl Vulnerability Details CVEID:CVE-2026-1669 DESCRIPTION: Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a...
adpred (=1.3.2), bacpipe (>=1.2.0 <=1.3.2.dev0) +16 more potentially affected by CVE-2026-0897 via keras (>=3.0.0 <=3.12.0)
keras PYPI version =3.0.0, =1.2.0, =0.1.0, =0.0.4, =0.4.7, =1.0.3, =0.0.28, =0.2.0, =2.4.0, =0.1.0, =0.1.1, =14.0.0, =14.1.0 and more Source cves: CVE-2026-0897 Source advisory: OSV:GHSA-MGX6-5CF9-RR43...
GHSA-MGX6-5CF9-RR43 Keras vulnerable to DoS via Malicious .keras Model (HDF5 Shape Bomb Causes Petabyte Allocation in KerasFileEditor)
Summary Keras’s model loader KerasFileEditor unsafely loads user-supplied .keras model files containing HDF5-based weight files without performing any validation on HDF5 dataset metadata. An attacker can craft a .keras archive containing a valid model.weights.h5 file whose dataset declares an...
Linux Distros Unpatched Vulnerability : CVE-2026-1462
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during...
CVE-2026-1462
A flaw was found in the keras package. This vulnerability allows an attacker to execute unauthorized code on a victim's system. It occurs when a victim loads a specially crafted .keras model, even if the safe_mode security feature is active. The issue arises because the keras package can...
adpred (=1.3.2), bacpipe (>=1.2.0 <=1.3.2.dev0) +16 more potentially affected by CVE-2026-1462 via keras (>=3.0.0 <=3.12.0)
keras PYPI version =3.0.0, =1.2.0, =0.1.0, =0.0.4, =0.4.7, =1.0.3, =0.0.28, =0.2.0, =2.4.0, =0.1.0, =0.1.1, =14.0.0, =14.1.0 and more Source cves: CVE-2026-1462 Source advisory: SNYK:PYTHON-KERAS-16032293...
Deserialization of Untrusted Data
Overview keras is a high-level neural networks API for Python. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the TFSMLayer class. An attacker can execute arbitrary code by providing a malicious TensorFlow SavedModel during deserialization of...
a2grunnerp (>=0.1.0 <=0.1.8), a62-emotion (>=0.9.2 <=0.11.4) +1271 more potentially affected by CVE-2026-1462 via keras (>=1.2.1 <=3.13.1)
keras PYPI version =1.2.1, =0.1.0, =0.9.2, =1.0.1, =0.1.0, =1.1.2, =0.0.8, =0.0.1, =7.13.1, =0.0.1, =0.0.2 and more Source cves: CVE-2026-1462 Source advisory: OSV:GHSA-4F3F-G24H-FR8M...
EUVD-2026-21970
A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safe_mode=True. This bypasses the security guarantees of safe_mode and enables arbitrary attacker-controlled...
Keras has an untrusted deserialization vulnerability
A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safe_mode=True. This bypasses the security guarantees of safe_mode and enables arbitrary attacker-controlled...
DEBIAN-CVE-2026-1462
A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safe_mode=True. This bypasses the security guarantees of safe_mode and enables arbitrary attacker-controlled...
UBUNTU-CVE-2026-1462
A vulnerability in the TFSMLayer class of the keras package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of .keras models, even when safe_mode=True. This bypasses the security guarantees of safe_mode and enables arbitrary attacker-controlled...
Directory Traversal
Keras is vulnerable to Directory Traversal. The vulnerability is due to unsafe extraction of tar archives in keras.utils.get_file without proper filtering during extraction, which allows an attacker to bypass path validation and write files outside the intended directory...
Security Bulletin: IBM Maximo Application Suite - Maximo AI Service uses multiple third party dependencies which are vulnerable to multiple CVEs.
Summary IBM Maximo Application Suite - Maximo AI Service uses "torch-2.9.1-cp311-cp311-manylinux_2_28_x86_64.whl, keras-3.12.0-py3-none-any.whl, hibernate-core-6.6.36.Final.jar" dependencies which are vulnerable to "CVE-2025-2998, CVE-2025-2999, CVE-2025-55552, CVE-2025-63396, CVE-2026-0897,...
Incomplete Fix for CVE-2026-1669: HDF5 External Storage File Disclosure in Legacy H5 Loading
Description Keras 3 patched CVE-2026-1669 HDF5 External Storage File Disclosure in the new .keras and .weights.h5 loading paths by adding verifydataset to check for dataset.external in H5IOStore. However, the legacy .h5 loading path keras/src/legacy/saving/legacy_h5_format.py was not patched. This...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in keras-2.13.1-py3-none-any.whl
Summary IBM Watson Discovery Cartridge affected by vulnerability in keras-2.13.1-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-9906 DESCRIPTION: The Keras Model.load_model method can be exploited to achieve arbitrary code execution, even with safe_mode=True. One can create a specially craft...
Keras Has A Local File Disclosure Via HDF5 External Storage During Keras Weight Loading
Summary TensorFlow / Keras continues to honor HDF5 “external storage” and "ExternalLink" features when loading weights. A malicious ".weights.h5" or a ".keras" archive embedding such weights can direct "load_weights" to read from an arbitrary readable filesystem path. The bytes pulled from that pa...
adpred (=1.3.2), bacpipe (>=1.2.0 <=1.3.2.dev0) +16 more potentially affected by CVE-2026-1669 via keras (>=3.0.0 <=3.12.0)
keras PYPI version =3.0.0, =1.2.0, =0.1.0, =0.0.4, =0.4.7, =1.0.3, =0.0.28, =0.2.0, =2.4.0, =0.1.0, =0.1.1, =14.0.0, =14.1.0 and more Source cves: CVE-2026-1669 Source advisory: OSV:GHSA-3M4Q-JMJ6-R34Q...