
70 matches found

OSV (added 3 days ago)

PYSEC-2026-404: Ludwig framework is vulnerable to insecure deserialization through its predict() method.

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded using...

CVSS 9.8, AI score 6.5, EPSS 0.006. Exploits: 0, References: 5.
OSV (added 3 days ago)

PYSEC-2026-405: Ludwig framework is vulnerable to insecure deserialization in its model serving component.

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weights_only=True...

CVSS 9.8, AI score 6.5, EPSS 0.00497. Exploits: 0, References: 5.
Positive Technologies (added 2026/05/27 12:00 a.m.)

PT-2026-43664

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You QuickWebP Compress / Optimize Images & Convert WebP | SEO Friendly (quickwebp) allows Path Traversal. This issue affects QuickWebP Compress / Optimize Images & Convert WebP | SEO Friendly: from n...

CVSS 9.9, AI score 5.8, EPSS 0.00336. Exploits: 0, References: 2.
RedhatCVE (added 2026/05/15 1:57 a.m.)

CVE-2026-31237

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded using...

CVSS 9.8, AI score 6.3, EPSS 0.006. Exploits: 0, References: 1.
RedhatCVE (added 2026/05/15 1:57 a.m.)

CVE-2026-31238

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weights_only=True...

CVSS 9.8, AI score 6.3, EPSS 0.00497. Exploits: 0, References: 1.
Snyk (added 2026/05/12 7:25 p.m.)

Deserialization of Untrusted Data

Overview: ludwig is described as "Declarative machine learning: End-to-end machine learning pipelines using data-driven configurations." Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the model serving process. An attacker can execute arbitrary code on the system by...

CVSS 9.8, AI score 6.2, EPSS 0.00497. Exploits: 0, References: 2.
OSV (added 2026/05/12 6:30 p.m.)

GHSA-XP5Q-5Q7G-Q26R: Ludwig framework is vulnerable to insecure deserialization in its model serving component.

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weights_only=True...

CVSS 9.8, AI score 6.3, EPSS 0.00497. Exploits: 0, References: 3.
EUVD (added 2026/05/12 6:30 p.m.)

EUVD-2026-29561

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weights_only=True...

AI score 6.3, EPSS 0.00497. Exploits: 0, References: 3.
vulnersOsv (added 2026/05/12 6:30 p.m.)

change-analyzer (>=0.14.0 <=0.16.1), mindsdb (>=0.9.1.0 <=1.3.1) potentially affected by CVE-2026-31237 via ludwig (>=0.17.5 <=0.5.5)

ludwig (PyPI) version =0.17.5, =0.14.0, =0.9.1.0, =1.3.1. Source CVEs: CVE-2026-31237. Source advisory: SNYK:PYTHON-LUDWIG-17057195...

CVSS 9.8, AI score 5.4, EPSS 0.006. Exploits: 0.
Github Security Blog (added 2026/05/12 6:30 p.m.)

Ludwig framework is vulnerable to insecure deserialization in its model serving component

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weights_only=True...

CVSS 9.8, AI score 6.3, EPSS 0.00497. Exploits: 0, References: 4, Affected Software: 1.
Github Security Blog (added 2026/05/12 6:30 p.m.)

Ludwig framework is vulnerable to insecure deserialization through its predict() method.

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded using...

CVSS 9.8, AI score 6.3, EPSS 0.006. Exploits: 0, References: 4, Affected Software: 1.
OSV (added 2026/05/12 6:30 p.m.)

GHSA-WCR3-GM9F-F87Q: Ludwig framework is vulnerable to insecure deserialization through its predict() method.

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded using...

CVSS 9.8, AI score 6.3, EPSS 0.006. Exploits: 0, References: 3.
Snyk (added 2026/05/12 6:30 p.m.)

Deserialization of Untrusted Data

Overview: ludwig is described as "Declarative machine learning: End-to-end machine learning pipelines using data-driven configurations." Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the predict method. An attacker can execute arbitrary code by supplying a maliciousl...

CVSS 9.8, AI score 6.1, EPSS 0.006. Exploits: 0, References: 2.
EUVD (added 2026/05/12 6:30 p.m.)

EUVD-2026-29560

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded using...

AI score 6.3, EPSS 0.006. Exploits: 0, References: 3.
NVD (added 2026/05/12 6:16 p.m.)

CVE-2026-31237

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded using...

CVSS 9.8, EPSS 0.006. Exploits: 0, References: 2.
NVD (added 2026/05/12 6:16 p.m.)

CVE-2026-31238

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weights_only=True...

CVSS 9.8, EPSS 0.00497. Exploits: 0, References: 2.
Cvelist (added 2026/05/12 12:00 a.m.)

CVE-2026-31237

The Ludwig framework through 0.10.4 is vulnerable to insecure deserialization (CWE-502) through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle (.pkl) file, it is loaded using...

EPSS 0.006. Exploits: 0, References: 2.
CVE (added 2026/05/12 12:00 a.m.)

CVE-2026-31238

The Ludwig framework (up to 0.10.4) is vulnerable to insecure deserialization (CWE-502) in its model serving component. Starting a model server (ludwig serve) loads model weight files with torch.load() without enabling weights_only=True, allowing deserialization of arbitrary Python objects via pi...

CVSS 9.8, AI score 6.3, EPSS 0.00497. Exploits: 0, References: 2.
CVE (added 2026/05/12 12:00 a.m.)

CVE-2026-31237

The Ludwig framework (up to version 0.10.4) is reported to be vulnerable to insecure deserialization (CWE-502) in its predict() function. If a user supplies a dataset file path to predict(), Ludwig attempts to determine the file format and, when encountering a pickle (.pkl) file, loads it via pan...

CVSS 9.8, AI score 6.3, EPSS 0.006. Exploits: 0, References: 2.
Positive Technologies (added 2026/05/12 12:00 a.m.)

PT-2026-40125

Name of the Vulnerable Software and Affected Versions: Ludwig framework versions prior to 0.10.5. Description: The model serving component is subject to insecure deserialization. When initiating a model server via the ludwig serve command, the framework utilizes the torch.load function to load model...

CVSS 9.8, AI score 6.5, EPSS 0.00497. Exploits: 0, References: 7.