15 matches found
CVE-2026-31237
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle .pkl file, it is loaded using...
CVE-2026-31238
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weightsonly=True...
Deserialization of Untrusted Data
Overview ludwig is a Declarative machine learning: End-to-end machine learning pipelines using data-driven configurations. Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the model serving process. An attacker can execute arbitrary code on the system by...
GHSA-WCR3-GM9F-F87Q Ludwig framework is vulnerable to insecure deserialization through its predict() method.
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle .pkl file, it is loaded using...
GHSA-XP5Q-5Q7G-Q26R Ludwig framework is vulnerable to insecure deserialization in its model serving component
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weightsonly=True...
Ludwig framework is vulnerable to insecure deserialization in its model serving component
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weightsonly=True...
Ludwig framework is vulnerable to insecure deserialization through its predict() method.
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle .pkl file, it is loaded using...
EUVD-2026-29561
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weightsonly=True...
CVE-2026-31238
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weightsonly=True...
CVE-2026-31237
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle .pkl file, it is loaded using...
CVE-2026-31238
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weightsonly=True...
CVE-2026-31238
The Ludwig framework (up to 0.10.4) is vulnerable to insecure deserialization (CWE-502) in its model serving component. Starting a model server (ludwig serve) loads model weight files with torch.load() without enabling weights_only=True, allowing deserialization of arbitrary Python objects via pi...
PT-2026-40125
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 in its model serving component. When starting a model server with the ludwig serve command, the framework loads model weight files using torch.load without enabling the security-restrictive weights only=True...
PT-2026-40124
The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization CWE-502 through its predict method. When a user provides a dataset file path to the predict method, the framework automatically determines the file format. If the file is a pickle .pkl file, it is loaded using pandas.read...
CVE-2026-31237
The Ludwig framework (up to version 0.10.4) is reported to be vulnerable to insecure deserialization (CWE-502) in its predict() function. If a user supplies a dataset file path to predict(), Ludwig attempts to determine the file format and, when encountering a pickle (.pkl) file, loads it via pan...