
64 matches found

vulnersOsv
added 2026/04/28 8:18 p.m. | 0 views

fl-manager-components-datasets-torch (=0.1.0), fl-manager-components-formatters-pillow (=0.1.0) +11 more potentially affected by CVE-2026-24178 via nvflare (>=2.2.0 <=2.7.1)

nvflare PYPI version =2.2.0, =0.1.0, =0.2.0, =3.1.27, =3.1.27, =3.1.29, =3.1.31 Source cves: CVE-2026-24178 Source advisory: SNYK:PYTHON-NVFLARE-16318747...

CVSS 9.8 | AI score 5.8 | EPSS 0.00248
Exploits: 0
vulnersOsv
added 2026/04/07 8:17 p.m. | 2 views

2404-segmentation-pipeline (>=0.1.0 <=1.0.0), abdomenatlas (>=0.1.0 <=0.1.1) +130 more potentially affected by unknown CVE via monai (>=1.0.0 <=1.5.2)

monai PYPI version =1.0.0, =0.1.0, =0.1.0, =0.0.1, =1.0.0, =0.0.0, =11.1.0, =0.9.0, =1.0.0, =1.1.0, =0.1.0, =0.0.1, =0.1.0, =2.0.1, =2.2.1 and more Source cves: unknown CVE Source advisory: SNYK:PYTHON-MONAI-15928871...

AI score 5.8
Exploits: 0
OSV
added 2026/04/07 8:17 p.m. | 0 views

GHSA-89GG-P5R5-Q6R4 MONAI: Unsafe functions lead to pickle deserialization rce

Summary The algo_from_pickle function in monai/auto3dseg/utils.py causes pickle.loads(data_bytes) to be executed, and it does not perform any validation on the input parameters. This ultimately leads to insecure deserialization and can result in code execution vulnerabilities. Details poc import pickl...

CVSS 7.6 | AI score 6.2
Exploits: 0 | References: 3
Github Security Blog
added 2026/04/07 8:17 p.m. | 2 views

MONAI: Unsafe functions lead to pickle deserialization rce

Summary The algo_from_pickle function in monai/auto3dseg/utils.py causes pickle.loads(data_bytes) to be executed, and it does not perform any validation on the input parameters. This ultimately leads to insecure deserialization and can result in code execution vulnerabilities. Details poc import pickl...

AI score 6.3
Exploits: 0 | References: 3 | Affected Software: 1
Snyk
added 2026/04/07 8:17 p.m. | 0 views

Deserialization of Untrusted Data

Overview monai is an AI Toolkit for Healthcare Imaging Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the algo_from_pickle function in monai/auto3dseg/utils.py. An attacker can execute arbitrary code by providing a crafted pickle file that is deserialized...

CVSS 8.8 | AI score 6.1
Exploits: 0 | References: 2
Veracode
added 2026/02/10 12:22 p.m. | 3 views

Path Traversal

MONAI is vulnerable to a Path Traversal. The vulnerability is due to the use of zipfile.ZipFile.extractall without proper path validation in the _download_from_ngc_private function, which allows an attacker to craft a malicious ZIP archive that writes files outside the intended extraction directory a...

CVSS 5.3 | AI score 5.8 | EPSS 0.00022
Exploits: 1 | References: 2 | Affected Software: 1
RedhatCVE
added 2026/01/09 9:10 a.m. | 1 view

CVE-2026-21851

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's _download_from_ngc_private function. The function uses zipfile.ZipFile.extractall without path validation, while other similar...

CVSS 5.3 | AI score 6.7 | EPSS 0.00022
Exploits: 1 | References: 1
NVD
added 2026/01/07 11:15 p.m. | 3 views

CVE-2026-21851

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's _download_from_ngc_private function. The function uses zipfile.ZipFile.extractall without path validation, while other similar...

CVSS 5.3 | EPSS 0.00022
Exploits: 1 | References: 2
CVE
added 2026/01/07 10:27 p.m. | 7 views

CVE-2026-21851

MONAI has a Path Traversal (Zip Slip) vulnerability in its NGC private bundle download path. In MONAI

CVSS 5.3 | AI score 6.4 | EPSS 0.00022
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2026/01/07 10:27 p.m. | 2 views

CVE-2026-21851 MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's _download_from_ngc_private function. The function uses zipfile.ZipFile.extractall without path validation, while other similar...

CVSS 5.3 | AI score 6.3 | EPSS 0.00022
Exploits: 1 | References: 4
Vulnrichment
added 2026/01/07 10:27 p.m. | 1 view

CVE-2026-21851 MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's _download_from_ngc_private function. The function uses zipfile.ZipFile.extractall without path validation, while other similar...

CVSS 5.3 | AI score 6.4 | EPSS 0.00022
Exploits: 1 | References: 2
EUVD
added 2026/01/07 10:27 p.m. | 1 view

EUVD-2026-1039

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's _download_from_ngc_private function. The function uses zipfile.ZipFile.extractall without path validation, while other similar...

CVSS 5.3 | AI score 6.2 | EPSS 0.00022
Exploits: 1 | References: 3
CNNVD
added 2026/01/07 12:0 a.m. | 1 view

MONAI Path Traversal Vulnerability

MONAI is a medical imaging AI toolkit open-sourced by Project MONAI. A path traversal vulnerability exists in MONAI 1.5.1 and earlier versions, which stems from the _download_from_ngc_private function using zipfile.ZipFile.extractall without path validation, which could lead to a path traversal attac...

CVSS 5.3 | AI score 6.4 | EPSS 0.00022
Exploits: 1 | References: 2
Positive Technologies
added 2026/01/07 12:0 a.m. | 1 view

PT-2026-2101

Name of the Vulnerable Software and Affected Versions MONAI versions up to and including 1.5.1 Description MONAI Medical Open Network for AI is an AI toolkit for health care imaging. A Path Traversal Zip Slip issue exists in the download from ngc private function. This function utilizes...

CVSS 5.3 | AI score 6.5 | EPSS 0.00022
Exploits: 1 | References: 7
vulnersOsv
added 2026/01/06 5:32 p.m. | 1 view

2404-segmentation-pipeline (>=0.1.0 <=1.0.0), abdomenatlas (>=0.1.0 <=0.1.1) +43 more potentially affected by CVE-2026-21851 via monai (>=1.0.0 <=1.5.1)

monai PYPI version =1.0.0, =0.1.0, =0.1.0, =0.0.1, =1.0.0, =0.0.0, =0.0.1, =2.0.1, =0.1.5, =0.4.2, =1.0.12, =0.0.5, =0.0.6 - emphysemaseg =0.1.0 and more Source cves: CVE-2026-21851 Source advisory: SNYK:PYTHON-MONAI-14892724...

CVSS 5.3 | AI score 5.8 | EPSS 0.00022
Exploits: 1
Github Security Blog
added 2026/01/06 5:32 p.m. | 6 views

MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download

Summary A Path Traversal (Zip Slip) vulnerability exists in MONAI's _download_from_ngc_private function. The function uses zipfile.ZipFile.extractall without path validation, while other similar download functions in the same codebase properly use the existing safe_extract_member function. This appears t...

CVSS 5.3 | AI score 7.2 | EPSS 0.00022
Exploits: 1 | References: 4 | Affected Software: 1
OSV
added 2026/01/06 5:32 p.m. | 0 views

GHSA-9RG3-9PVR-6P27 MONAI has Path Traversal (Zip Slip) in NGC Private Bundle Download

Summary A Path Traversal (Zip Slip) vulnerability exists in MONAI's _download_from_ngc_private function. The function uses zipfile.ZipFile.extractall without path validation, while other similar download functions in the same codebase properly use the existing safe_extract_member function. This appears t...

CVSS 5.3 | AI score 6 | EPSS 0.00022
Exploits: 1 | References: 4
Snyk
added 2026/01/06 5:32 p.m. | 5 views

Directory Traversal

Overview monai is an AI Toolkit for Healthcare Imaging Affected versions of this package are vulnerable to Directory Traversal via the _download_from_ngc_private function. An attacker can write files outside the intended extraction directory by providing a crafted ZIP archive containing path traversa...

CVSS 6 | AI score 6.3 | EPSS 0.00022
Exploits: 1 | References: 2
Veracode
added 2025/10/16 7:23 a.m. | 2 views

Deserialization Of Untrusted Data

monai is vulnerable to Unsafe Deserialization. The vulnerability is due to the pickle_operations function automatically deserializing dictionary key-value pairs with a specific suffix without any validation. An attacker can supply crafted pickle payloads to execute arbitrary code when those value...

CVSS 8.8 | AI score 7.9 | EPSS 0.01056
Exploits: 1 | References: 5 | Affected Software: 1
EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2025-27191

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 6.3 | EPSS 0.0019
Exploits: 1 | References: 4