5 matches found

Vulnrichment
added 2026/05/11 12:0 a.m. | 7 views

CVE-2026-31251

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load without enabling the...

6.1 AI score | 0.00041 EPSS
Exploits: 0 | References: 2
Snyk
added 2026/01/27 9:49 p.m. | 3 views

Deserialization of Untrusted Data

Overview: torch is a Tensors and Dynamic neural networks in Python with strong GPU acceleration. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the load_state_dict function, used during unpickling. An attacker can corrupt heap memory by convincing a user to...

8.8 CVSS | 5.9 AI score | 0.00065 EPSS
Exploits: 1 | References: 3
CVE
added 2025/09/08 11:39 p.m. | 16 views

CVE-2025-58756

MONAI (Medical Open Network for AI) vulnerability CVE-2025-58756 involves insecure deserialization during model loading. The code path in monai/bundle/scripts.py uses torch.load with weights_only=True for certain loads, but other loading paths can deserialize untrusted content from checkpoints, ...

8.8 CVSS | 6.9 AI score | 0.02763 EPSS
Exploits: 1 | References: 1 | Affected Software: 1
Vulnrichment
added 2025/09/08 11:39 p.m. | 1 views

CVE-2025-58756 MONAI's unsafe torch usage may lead to arbitrary code execution

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in `model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)` in monai/bundle/scripts.py, `weights_only=True` is loaded securely. However, insecure loading method...

8.8 CVSS | 6.9 AI score | 0.02763 EPSS
Exploits: 1 | References: 1
PyPA
added 2025/03/20 10:15 a.m. | 7 views

PYSEC-2025-9

A remote code execution vulnerability exists in invoke-ai/invokeai versions 5.3.1 through 5.4.2 via the /api/v2/models/install API. The vulnerability arises from unsafe deserialization of model files using torch.load without proper validation. Attackers can exploit this by embedding malicious cod...

9.8 CVSS | 8.2 AI score | 0.44157 EPSS
Exploits: 5 | References: 2 | Affected Software: 1