CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Github Security Blog•added 2026/05/11 6:31 p.m.•6 views

flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism

7.3CVSS6.1AI score0.00047EPSS

Exploits0References4Affected Software1

EUVD•added 2026/05/11 6:31 p.m.•6 views

EUVD-2026-29100

NVD•added 2026/05/11 6:16 p.m.•4 views

CVE-2026-41256

jq is a command-line JSON processor. In 1.8.1 and earlier, Top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter file such as . followed by \x00 and arbitrary suffix compiles and executes as only the prefix before...

5.5CVSS0.00013EPSS

Exploits1References1

OSV•added 2026/05/11 6:16 p.m.•0 views

UBUNTU-CVE-2026-44777

jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other...

6.8CVSS5.8AI score0.00013EPSS

Exploits1References3

Vulnrichment•added 2026/05/11 5:23 p.m.•7 views

CVE-2026-44777 jq: stack overflow in module loading on mutual `include`

jq is a command-line JSON processor. In 1.8.2rc1 and earlier, the ordinary module loader recurses without cycle detection when two otherwise valid modules include each other...

6.8CVSS5.8AI score0.00013EPSS

Exploits1References1

NVD•added 2026/05/11 5:16 p.m.•8 views

CVE-2026-31253

7.3CVSS0.00047EPSS

NVD•added 2026/05/11 5:16 p.m.•5 views

CVE-2026-31252

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its model loading component. The framework uses torch.load to load model weight files e.g., llm.pt, flow.pt, hift.pt without enabling the security-restrictive...

5.7CVSS0.00017EPSS

Snyk•added 2026/05/11 4:20 p.m.•5 views

Server-side Request Forgery (SSRF)

Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the urlUpload function. An attacker can access internal network resources and sensitive metadata by submitting a crafted URL containing .tar.gz that bypasses...

7.7CVSS5.9AI score0.00032EPSS

Snyk•added 2026/05/11 4:20 p.m.•6 views

Server-side Request Forgery (SSRF)

Overview @budibase/backend-core is a Budibase backend core libraries used in server and worker Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the urlUpload function. An attacker can access internal network resources and sensitive metadata by submitting a...

7.7CVSS5.9AI score0.00032EPSS

Github Security Blog•added 2026/05/11 2:57 p.m.•9 views

python-liquid: Absolute paths escape filesystem loader search path

Impact The built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the % include % and % render % tags. Targeted files...

8.2CVSS5.9AI score0.0009EPSS

Exploits0References2Affected Software1

Vulnrichment•added 2026/05/11 12:0 a.m.•6 views

CVE-2026-31253

Vulnrichment•added 2026/05/11 12:0 a.m.•4 views

CVE-2026-31252

6.1AI score0.00017EPSS

ATTACKERKB•added 2026/05/11 12:0 a.m.•4 views

CVE-2026-31250

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its averagemodel.py model averaging tool. The script loads PyTorch checkpoint files epoch.pt for model averaging using torch.load without enabling the...

CNNVD•added 2026/05/11 12:0 a.m.•4 views

FlashAttention 安全漏洞

FlashAttention is an efficient and memory-efficient attention mechanism implementation tool open-sourced by Dao AI Lab. There is a security vulnerability in FlashAttention, which stems from the checkpoint loading mechanism using torch.load to load checkpoint files without enabling the...

7.3CVSS6.2AI score0.00047EPSS

ATTACKERKB•added 2026/05/11 12:0 a.m.•4 views

CVE-2026-31253

Positive Technologies•added 2026/05/11 12:0 a.m.•6 views

PT-2026-39638

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains an insecure deserialization vulnerability CWE-502 in its checkpoint loading mechanism. The load checkpoint function in checkpoint.py and the checkpoint loading code in eval.py use...

ATTACKERKB•added 2026/05/11 12:0 a.m.•5 views

CVE-2026-31252

6.1AI score0.00017EPSS

Cvelist•added 2026/05/11 12:0 a.m.•26 views

CVE-2026-31251

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load without enabling the...

0.00041EPSS

CVE•added 2026/05/11 12:0 a.m.•6 views

CVE-2026-31253

The CVE-2026-31253 entry concerns the flash-attention training framework. A deserialization flaw exists in the checkpoint loading path (checkpoint.py load_checkpoint and eval.py) where torch.load() is used without weights_only=True, enabling pickle-based object deserialization. This can allow an ...

7.3CVSS6.1AI score0.00047EPSS