19 matches found

Cvelist
added 2026/04/22 1:04 p.m., 24 views

CVE-2026-6859 Instructlab: instructlab: arbitrary code execution due to hardcoded `trust_remote_code=true`

A flaw was found in InstructLab. The linuxtrain.py script hardcodes trust_remote_code=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...

CVSS 8.8 · EPSS 0.00141
Exploits 0 · References 2
PyPA
added 2026/03/18 2:16 a.m., 7 views

PYSEC-2026-103

Open Neural Network Exchange ONNX is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load due to improper logic in the repository trust verification mechanism. While the function is designed to warn users...

CVSS 9.1 · AI score 5.7 · EPSS 0.00011
Exploits 0 · References 2 · Affected Software 1
OSV
added 2026/03/18 2:16 a.m., 4 views

UBUNTU-CVE-2026-28500

Open Neural Network Exchange ONNX is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load due to improper logic in the repository trust verification mechanism. While the function is designed to warn users...

CVSS 9.1 · AI score 5.7 · EPSS 0.00011
Exploits 0 · References 3
Snyk
added 2026/02/18 3:31 p.m., 2 views

Deserialization of Untrusted Data

Overview: nemo-toolkit is NeMo, a toolkit for Conversational AI. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the model loading process with weights_only=False. An attacker can execute arbitrary code, escalate privileges, disclose sensitive information...

CVSS 8.8 · AI score 5.9 · EPSS 0.00337
Exploits 0 · References 2
Github Security Blog
added 2026/01/05 2:59 p.m., 5 views

MessagePack for Java Vulnerable to Remote DoS via Malicious EXT Payload Allocation

Summary: Affected components: org.msgpack.core.MessageUnpacker.readPayload, org.msgpack.core.MessageUnpacker.unpackValue, org.msgpack.value.ExtensionValue.getData. A denial-of-service vulnerability exists in MessagePack for Java when deserializing .msgpack files containing EXT32 objects with...

CVSS 7.5 · AI score 6.6 · EPSS 0.00028
Exploits 1 · References 5 · Affected Software 1
CVE
added 2026/01/02 8:47 p.m., 14 views

CVE-2026-21452

CVE-2026-21452 affects MessagePack for Java prior to 0.9.11. During deserialization of .msgpack files containing EXT32 objects with attacker-controlled payload lengths, ExtensionValue.getData() allocates a byte array based on the declared length without upper-bound checks, enabling remote DoS via...

CVSS 7.5 · AI score 6.6 · EPSS 0.00028
Exploits 1 · References 3 · Affected Software 1
RedhatCVE
added 2025/12/17 6:02 p.m., 1 view

CVE-2025-33212

NVIDIA NeMo Framework contains a vulnerability in model loading that could allow an attacker to exploit improper control mechanisms if a user loads a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and...

CVSS 7.8 · AI score 7.2 · EPSS 0.00229
Exploits 0 · References 1
OSV
added 2025/12/16 6:16 p.m., 3 views

CVE-2025-33212

NVIDIA NeMo Framework contains a vulnerability in model loading that could allow an attacker to exploit improper control mechanisms if a user loads a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and...

CVSS 7.8 · AI score 7.1 · EPSS 0.00229
Exploits 0 · References 3
Vulnrichment
added 2025/12/16 5:21 p.m., 1 view

CVE-2025-33212

NVIDIA NeMo Framework contains a vulnerability in model loading that could allow an attacker to exploit improper control mechanisms if a user loads a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and...

CVSS 7.3 · AI score 6.9 · EPSS 0.00229
Exploits 0 · References 3
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2025-24608

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 6.3 · EPSS 0.00453
Exploits 0 · References 3
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2025-13509

Malicious code in bioql PyPI...

CVSS 9.8 · AI score 6.6 · EPSS 0.06018
Exploits 0 · References 4
Debian CVE
added 2025/08/11 7:21 a.m., 4 views

CVE-2025-8747

A safe mode bypass vulnerability in the Model.load_model method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted .keras model archive...

CVSS 8.6 · AI score 5.5 · EPSS 0.00011
Exploits 0
Positive Technologies
added 2025/05/05 12:00 a.m., 2 views

PT-2025-19749 · Unknown · Retrieval-Based-Voice-Conversion-Webui

Name of the vulnerable software and affected versions: Retrieval-based-Voice-Conversion-WebUI versions 2.2.231006 and prior. Description: Retrieval-based-Voice-Conversion-WebUI is a voice changing framework based on VITS. The ckpt_path1 variable takes user input, such as a path to a model, and...

CVSS 9.8 · AI score 7.1 · EPSS 0.06018
Exploits 0 · References 11
RedhatCVE
added 2025/02/14 1:42 a.m., 4 views

CVE-2024-53880

NVIDIA Triton Inference Server contains a vulnerability in the model loading API, where a user could cause an integer overflow or wraparound error by loading a model with an extra-large file size that overflows an internal variable. A successful exploit of this vulnerability might lead to denial ...

CVSS 6.5 · AI score 6.9 · EPSS 0.00072
Exploits 0 · References 1
CVE
added 2025/01/27 5:38 p.m., 277 views

CVE-2025-24357

The CVE-2025-24357 issue centers on vLLM’s hf_model_weights_iterator (vllm/model_executor/weight_utils.py), which loads checkpoints via torch.load with weights_only defaulting to False. If malicious pickle data is unpickled, arbitrary code could execute on the host. This vulnerability is highlight...

CVSS 8.8 · AI score 7.7 · EPSS 0.01009
Exploits 0 · References 4 · Affected Software 1
Vulnrichment
added 2025/01/08 3:23 a.m., 4 views

CVE-2024-56456

Vulnerability of input parameters not being verified during glTF model loading in the 3D engine module. Impact: Successful exploitation of this vulnerability may affect availability...

CVSS 6.8 · AI score 6.9 · EPSS 0.00046
Exploits 0 · References 1
UbuntuCve
added 2024/04/16 9:15 p.m., 1 view

CVE-2024-3660

An arbitrary code injection vulnerability in TensorFlow's Keras framework 2.13 allows attackers to execute arbitrary code with the same permissions as the application, using a model that allows arbitrary code irrespective of the application...

CVSS 9.8 · AI score 7.7 · EPSS 0.0037
Exploits 1 · References 2
CNNVD
added 2022/07/24 12:00 a.m., 3 views

Apache MXNet security vulnerability

Apache MXNet is an open source deep learning software framework from the Apache Software Foundation in the United States. It is used for training and deploying deep neural networks. A security vulnerability exists in Apache MXNet (incubating) versions prior to 1.9.1, which stems from the use of regul...

CVSS 7.5 · AI score 7.3 · EPSS 0.04723
Exploits 0 · References 4
OSV
added 2021/11/10 6:59 p.m., 1 view

GHSA-H67M-XG8F-FXCF Deadlock in mutually recursive `tf.function` objects

Impact: The code behind the tf.function API can be made to deadlock when two tf.function-decorated Python functions are mutually recursive: python: import tensorflow as tf; @tf.function def fun1(num): if num == 1: return; print(num); fun2(num-1); @tf.function def fun2(num): if num == 0: return; print(num); fun1(num-1)...

CVSS 5.5 · AI score 6 · EPSS 0.00043
Exploits 0 · References 7