CVE-2026-28500 ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack

Open Neural Network Exchange ONNX is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load due to improper logic in the repository trust verification mechanism. While the function is designed to warn users...

CVE-2026-3071

Deserialization of untrusted data in the LanguageModel class of Flair from versions 0.4.1 to latest are vulnerable to arbitrary code execution when loading a malicious model...

CVE-2026-3071

Deserialization of untrusted data in the LanguageModel class of Flair from versions 0.4.1 to latest are vulnerable to arbitrary code execution when loading a malicious model...

`trust_remote_code=False` Bypass in LightGlue Nested Config Resolution (Transformers 5.2.0) Leading to Remote Code Execution During Normal `from_pretrained()` Loading

Description Transformers contains a trust-boundary flaw in the LightGlue loading path. When loading a LightGlue model, LightGlueConfig reads trustremotecode from untrusted model config.json and reuses it for nested AutoConfig.frompretrained... resolution. This allows an attacker-controlled model...

Arbitrary File Write via Path Traversal in Orbax Checkpoint Asset Dict Keys

Description When loading a Keras model from an Orbax checkpoint directory, the writenesteddicttodir function uses dict keys from the checkpoint's asset data directly in os.path.join without any path sanitization. A crafted Orbax checkpoint can include absolute paths or path traversal sequences .....

Keras Has A Local File Disclosure Via HDF5 External Storage During Keras Weight Loading

Summary TensorFlow / Keras continues to honor HDF5 “external storage” and "ExternalLink" features when loading weights. A malicious ".weights.h5" or a ".keras" archive embedding such weights can direct "loadweights" to read from an arbitrary readable filesystem path. The bytes pulled from that pa...

Deserialization of Untrusted Data

Overview nemo-toolkit is a NeMo - a toolkit for Conversational AI Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the model loading process with weightsonly=False. An attacker can execute arbitrary code, escalate privileges, disclose sensitive information...

GHSA-GFMX-QQQH-F38Q Duplicate Advisory: Keras vulnerable to arbitrary file read in the model loading mechanism (HDF5 integration)

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-3m4q-jmj6-r34q. This link is maintained to preserve external references. Original Description Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all...

Duplicate Advisory: Keras vulnerable to arbitrary file read in the model loading mechanism (HDF5 integration)

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-3m4q-jmj6-r34q. This link is maintained to preserve external references. Original Description Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all...

DEBIAN-CVE-2026-1669

Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references...

CVE-2026-1669

Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references...

CVE-2026-1669

Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references...

CVE-2026-1669

Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references...

CVE-2026-1669

CVE-2026-1669 describes an arbitrary file read in the Keras model loading path via HDF5 external dataset references. Affected versions are Keras 3.0.0 through 3.13.1 on all supported platforms. The vulnerability arises in the HDF5 integration used during model loading, enabling a remote attacker ...

CVE-2026-1669 Arbitrary File Read in Keras via HDF5 External Datasets

Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references...

CVE-2026-1669 Arbitrary File Read in Keras via HDF5 External Datasets

Arbitrary file read in the model loading mechanism HDF5 integration in Keras versions 3.0.0 through 3.13.1 on all supported platforms allows a remote attacker to read local files and disclose sensitive information via a crafted .keras model file utilizing HDF5 external dataset references...

Keras 安全漏洞

Keras is an open-source deep learning framework with multiple backends. Versions of Keras 3.13.1 and earlier contain security vulnerabilities. These vulnerabilities stem from defects in the model loading mechanism HDF5 integration, which could allow remote attackers to read local files through...

PT-2026-7728

Name of the Vulnerable Software and Affected Versions Keras versions 3.0.0 through 3.13.1 Description A flaw exists in the model loading mechanism, specifically within the HDF5 integration of Keras. This issue allows a remote attacker to read local files and potentially disclose sensitive...

CVE-2026-22807

A flaw was found in vLLM, an inference and serving engine for large language models LLMs. This vulnerability allows a remote attacker to achieve arbitrary code execution on the vLLM host during model loading. This occurs because vLLM loads Hugging Face automap dynamic modules without properly...

Azure Linux 3.0 Security Update: keras (CVE-2025-1550)

The version of keras installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-1550 advisory. - The Keras Model.loadmodel function permits arbitrary code execution, even with safemode=True, through a manual...