17 matches found
entity-model (>=1.0.0 <=1.0.9), fast-whisper-diarizer (>=0.1.2 <=0.1.32) +24 more potentially affected by CVE-2026-24157 via nemo-toolkit (>=2.0.0rc0 <=2.6.1)
nemo-toolkit PYPI version =2.0.0rc0, =1.0.0, =0.1.2, =0.2.7, =5.1.6, =1.0.0, =0.0.1, =0.0.1, =0.1.1, =0.1.0, =1.0.0, =2.0.8, =1.0.0, =5.0.7 and more Source cves: CVE-2026-24157 Source advisory: SNYK:PYTHON-NEMOTOOLKIT-15912166...
entity-model (>=1.0.0 <=1.0.9), fast-whisper-diarizer (>=0.1.2 <=0.1.32) +24 more potentially affected by CVE-2026-24159 via nemo-toolkit (>=2.0.0rc0 <=2.6.1)
nemo-toolkit PYPI version =2.0.0rc0, =1.0.0, =0.1.2, =0.2.7, =5.1.6, =1.0.0, =0.0.1, =0.0.1, =0.1.1, =0.1.0, =1.0.0, =2.0.8, =1.0.0, =5.0.7 and more Source cves: CVE-2026-24159 Source advisory: SNYK:PYTHON-NEMOTOOLKIT-15912093...
entity-model (>=1.0.0 <=1.0.9), fast-whisper-diarizer (>=0.1.2 <=0.1.32) +29 more potentially affected by CVE-2026-24159 via nemo-toolkit (>=1.23.0 <=2.6.1)
nemo-toolkit PYPI version =1.23.0, =1.0.0, =0.1.2, =0.2.7, =5.1.6, =1.0.0, =0.0.1, =0.0.1, =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.2.3a1 and more Source cves: CVE-2026-24159 Source advisory: OSV:GHSA-V7V2-M736-CF3C...
Deserialization of Untrusted Data
Overview: nemo-toolkit is NeMo, a toolkit for Conversational AI. Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the torch.load checkpoint and model import paths in the nemo collections and checkpoint utilities. An attacker can execute arbitrary code...
Deserialization of Untrusted Data
Overview: nemo-toolkit is NeMo, a toolkit for Conversational AI. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the HFCheckpointIO checkpoint-loading process in nemo/lightning/io/hf.py. An attacker can execute arbitrary code on the victim system by supplyin...
fast-whisper-diarizer (>=0.1.2 <=0.1.32), faster-whisper-hotkey (>=0.2.7 <=0.4.3) +16 more potentially affected by CVE-2025-33253 via nemo-toolkit (>=0.10.1 <=2.5.3)
nemo-toolkit PYPI version =0.10.1, =0.1.2, =0.2.7, =1.0.0, =0.0.1, =0.0.1, =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.1.0.dev201117, =0.1.0.dev210511 and more Source cves: CVE-2025-33253 Source advisory: OSV:GHSA-HVJW-VP7G-39H5...
fast-whisper-diarizer (>=0.1.2 <=0.1.32), faster-whisper-hotkey (>=0.2.7 <=0.4.3) +15 more potentially affected by CVE-2025-33253 via nemo-toolkit (>=1.23.0 <=2.5.3)
nemo-toolkit PYPI version =1.23.0, =0.1.2, =0.2.7, =1.0.0, =0.0.1, =0.0.1, =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.0.3, =0.0.4 and more Source cves: CVE-2025-33253 Source advisory: OSV:GHSA-HVJW-VP7G-39H5...
fast-whisper-diarizer (>=0.1.2 <=0.1.32), faster-whisper-hotkey (>=0.2.7 <=0.4.3) +16 more potentially affected by CVE-2025-33245 via nemo-toolkit (>=0.10.1 <=2.5.3)
nemo-toolkit PYPI version =0.10.1, =0.1.2, =0.2.7, =1.0.0, =0.0.1, =0.0.1, =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.1.0.dev201117, =0.1.0.dev210511 and more Source cves: CVE-2025-33245 Source advisory: OSV:GHSA-9379-MWVR-7WXX...
fast-whisper-diarizer (>=0.1.2 <=0.1.32), faster-whisper-hotkey (>=0.2.7 <=0.4.3) +15 more potentially affected by CVE-2025-33245 via nemo-toolkit (>=1.23.0 <=2.5.3)
nemo-toolkit PYPI version =1.23.0, =0.1.2, =0.2.7, =1.0.0, =0.0.1, =0.0.1, =0.1.1, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.0.3, =0.0.4 and more Source cves: CVE-2025-33245 Source advisory: OSV:GHSA-9379-MWVR-7WXX...
Deserialization of Untrusted Data
Overview: nemo-toolkit is NeMo, a toolkit for Conversational AI. Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the model loading process with weights_only=False. An attacker can execute arbitrary code, escalate privileges, disclose sensitive information...
CVE-2025-33203
NVIDIA NeMo Agent Toolkit UI for Web contains a vulnerability in the chat API endpoint where an attacker may cause a Server-Side Request Forgery. A successful exploit of this vulnerability may lead to information disclosure and denial of service...
Deserialization of Untrusted Data
Overview: nemo-toolkit is NeMo, a toolkit for Conversational AI. Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the deserialization of untrusted data. An attacker can execute arbitrary code and tamper with data by providing specially crafted input th...
fast-whisper-diarizer (>=0.1.2 <=0.1.32), faster-whisper-hotkey (>=0.2.7 <=0.4.3) +7 more potentially affected by CVE-2025-23303 via nemo-toolkit (>=2.0.0rc0 <=2.3.0)
nemo-toolkit PYPI version =2.0.0rc0, =0.1.2, =0.2.7, =1.0.0, =0.1.0, =1.0.0, =1.0.7 Source cves: CVE-2025-23303 Source advisory: SNYK:PYTHON-NEMOTOOLKIT-12089392...
Directory Traversal
Overview: nemo-toolkit is NeMo, a toolkit for Conversational AI. Affected versions of this package are vulnerable to Directory Traversal via the model loading process. An attacker can execute arbitrary code and tamper with data by supplying a .nemo file containing maliciously crafted metadata...
fast-whisper-diarizer (>=0.1.2 <=0.1.32), faster-whisper-hotkey (>=0.2.7 <=0.4.3) +7 more potentially affected by CVE-2025-23304 via nemo-toolkit (>=2.0.0rc0 <=2.3.0)
nemo-toolkit PYPI version =2.0.0rc0, =0.1.2, =0.2.7, =1.0.0, =0.1.0, =1.0.0, =1.0.7 Source cves: CVE-2025-23304 Source advisory: SNYK:PYTHON-NEMOTOOLKIT-11953977...
nemo-curator (=0.5.1), neural-sync (>=0.1.0 <=0.1.2) +4 more potentially affected by CVE-2022-22821 via nemo-toolkit (>=0.10.1 <=1.5.1)
nemo-toolkit PYPI version =0.10.1, =0.1.0, =0.1.0, =0.0.1, =0.1.0.dev201117, =0.0.3, =0.0.4 Source cves: CVE-2022-22821 Source advisory: OSV:GHSA-9HG3-HMMF-C3GR...
nemo-curator (=0.5.1), neural-sync (>=0.1.0 <=0.1.2) +3 more potentially affected by CVE-2022-22821 via nemo-toolkit (>=1.23.0 <=1.5.1)
nemo-toolkit PYPI version =1.23.0, =0.1.0, =0.1.0, =0.0.1, =0.0.3, =0.0.4 Source cves: CVE-2022-22821 Source advisory: OSV:GHSA-9HG3-HMMF-C3GR...