EUVD-2025-22763

Malicious code in bioql PyPI...

EUVD-2025-23967

Malicious code in bioql PyPI...

CVE-2025-54886

skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.getmodel does not contain any logic to prevent arbitrary code execution. The Card.getmodel function supports both joblib and skops for model loading. When loading...

CVE-2025-54886 skops: Card.get_model does not block arbitrary code execution

skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.getmodel does not contain any logic to prevent arbitrary code execution. The Card.getmodel function supports both joblib and skops for model loading. When loading...

Skops 代码问题漏洞

Skops is a Python library from the Skops project that helps share scikit-learn-based models and put them into production. A code issue vulnerability exists in Skops 0.12.0 and earlier versions that stems from the Card.getmodel function not preventing arbitrary code execution, which could lead to ...

GHSA-378X-6P4F-8JGM SKOPS Card.get_model happily allows arbitrary code execution

Summary The Card class of skops, used for model documentation and sharing, allows arbitrary code execution. When a file other than .zip is provided to the Card class during instantiation, the internally invoked Card.getmodel method silently falls back to joblib without warning. Unlike the .skops...

SKOPS Card.get_model happily allows arbitrary code execution

Summary The Card class of skops, used for model documentation and sharing, allows arbitrary code execution. When a file other than .zip is provided to the Card class during instantiation, the internally invoked Card.getmodel method silently falls back to joblib without warning. Unlike the .skops...

CVE-2025-54413

A flaw was found in skops. An inconsistency in MethodNode allows access to unexpected object fields through dot notation when a specially crafted model file is loaded. This issue allows arbitrary code execution at load time...

CVE-2025-54412

A flaw was found in skops. An inconsistency in OperatorFuncNode can hide the execution of untrusted operator methods when a specially crafted model file is loaded. This issue allows arbitrary code execution at load time...

CVE-2025-54413

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at loa...

CVE-2025-54413 skops' MethodNode can access unexpected object fields through dot notation, leading to arbitrary code execution at load time

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at loa...

CVE-2025-54412 skops' Inconsistent Trusted Type Validation Enables Hidden `operator` Methods Execution

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain a inconsistency in the OperatorFuncNode which can be exploited to hide the execution of untrusted operator methods. This can then be used in a code reuse attack to invoke...

CVE-2025-54412 skops' Inconsistent Trusted Type Validation Enables Hidden `operator` Methods Execution

skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain a inconsistency in the OperatorFuncNode which can be exploited to hide the execution of untrusted operator methods. This can then be used in a code reuse attack to invoke...

CVE-2025-54412

Skops (Python) CVE-2025-54412 involves an inconsistency in OperatorFuncNode validation that can let an attacker craft a model file which, while appearing to trust certain types, actually executes operator.call and arbitrary code during load. Affected versions: 0.11.0 and earlier; fixed in 0.12.0....

CVE-2024-37065

Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when loaded...

CVE-2024-37065

Deserialization of untrusted data can occur in versions 0.6 or newer of the skops python library, enabling a maliciously crafted model to run arbitrary code on an end user's system when loaded...