Lucene search
K

392 matches found

Github Security Blog
Github Security Blog
added 2026/05/11 6:31 p.m.10 views

flash-attention contains an insecure deserialization vulnerability in its checkpoint loading mechanism

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains an insecure deserialization vulnerability CWE-502 in its checkpoint loading mechanism. The loadcheckpoint function in checkpoint.py and the checkpoint loading code in eval.py use...

7.3CVSS6.1AI score0.00218EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/05/11 5:16 p.m.23 views

CVE-2026-31251

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load without enabling the...

7.3CVSS0.00218EPSS
Exploits0References2
NVD
NVD
added 2026/05/11 5:16 p.m.47 views

CVE-2026-31253

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains an insecure deserialization vulnerability CWE-502 in its checkpoint loading mechanism. The loadcheckpoint function in checkpoint.py and the checkpoint loading code in eval.py use...

7.3CVSS0.00218EPSS
Exploits0References2
NVD
NVD
added 2026/05/11 5:16 p.m.43 views

CVE-2026-31250

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its averagemodel.py model averaging tool. The script loads PyTorch checkpoint files epoch.pt for model averaging using torch.load without enabling the...

7.3CVSS0.00222EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/11 12:0 a.m.8 views

CVE-2026-31253

The flash-attention training framework thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains an insecure deserialization vulnerability CWE-502 in its checkpoint loading mechanism. The loadcheckpoint function in checkpoint.py and the checkpoint loading code in eval.py use...

6.1AI score0.00218EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/11 12:0 a.m.34 views

CVE-2026-31252

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its model loading component. The framework uses torch.load to load model weight files e.g., llm.pt, flow.pt, hift.pt without enabling the security-restrictive...

0.00112EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/11 12:0 a.m.34 views

CVE-2026-31251

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load without enabling the...

0.00218EPSS
Exploits0References2
CVE
CVE
added 2026/05/11 12:0 a.m.21 views

CVE-2026-31252

CosyVoice Web UI vulnerability (CVE-2026-31252) arises from insecure deserialization (CWE-502) in the model loading component. The framework loads model weight files (e.g., llm.pt, flow.pt, hift.pt) with torch.load() without enabling weights_only=True, permitting arbitrary Python object deseriali...

5.7CVSS6.1AI score0.00112EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.18 views

PT-2026-39635

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its average model.py model averaging tool. The script loads PyTorch checkpoint files epoch .pt for model averaging using torch.load without enabling the weights...

6.1AI score0.00222EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.11 views

PT-2026-39637

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its model loading component. The framework uses torch.load to load model weight files e.g., llm.pt, flow.pt, hift.pt without enabling the security-restrictive...

6.1AI score0.00112EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/11 12:0 a.m.7 views

CVE-2026-31250

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its averagemodel.py model averaging tool. The script loads PyTorch checkpoint files epoch.pt for model averaging using torch.load without enabling the...

6.1AI score0.00222EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/11 12:0 a.m.5 views

CVE-2026-31251

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load without enabling the...

6.1AI score0.00218EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.11 views

CosyVoice 安全漏洞

CosyVoice is an open-source voice generation and AI voice cloning platform developed by FunAudioLLM. CosyVoice has a security vulnerability. This vulnerability stems from the averagemodel.py model averaging tool, which loads checkpoint files using torch.load without enabling the weights-only=True...

7.3CVSS6.2AI score0.00222EPSS
Exploits0References2
CVE
CVE
added 2026/05/11 12:0 a.m.14 views

CVE-2026-31251

CVE-2026-31251 affects CosyVoice’s gRPC server component. During startup, the server loads the speech synthesis model from a user-specified directory via torch.load() without enabling the weights_only=True security parameter, enabling the pickle-based deserialization of arbitrary Python objects. ...

7.3CVSS6.1AI score0.00218EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.14 views

PT-2026-39636

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load without enabling the...

6.1AI score0.00218EPSS
Exploits0References3
CVE
CVE
added 2026/05/11 12:0 a.m.28 views

CVE-2026-31253

The CVE-2026-31253 entry concerns the flash-attention training framework. A deserialization flaw exists in the checkpoint loading path (checkpoint.py load_checkpoint and eval.py) where torch.load() is used without weights_only=True, enabling pickle-based object deserialization. This can allow an ...

7.3CVSS6.1AI score0.00218EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/11 12:0 a.m.10 views

CVE-2026-31251

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its gRPC server component. When the server starts, it loads the speech synthesis model from a user-specified directory using torch.load without enabling the...

6.1AI score0.00218EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.10 views

CosyVoice 安全漏洞

CosyVoice is an open-source voice generation and AI voice cloning platform developed by FunAudioLLM. There was a security vulnerability in the previous version of CosyVoice. This vulnerability stemmed from the model loading component using torch.load to load model weight files without enabling th...

5.7CVSS6.2AI score0.00112EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/11 12:0 a.m.7 views

CVE-2026-31252

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its model loading component. The framework uses torch.load to load model weight files e.g., llm.pt, flow.pt, hift.pt without enabling the security-restrictive...

6.1AI score0.00112EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/11 12:0 a.m.7 views

CVE-2026-31252

CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e 2025-30-21 contains an insecure deserialization vulnerability CWE-502 in its model loading component. The framework uses torch.load to load model weight files e.g., llm.pt, flow.pt, hift.pt without enabling the security-restrictive...

6.1AI score0.00112EPSS
Exploits0References2
Rows per page
Query Builder