NVD HIGH: CVE-2026-31221 — PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization...

Tuesday, May 12, 2026 at 04:16 PM UTC·Source: NIST NVD

Updated: Monday, May 18, 2026 at 05:00 AM UTC

Executive Summary

Analysis

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim's system when the file is loaded. CVSS Score: 7.8. Published: 2026-05-12T16:16:14.020.

Indicators of Compromise (1)

CVE (1)

CVE-2026-31221

NVD MITRE CVE

Source Attribution

Originally published by NIST NVD on May 12, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerability

Hackers Earn $1.3 Million at Pwn2Own Berlin 2026

Participants demonstrated exploits for Windows, Linux, VMware, Nvidia, and AI products. The post Hackers Earn $1.3 Million at Pwn2Own Berlin 2026 appeared first on SecurityWeek .

2h agoSecurityWeek

MEDIUMVulnerability

Former CISA nominee Sean Plankey named US CEO of defense startup

UFORCE, a London-based company founded by Ukrainians, is looking to make drones in America. The post Former CISA nominee Sean Plankey named US CEO of defense startup appeared first on CyberScoop .

2h agoCyberScoop

MEDIUMVulnerability

Weekly Update 504

It's a hot topic, the old "pay or don't pay" for hackers not to leak your data. Since recording this a few days ago, we've had Grafana go with the "no pay" approach , and I've seen a raft

2h agoTroy Hunt