NVD HIGH: CVE-2026-31222 — The snorkel library thru v0.10.0 contains an insecure deserialization vulnerabil...

Tuesday, May 12, 2026 at 04:16 PM UTC·Source: NIST NVD

Updated: Monday, May 18, 2026 at 05:00 AM UTC

Executive Summary

Analysis

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() method of the Trainer class. The method loads model checkpoint files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method. CVSS Score: 8.8. Published: 2026-05-12T16:16:14.120.

Indicators of Compromise (1)

CVE (1)

CVE-2026-31222

NVD MITRE CVE

Source Attribution

Originally published by NIST NVD on May 12, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerability

Hackers Earn $1.3 Million at Pwn2Own Berlin 2026

Participants demonstrated exploits for Windows, Linux, VMware, Nvidia, and AI products. The post Hackers Earn $1.3 Million at Pwn2Own Berlin 2026 appeared first on SecurityWeek .

2h agoSecurityWeek

MEDIUMVulnerability

Former CISA nominee Sean Plankey named US CEO of defense startup

UFORCE, a London-based company founded by Ukrainians, is looking to make drones in America. The post Former CISA nominee Sean Plankey named US CEO of defense startup appeared first on CyberScoop .

2h agoCyberScoop

MEDIUMVulnerability

Weekly Update 504

It's a hot topic, the old "pay or don't pay" for hackers not to leak your data. Since recording this a few days ago, we've had Grafana go with the "no pay" approach , and I've seen a raft

2h agoTroy Hunt