NVD HIGH: CVE-2026-31223 — The snorkel library thru v0.10.0 contains a critical insecure deserialization vu...

Tuesday, May 12, 2026 at 04:16 PM UTC·Source: NIST NVD

Updated: Monday, May 18, 2026 at 06:00 AM UTC

Executive Summary

Analysis

The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without any validation or security controls. Python's pickle module is inherently dangerous for deserializing untrusted data, as it can execute arbitrary code during the deserialization process. A remote attacker can exploit this by providing a maliciously crafted pickle file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method. CVSS Score: 8.8. Published: 2026-05-12T16:16:14.223.

Indicators of Compromise (1)

CVE (1)

CVE-2026-31223

NVD MITRE CVE

Source Attribution

Originally published by NIST NVD on May 12, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerability

Hackers Earn $1.3 Million at Pwn2Own Berlin 2026

Participants demonstrated exploits for Windows, Linux, VMware, Nvidia, and AI products. The post Hackers Earn $1.3 Million at Pwn2Own Berlin 2026 appeared first on SecurityWeek .

2h agoSecurityWeek

MEDIUMVulnerability

Former CISA nominee Sean Plankey named US CEO of defense startup

UFORCE, a London-based company founded by Ukrainians, is looking to make drones in America. The post Former CISA nominee Sean Plankey named US CEO of defense startup appeared first on CyberScoop .

2h agoCyberScoop

MEDIUMVulnerability

Weekly Update 504

It's a hot topic, the old "pay or don't pay" for hackers not to leak your data. Since recording this a few days ago, we've had Grafana go with the "no pay" approach , and I've seen a raft

2h agoTroy Hunt