cvedb.io
CVE-2026-31223
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2026-05-12T16:16:14.223 · Last modified 2026-06-17T10:33:27.617

Summary

The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler.load() method of the BaseLabeler class. The method loads serialized labeler models using the unsafe pickle.load() function on user-supplied file paths without any validation or security controls. Python's pickle module is inherently dangerous for deserializing untrusted data, as it can execute arbitrary code during the deserialization process. A remote attacker can exploit this by providing a maliciously crafted pickle file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

Affected products

snorkel — snorkel

Does this affect you?

Add your gear to cvedb and we'll alert you only when snorkel ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.