cvedb.io
CVE-2026-31224
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2026-05-12T16:16:14.327 · Last modified 2026-06-17T10:33:27.770

Summary

The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier.load() method of the MultitaskClassifier class. The method loads model weight files using torch.load() without enabling the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted model file, leading to arbitrary code execution on the victim's system when the file is loaded via the vulnerable method.

Affected products

snorkel — snorkel

Does this affect you?

Add your gear to cvedb and we'll alert you only when snorkel ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.