{"data":{"id":"42516dd0-6388-46fb-aee5-8eba1901861a","title":"CVE-2026-31249: CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability","summary":"CosyVoice (a text-to-speech AI tool) has an insecure deserialization vulnerability in how it loads PyTorch model files (.pt files, machine learning data files containing voice embeddings and tokens). The tool loads these files with an unsafe method, so an attacker can execute arbitrary code (run any commands they want) on a victim's computer if the victim processes a directory containing a malicious .pt file.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-31249","publishedAt":"2026-05-11T17:16:19.820Z","cveId":"CVE-2026-31249","cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain","model_theft"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["CosyVoice"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-11T17:16:19.820Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"training_data","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}