{"data":{"id":"7edabf7e-8978-4169-962f-d155601b0874","title":"GHSA-ghq9-vc6f-8qjf: TorchGeo Remote Code Execution Vulnerability","summary":"TorchGeo versions 0.4–0.6.0 had a critical vulnerability where the `eval` function (a Python function that executes code from text input) was used in the model weight API, allowing attackers to run arbitrary commands on systems using the library. Any platform exposing TorchGeo's get_weight() or trainers functions publicly was at risk.","solution":"The `eval` call was replaced with a fixed enum lookup (a safer way to match input to predefined options). Users are encouraged to upgrade to TorchGeo 0.6.1 or newer. For unpatched versions, input validation and sanitization (checking and cleaning user input before processing, ideally by matching it against a fixed allowlist of known weight names rather than relying on character filtering alone) can be used to avoid the vulnerability.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-ghq9-vc6f-8qjf","publishedAt":"2026-04-01T00:03:56.000Z","cveId":"CVE-2024-49048","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["torchgeo@>= 0.4, <= 0.6.0 (fixed: 0.6.1)"],"affectedVendors":["Microsoft"],"affectedVendorsRaw":["TorchGeo","Microsoft"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.005,"patchAvailable":true,"disclosureDate":"2026-04-01T00:03:56.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0010"]}}