{"data":{"id":"be911a1b-4345-4f64-8c7f-1cd667971b0d","title":"CVE-2026-31224: The snorkel library through v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the MultitaskClassifier","summary":"Versions of the snorkel library (a tool for machine learning data labeling) through 0.10.0 have a security flaw in the MultitaskClassifier.load() method that allows arbitrary code execution (running any commands an attacker wants on your computer). The problem occurs because the method calls torch.load() without the weights_only=True security setting, so loading a model file that an attacker provides can deserialize (reconstruct) malicious Python objects.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-31224","publishedAt":"2026-05-12T16:16:14.327Z","cveId":"CVE-2026-31224","cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Snorkel AI","snorkel library"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-12T16:16:14.327Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"model","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}