{"data":{"id":"fdb5cfed-0332-4f2f-91e0-d7c28e55caa8","title":"CVE-2026-38950: An issue in ESA AnomalyMatch before 1.3.1 allows attackers to execute arbitrary code via crafted model checkpoint files.","summary":"CVE-2026-38950 is a vulnerability in ESA AnomalyMatch before version 1.3.1 that allows attackers to run arbitrary code by supplying crafted model checkpoint files. The problem occurs because the software calls torch.load() with unrestricted deserialization (objects are rebuilt from the saved file with no limit on which types may be loaded), so code embedded in a crafted checkpoint can run when the file is loaded.","solution":"Update to ESA AnomalyMatch version 1.3.1 or later. Until the update is applied, load checkpoint files only from trusted sources.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-38950","publishedAt":"2026-06-01T17:16:59.257Z","cveId":"CVE-2026-38950","cweIds":["CWE-502"],"cvssScore":"7.8","cvssSeverity":"high","severity":"high","attackType":["model_theft","supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["ESA AnomalyMatch"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"local","attackComplexity":"low","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-06-01T17:16:59.257Z","capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"model","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0010"]}}