CVE-2026-31223: The snorkel library thru v0.10.0 contains a critical insecure deserialization vulnerability (CWE-502) in the BaseLabeler
Summary
The snorkel library (a machine learning tool for data labeling), in versions up to 0.10.0, has a critical vulnerability in its BaseLabeler.load() method, which calls pickle.load() (a Python function that converts saved data back into usable objects) on user-supplied files without checking whether they are safe. An attacker can create a malicious file that executes harmful code on a victim's computer when the file is loaded.
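A defensive loading pattern for the flaw summarized above, as an added example that is not snorkel's code or part of the original advisory: a pickle.Unpickler subclass whose find_class rejects every global outside an allowlist. The helper name load_labeler_state, the empty allowlist and the dict-shaped saved state are assumptions made for illustration.

```python
import io
import pickle

# Assumption: globals a trusted labeler file legitimately needs. Empty here, so
# only built-in containers and scalars (dict, list, str, int, float) can load.
ALLOWED_GLOBALS = frozenset()


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses to import any global not explicitly allowed."""

    def __init__(self, file, allowed=ALLOWED_GLOBALS):
        super().__init__(file)
        self._allowed = allowed

    def find_class(self, module, name):
        # Called for every GLOBAL / STACK_GLOBAL opcode, i.e. every import
        # the pickle stream asks for. Anything off the allowlist is rejected.
        if (module, name) in self._allowed:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_labeler_state(data, allowed=ALLOWED_GLOBALS):
    """Hypothetical helper: load saved state, expected to be a plain dict."""
    state = AllowlistUnpickler(io.BytesIO(data), allowed).load()
    if not isinstance(state, dict):
        raise pickle.UnpicklingError("expected a dict of attributes")
    return state


# Constructed samples. The second only references the harmless built-in len,
# which is enough to show that any global lookup is stopped before it resolves.
DATA_ONLY = pickle.dumps({"cardinality": 2, "weights": [0.5, 0.5]})
WITH_GLOBAL = pickle.dumps({"cardinality": 2, "fn": len})

if __name__ == "__main__":
    print(load_labeler_state(DATA_ONLY))
    try:
        load_labeler_state(WITH_GLOBAL)
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

Restricting find_class narrows what a file can import but does not make pickle a safe format for untrusted input; storing the state in a data-only format avoids the problem.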
Vulnerability Details
EPSS: 0.0%
May 12, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-31223
First tracked: May 12, 2026 at 02:07 PM