CVE-2026-3071: Deserialization of untrusted data in the LanguageModel class of Flair from versions 0.4.1 to latest are vulnerable to ar
highvulnerability
security
Summary
CVE-2026-3071 is a vulnerability in Flair (a machine learning library) versions 0.4.1 and later that allows arbitrary code execution (running unauthorized commands on a system) when loading a malicious model file. The problem occurs because the LanguageModel class deserializes untrusted data (converts data from an external file without checking if it's safe), which can be exploited by attackers who provide specially crafted model files.
Vulnerability Details
CVSS Score
8.4(high)
EPSS (30-day exploit probability)
EPSS: 0.1%
Classification
Attack Type
Model Theft
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Affected Vendors
HuggingFace
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-3071
First tracked: February 26, 2026 at 11:07 AM
Classified by LLM (prompt v3) · confidence: 85%