CVE-2026-12481: A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code execution due to improper handling of deser
Summary
A vulnerability in Keras (a machine learning library) version 3.14.0 allows attackers to run arbitrary code by exploiting how the Lambda layer deserializes data (converts stored data back into usable form). The bug occurs because the safety check treats an unset value the same as a deliberately disabled one, allowing malicious bytecode (low-level machine instructions) to execute when functions like `keras.layers.deserialize()` are called without proper safety protections.
Vulnerability Details
EPSS: 0.0%
July 3, 2026
Classification
Affected Vendors
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-12481
First tracked: July 4, 2026 at 02:02 AM
Classified by LLM (prompt v3) · confidence: 95%