CVE-2026-31222: The snorkel library thru v0.10.0 contains an insecure deserialization vulnerability (CWE-502) in the Trainer.load() meth
Summary
The snorkel library up to version 0.10.0 has a vulnerability in its Trainer.load() method that unsafely deserializes (converts saved data back into objects) model files using torch.load() without security protections. An attacker can craft a malicious model file that executes arbitrary code (RCE, remote code execution) when a user loads it with this method.
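One defensive check for the issue summarized above, as an added example (not code from snorkel, PyTorch or NVD): it lists the globals that the pickle inside a zip-format checkpoint would import, without loading it, and flags any outside an allowlist. The allowlist, the function names and both sample archives are constructed assumptions. An audit like this complements, and does not replace, loading with torch.load()'s weights_only=True option.

```python
import io
import pickle
import pickletools
import zipfile
from collections import OrderedDict

# Assumed allowlist of top-level modules a plain weights file may import (tune per project).
ALLOWED_ROOTS = {"collections", "torch", "numpy"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}

def pickle_globals(data):
    """List every 'module.name' a pickle stream would import, without executing it."""
    found, prev = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            found.add(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":
            # Module and name are the two preceding string pushes; otherwise fail closed.
            ok = len(prev) == 2 and all(isinstance(p, str) for p in prev)
            found.add(".".join(prev) if ok else "<unresolved>")
        if op.name != "MEMOIZE":  # MEMOIZE pushes nothing onto the stack
            prev = (prev + [arg if op.name in STRING_OPS else None])[-2:]
    return found

def audit_checkpoint(blob):
    """Return the disallowed imports found in a zip-format checkpoint's .pkl members."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        raise ValueError("not a zip-format checkpoint; refuse to load")
    bad = set()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for member in zf.namelist():
            if member.endswith(".pkl"):
                names = pickle_globals(zf.read(member))
                bad |= {n for n in names if n.split(".")[0] not in ALLOWED_ROOTS}
    return sorted(bad)

def make_sample(obj):
    """Constructed sample: wrap one pickle in an archive laid out like a checkpoint."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", pickle.dumps(obj, protocol=4))
    return buf.getvalue()

CLEAN = make_sample({"state": OrderedDict(w=[0.1, 0.2])})
SUSPECT = make_sample({"state": print})  # harmless reference to a non-allowlisted global

if __name__ == "__main__":
    print(audit_checkpoint(CLEAN), audit_checkpoint(SUSPECT))
```

An empty result means every import resolved to an allowlisted module; any entry, including `<unresolved>`, is a reason to reject the file before it reaches a loader.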
Vulnerability Details
EPSS: 0.0%
May 12, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-31222
First tracked: May 12, 2026 at 02:07 PM