CVE-2026-12482: A vulnerability in keras-team/keras version 3.12.0 allows an attacker to craft a malicious tar archive that bypasses the
Summary
Keras version 3.12.0 has a vulnerability where an attacker can create a specially crafted tar archive (a compressed file format) that gets extracted in unintended locations. The problem is that symlinks (shortcuts that point to other files or directories) bypass safety checks that regular files must pass, allowing attackers to read files, overwrite files, or escape the intended extraction directory. This is especially dangerous on Python 3.10 and 3.11.
Vulnerability Details
EPSS: 0.0%
July 14, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-12482
First tracked: July 14, 2026 at 08:08 AM
Classified by LLM (prompt v3) · confidence: 92%