CVE-2026-38950: An issue in ESA AnomalyMatch before 1.3.1 allows attackers to execute arbitrary code via crafted model checkpoint files.
Summary
CVE-2026-38950 is a vulnerability in ESA AnomalyMatch before version 1.3.1 that allows attackers to run arbitrary code by uploading malicious model checkpoint files. The problem occurs because the software loads checkpoints with torch.load() using unrestricted pickle deserialization: the loader rebuilds the saved objects by following whatever import and constructor instructions the file contains, with no safety checks, so a crafted checkpoint can make it execute attacker-supplied code at load time.
Solution / Mitigation
Update to ESA AnomalyMatch version 1.3.1 or later.
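As an added defensive example (not AnomalyMatch's or PyTorch's own code), the kind of pre-load gate a practitioner puts in front of torch.load(): it decodes a checkpoint's pickle opcodes with pickletools, without unpickling anything, lists every global the stream would import, and rejects the file if any of them is outside an allowlist. PyTorch's own weights_only=True loader enforces the same allowlist idea at load time; the sample checkpoints below are constructed, and the torch.save zip layout (a data.pkl member) and the allowlist contents are assumptions.

```python
import io, pickle, pickletools, zipfile
from collections import OrderedDict

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING", "UNICODE",
               "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
_GET_OPS = {"GET", "BINGET", "LONG_BINGET"}   # memo look-ups that may re-push a string

def pickle_globals(data: bytes) -> set[str]:
    """'module.name' references found by decoding opcodes only; nothing is unpickled."""
    found, strings, memo, last = set(), [], {}, None
    for op, arg, _ in pickletools.genops(data):
        if op.name == "MEMOIZE":                            # protocol 4: memo[next] = top
            memo[len(memo)] = last
            continue
        if op.name in _STRING_OPS or op.name in _GET_OPS:   # a string reaches the stack
            strings.append(arg if op.name in _STRING_OPS else memo.get(arg))
        elif op.name == "GLOBAL":                           # protocols <= 3: "module name"
            found.add(arg.replace(" ", ".", 1))
        elif op.name == "STACK_GLOBAL":                     # protocol 4+: name, module on stack
            name = strings.pop() if strings else None
            module = strings.pop() if strings else None
            found.add(f"{module}.{name}" if module and name else "<unresolved>")
        last = strings[-1] if op.name in _STRING_OPS or op.name in _GET_OPS else None
    return found

def referenced_globals(blob: bytes) -> set[str]:
    """Raw pickle, or every *.pkl member of a zip archive (assumed torch.save layout)."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return pickle_globals(blob)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return set().union(*(pickle_globals(zf.read(n)) for n in zf.namelist() if n.endswith(".pkl")))

def is_safe_checkpoint(blob: bytes, allowlist: frozenset) -> tuple[bool, set[str]]:
    """Gate before torch.load(): reject any global outside the allowlist, or a bad stream."""
    try:
        extra = referenced_globals(blob) - allowlist
    except Exception:
        return False, {"<unparseable stream>"}
    return not extra, extra

# Constructed stand-ins for uploaded checkpoints (not real AnomalyMatch data).
SAMPLE_PLAIN = pickle.dumps({"weights": [0.1, 0.2]})       # no globals at all
SAMPLE_P4 = pickle.dumps(OrderedDict(a=1), protocol=4)     # STACK_GLOBAL path
SAMPLE_P3 = pickle.dumps(OrderedDict(a=1), protocol=3)     # GLOBAL path
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("archive/data.pkl", SAMPLE_P4)
SAMPLE_ZIP = _buf.getvalue()                                # torch.save-style archive
```

Derive the real allowlist from a known-good checkpoint produced by the same PyTorch version, and treat any new entry as a review item rather than adding it blindly.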
Vulnerability Details
CVSS Base Score: 7.8 (High)
EPSS: 0.0%
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Date: June 1, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-38950
First tracked: June 2, 2026 at 02:08 AM
Classified by LLM (prompt v3) · confidence: 85%