CVE-2026-31217CRITICAL 9.8EPSS p34.0%

CVE-2026-31217CVE-2026-31217

Description

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) allows arbitrary code execution. When a user supplies a directory path via the --model command-line argument, the function reads a module.py file from that directory and executes its contents directly using Python's exec() function. This design does not validate or sanitize the file's content, allowing an attacker who controls the input directory to execute arbitrary Python code in the context of the process running the script.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.43% probability of exploitation · percentile 34.0% · 2026-06-19T12:03:05Z
Published2026-05-12
Last modified2026-05-26

Underlying weaknesses· 1

CWE-94

References

  1. https://github.com/nebuly-ai/optimate
  2. https://www.notion.so/CVE-2026-31217-35d1e13931888179ae40dea5258d2db9

1

TypeTargetConfidenceTier
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-31219
CVE
CVE-2026-31218
CVE
CVE-2026-31236
CVE
CVE-2025-1550
CVE
CVE-2026-31214
CVE
CVE-2026-38950
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.