CVE-2026-31220CRITICAL 9.8EPSS p45.5%

CVE-2026-31220CVE-2026-31220

Description

PySyft (Syft Datasite/Server) versions 0.9.5 and earlier are vulnerable to remote code execution due to insufficient validation and sandboxing of user-submitted code. The system allows low-privileged users to submit Python functions (via @sy.syft_function()) for remote execution on the server. While a code approval mechanism exists, the submitted code undergoes no security checks for dangerous operations (e.g., file access, command execution). Once approved, the code is executed within the server process using exec() and eval() functions without proper isolation. A remote attacker can leverage this to execute arbitrary Python code on the server, leading to complete compromise of the server environment.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.63% probability of exploitation · percentile 45.5% · 2026-06-18T12:00:27Z
Published2026-05-12
Last modified2026-05-15

Underlying weaknesses· 1

CWE-94

References

  1. https://github.com/OpenMined/PySyft
  2. https://www.notion.so/CVE-2026-31220-35d1e1393188814186b9e00114a8aba7

1

TypeTargetConfidenceTier
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-29902
CVE
CVE-2025-1302
CVE
CVE-2026-31231
CVE
SysAid Server Path Traversal Vulnerability
CVE
CVE-2026-30305
CVE
CVE-2025-41736
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.