CVE-2026-31226 · CRITICAL 9.8 · EPSS percentile 63.0%

CVE-2026-31226

Description

The TinyZero project through commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839 (2025-58-24) contains a critical OS command injection vulnerability (CWE-78) in its HDFS file operation utilities. The `_copy()` function interpolates user-controlled input (such as file paths) directly into a shell command string with an f-string and executes it via os.system(), with no input validation, quoting, or escaping. An attacker who can supply a specially crafted path parameter, for example through the Hydra configuration framework used to configure training runs, can inject arbitrary OS commands. The result is remote code execution with the privileges of the user running the TinyZero training process.
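The following is an added illustration of the bug class described above, not TinyZero's own code and not its `_copy()` implementation. It reconstructs the pattern the advisory names (caller-controlled paths f-string-interpolated into a shell command) next to a hardened version, and runs offline by substituting `echo` for the HDFS binary (an assumption, so that whatever reaches the "binary" is printed back instead of executed). The path allow-list regex, the function names, and the `; echo INJECTED` payload are constructed for this example.

```python
import re
import subprocess
from typing import List

# Assumption: "echo" stands in for the real hdfs binary so the example runs
# offline. Echo prints back exactly the arguments it receives, which makes an
# injected command visible without running anything harmful.
HDFS_BIN = "echo"

# Hypothetical allow-list for HDFS paths: optional hdfs://host prefix followed
# by one or more "/segment" components drawn from a conservative character set.
# Spaces, ';', '|', '&', '$', '`', quotes and a leading '-' are all rejected,
# so neither shell metacharacters nor option injection ("-rm ...") get through.
_SAFE_HDFS_PATH = re.compile(r"^(hdfs://[A-Za-z0-9._-]+)?(/[A-Za-z0-9._-]+)+/?$")


def is_safe_hdfs_path(path: str) -> bool:
    """Return True only for paths that match the allow-list above."""
    return bool(_SAFE_HDFS_PATH.fullmatch(path))


def build_vulnerable_command(src: str, dst: str, hdfs_bin: str = HDFS_BIN) -> str:
    """Build the shell string the way the advisory describes: caller-controlled
    paths dropped straight into an f-string with no quoting."""
    return f"{hdfs_bin} dfs -cp {src} {dst}"


def copy_vulnerable(src: str, dst: str, hdfs_bin: str = HDFS_BIN) -> List[str]:
    """Vulnerable pattern. The advisory names os.system(); subprocess.run with
    shell=True goes through the same `/bin/sh -c` path and additionally lets us
    capture the output. Returns the lines the shell produced."""
    result = subprocess.run(
        build_vulnerable_command(src, dst, hdfs_bin),
        shell=True, capture_output=True, text=True,
    )
    return result.stdout.strip().splitlines()


def copy_hardened(src: str, dst: str, hdfs_bin: str = HDFS_BIN,
                  validate: bool = True) -> List[str]:
    """Hardened pattern: validate both paths against the allow-list, then pass
    an argv list with shell=False so each path is exactly one argument and no
    shell ever parses it. `validate=False` exists only to show that the argv
    form alone already stops the injection."""
    if validate:
        for p in (src, dst):
            if not is_safe_hdfs_path(p):
                raise ValueError(f"rejected HDFS path: {p!r}")
    result = subprocess.run(
        [hdfs_bin, "dfs", "-cp", src, dst],
        shell=False, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip().splitlines()


if __name__ == "__main__":
    benign = ("/data/in", "/data/out")
    hostile = ("/data/in; echo INJECTED", "/data/out")  # constructed payload
    print("vulnerable, benign :", copy_vulnerable(*benign))
    print("vulnerable, hostile:", copy_vulnerable(*hostile))   # second command runs
    print("hardened, benign   :", copy_hardened(*benign))
    print("argv-only, hostile :", copy_hardened(*hostile, validate=False))  # one argument
    try:
        copy_hardened(*hostile)
    except ValueError as exc:
        print("hardened, hostile  : rejected ->", exc)
```

With the hostile path, the vulnerable version yields two output lines because `/bin/sh` splits the string at `;` and runs `echo INJECTED /data/out` as a second command; the argv version yields one line containing the literal `;`, because the path never reaches a shell. The allow-list is the second layer: it rejects the value before any process is started, which is the check to put at the Hydra config boundary rather than deep inside the copy helper.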

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.16% probability of exploitation · percentile 63.0% · 2026-06-18T12:00:27Z
Published: 2026-05-12
Last modified: 2026-05-19

Underlying weaknesses (1)

CWE-78

References

  1. https://github.com/Jiayi-Pan/TinyZero
  2. https://www.notion.so/CVE-2026-31226-35d1e139318881d19af5d63095c74579

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), cwe-78 | 0% | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-23654
CVE: CVE-2026-31236
CVE: CVE-2026-3960
CVE: CVE-2025-6507
CVE: CVE-2026-0768
CVE: CVE-2026-33588
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.