CVE-2026-31230 · CRITICAL 9.8 · EPSS p38.6%

Description

The Adversarial Robustness Toolbox (ART) through 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component (robustness_evaluation_fgsm_pytorch.py). The script uses the unsafe eval() function to parse the string values supplied via the --clip_values and --input_shape command-line arguments. An attacker can therefore inject arbitrary Python code into these arguments, and it is executed when eval() is called. The vulnerability can be exploited remotely if an attacker can control these arguments (e.g., through pipeline configuration or automated scripts), leading to arbitrary code execution on the system running the ART evaluation.
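One way to parse these two arguments without eval(), as an added example that is not ART's code or its fix. The function names, the dimension limit and the sample inputs are assumptions made for illustration.

```python
import argparse
import ast
import math

# Pattern described in the advisory (not copied from the ART source):
#   clip_values = eval(args.clip_values)   # evaluates any Python expression
# ast.literal_eval() accepts only literals (numbers, tuples, lists, ...), so
# function calls, names and attribute access raise instead of executing.


def _literal(text):
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise argparse.ArgumentTypeError(f"not a Python literal: {text!r}") from exc


def _is_number(v):
    # bool is a subclass of int, so exclude it explicitly
    return isinstance(v, (int, float)) and not isinstance(v, bool) and math.isfinite(v)


def parse_clip_values(text):
    """Accept exactly two finite numbers (min, max) with min <= max."""
    value = _literal(text)
    if (not isinstance(value, (tuple, list)) or len(value) != 2
            or not all(_is_number(v) for v in value) or value[0] > value[1]):
        raise argparse.ArgumentTypeError("clip_values must look like (0, 1)")
    return (float(value[0]), float(value[1]))


def parse_input_shape(text, max_dims=8):  # max_dims is an assumed sanity limit
    """Accept a short sequence of positive integers, e.g. (1, 28, 28)."""
    value = _literal(text)
    if (not isinstance(value, (tuple, list)) or not 1 <= len(value) <= max_dims
            or not all(isinstance(d, int) and not isinstance(d, bool) and d > 0
                       for d in value)):
        raise argparse.ArgumentTypeError("input_shape must look like (1, 28, 28)")
    return tuple(value)


def build_parser():
    # Validation runs inside argparse, before any evaluation code sees the values.
    parser = argparse.ArgumentParser()
    parser.add_argument("--clip_values", type=parse_clip_values, default=(0.0, 1.0))
    parser.add_argument("--input_shape", type=parse_input_shape, default=(1, 28, 28))
    return parser


if __name__ == "__main__":
    print(build_parser().parse_args())
```

Type and range checks still matter after literal_eval(), because a syntactically valid literal such as a string or a three-element tuple is not a usable clip range or shape.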

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.50% probability of exploitation · percentile 38.6% · 2026-06-19T12:03:05Z
Published: 2026-05-12
Last modified: 2026-05-13

Underlying weaknesses · 1

CWE-88

References

  1. https://github.com/Trusted-AI/adversarial-robustness-toolbox
  2. https://www.notion.so/CVE-2026-31230-35d1e13931888126b624d12769c0e040

Type: Weakness
Target: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (cwe-88)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-31228
CVE-2026-31229
CVE-2026-38950
CVE-2026-31214
CVE-2026-25130
CVE-2025-14287

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.