CVE-2026-31235CRITICAL 9.8EPSS p37.1%

CVE-2026-31235CVE-2026-31235

Description

The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. The class uses Python's pickle module to deserialize data received via a multiprocessing queue in the _augment_images_worker() method without any safety checks. An attacker who can influence the data placed into this queue (e.g., through social engineering, malicious input scripts, or a compromised shared queue) can provide a malicious pickle payload. When deserialized, this payload can execute arbitrary code in the context of the worker process, leading to remote or local code execution depending on the deployment scenario.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.47% probability of exploitation · percentile 37.1% · 2026-06-18T12:00:27Z
Published2026-05-12
Last modified2026-05-14

Underlying weaknesses· 1

CWE-502

References

  1. https://github.com/aleju/imgaug
  2. https://www.notion.so/CVE-2026-31235-35d1e139318881efb701d814228424a9

1

TypeTargetConfidenceTier
WeaknessDeserialization of Untrusted Datacwe-5020%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-3060
CVE
CVE-2026-3059
CVE
CVE-2026-26210
CVE
CVE-2026-31214
CVE
CVE-2026-31224
CVE
CVE-2025-33210
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.