What is the CVSS score of CVE-2026-11816?

CVE-2026-11816 has a CVSS 3.0 base score of 8.1 (High). CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Keras are affected by CVE-2026-11816?

Keras versions prior to 3.14.0 contain a path traversal vulnerability allowing remote attackers to write arbitrary files outside the intended extraction directory when processing malicious model…. A patch is available.

How to fix or mitigate CVE-2026-11816?

Within 24 hours: Audit all systems running Keras to identify versions in use and which applications load model archives. Within 7 days: Deploy Keras 3.14.0 or later to staging environments and validate model loading workflows. Within 30 days: Complete production rollout across all systems and implement strict validation on external model sources.

Keras CVE-2026-11816

EUVD-2026-36244 HIGH

Path Traversal (CWE-22)

2026-06-11 security@huntr.dev

GHSA-hqp4-2352-xf5r

Path Traversal Python Docker

8.1

CVSS 3.0 · Vendor: huntr

Severity by source

Vendor (huntr) PRIMARY

8.1 HIGH

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

vuln.today AI

7.6 HIGH

Network-delivered malicious archive, no privileges, requires victim to load it (UI:R); arbitrary file write gives I:H, modest read/availability impact via overwriting configs and datasets.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (huntr).

CVSS VectorVendor: huntr

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

Jun 11, 2026 - 16:16 EUVD

Source Code Evidence Fetched

Jun 11, 2026 - 14:30 vuln.today

Analysis Generated

Jun 11, 2026 - 14:30 vuln.today

CVE Published

Jun 11, 2026 - 14:16 cve.org

HIGH 8.1

DescriptionCVE.org

Keras versions prior to 3.14.0 are vulnerable to a path traversal issue in the archive extraction utilities located in keras/src/utils/file_utils.py. The functions filter_safe_tarinfos() and filter_safe_zipinfos() validate archive member paths against the process current working directory (CWD) instead of the actual extraction destination. When the process runs with CWD set to /, which is common in Docker containers, CI/CD runners, and Jupyter environments, the validation boundary becomes the filesystem root, allowing traversal paths to bypass the security check. Additionally, the zip filter contains a bug that causes an AttributeError when a blocked entry is encountered, leading to incomplete extraction. Furthermore, Python 3.11 installations lack the filter="data" safety net, leaving them entirely reliant on the flawed CWD-based filter. Exploitation of this vulnerability can result in arbitrary file writes outside the intended extraction directory, enabling attackers to overwrite configuration files, inject malicious code, or corrupt machine learning datasets and pipelines.

Articles & Coverage 1

News 6 New Python Vulnerabilities - 1 Critical, 5 High, 3 With POC Jun 12, 2026

AnalysisAI

Path traversal in Keras archive extraction utilities prior to version 3.14.0 allows remote attackers to write files outside the intended extraction directory when a victim loads a malicious model archive. The flaw stems from validating archive member paths against the process current working directory rather than the actual extraction destination, which collapses to the filesystem root in common Docker, CI/CD, and Jupyter setups. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Host malicious .keras/.h5 archive

Delivery

Victim loads model in containerized pipeline

Exploit

CWD-based filter validates against `/`

Install

Traversal entries pass safety check

Files written outside extraction dir

Execute

Overwrite config or inject code

Impact

Pipeline executes attacker payload

Recon

Host malicious .keras/.h5 archive

Delivery

Victim loads model in containerized pipeline

Exploit

CWD-based filter validates against `/`

Install

Traversal entries pass safety check

Files written outside extraction dir

Execute

Overwrite config or inject code

Impact

Pipeline executes attacker payload

Vulnerability AssessmentAI

Exploitation	Victim must invoke Keras archive extraction (e.g., `load_model`) on an attacker-controlled archive - this is the UI:R requirement. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The provided CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, score 8.1) reasonably reflects that the attack requires a victim to load a malicious archive (UI:R) but otherwise needs no privileges. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker publishes a malicious Keras model file (a crafted zip/tar archive) on a model hub, Hugging Face mirror, or shared S3 bucket containing entries with `../../../` traversal sequences pointing to paths like `/root/.ssh/authorized_keys` or `/etc/cron.d/`. A data scientist or CI job calls `keras.models.load_model()` on the archive inside a Docker container running as root with CWD `/`, and the extraction silently writes the attacker's payload outside the intended directory. …
Remediation	Upgrade Keras to 3.14.0 or later, which reworks `filter_safe_zipinfos()` and `filter_safe_tarinfos()` to take the actual extraction `path` as `base_dir` (see commit 2465b6657b02c8eed308759b7e800e295ae01888); released patched version not independently confirmed beyond the description's '3.14.0' string, so verify the tagged release before pinning. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all systems running Keras to identify versions in use and which applications load model archives. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48039 CRITICAL Act Now POC

9.1 Jun 11

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac

CVE-2026-45833 CRITICAL Act Now

9.4 Jun 12

Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U

CVE-2026-48031 CRITICAL Act Now

9.1 Jun 10

Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) a

CVE-2026-11393 HIGH This Week

8.8 Jun 08

Remote code execution in AWS AgentCore CLI before v0.14.2 allows authenticated attackers to inject Python code via craft

CVE-2026-20251 HIGH This Week

8.8 Jun 10

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil

CVE-2026-11816 vulnerability details – vuln.today

Back