
imgaug CVE-2026-31235

EUVD-2026-29558 · CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-05-12 · mitre · GHSA-g82g-j283-hj97
CVSS 3.1 base score: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

  • May 14, 2026 20:22 (vuln.today): Analysis Generated
  • May 14, 2026 20:22 (NVD): CVSS changed to 9.8 (CRITICAL)
  • May 12, 2026 00:00 (nvd): CVE Published, CRITICAL 9.8
  • May 12, 2026 00:00 (nvd): CVE Published, UNKNOWN (no severity yet)

Blast Radius

Ecosystem impact (transitive dependency graph, resolved by vuln.today to 4-path depth):
  • 234 pypi packages depend on imgaug (125 direct, 110 indirect)

Ecosystem-wide dependent count for version 0.4.0.

Description (NVD)

The imgaug library through version 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. The class uses Python's pickle module to deserialize data received via a multiprocessing queue in the _augment_images_worker() method without any safety checks. An attacker who can influence the data placed into this queue (e.g., through social engineering, malicious input scripts, or a compromised shared queue) can provide a malicious pickle payload. When deserialized, this payload can execute arbitrary code in the context of the worker process, leading to remote or local code execution depending on the deployment scenario.

Analysis (AI)

Arbitrary code execution in the imgaug library (versions through 0.4.0) occurs when the BackgroundAugmenter class deserializes malicious pickle payloads without validation in its multiprocessing worker method. Attackers who can influence queue data (through compromised shared queues, malicious input scripts, or social engineering) can achieve remote or local code execution depending on deployment context. …


Remediation (AI)

Within 24 hours: Identify all systems and applications using imgaug library versions 0.4.0 and earlier by scanning dependencies in Python environments, container registries, and development repositories. Within 7 days: Implement input validation and sandboxing for any imgaug BackgroundAugmenter usage; isolate affected systems from untrusted input sources and restrict network access to processing workers. …
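One way to apply the input-validation step above to the pickle-over-queue pattern the description identifies, as an added example that is not imgaug's own code: a restricted unpickler that refuses any global outside a small allow-list, followed by a shape check on the reconstructed batch. The allow-list, the batch layout and the sample payloads are constructed for this example; a real deployment would list exactly the types its augmentation batches carry.

```python
import io
import os
import pickle

# Constructed allow-list of (module, name) globals a worker batch may contain.
# Builtin containers and scalars use dedicated pickle opcodes, so this list is
# consulted only when a payload tries to reference a module-level object.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "bytes"), ("builtins", "bytearray"), ("builtins", "int"),
    ("builtins", "float"), ("builtins", "str"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that raises instead of importing an unlisted global."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def validate_batch(batch) -> bool:
    # Structural check run after deserialization: the constructed batch layout
    # is a dict with an int "batch_id" and a list of raw image byte buffers.
    return (isinstance(batch, dict)
            and isinstance(batch.get("batch_id"), int)
            and isinstance(batch.get("images"), list)
            and all(isinstance(img, bytes) for img in batch["images"]))


def load_worker_batch(data: bytes):
    """Drop-in for a bare pickle.loads() on queue data: returns the batch, or
    None when the payload references a disallowed global or fails the shape check."""
    try:
        batch = safe_loads(data)
    except pickle.UnpicklingError:
        return None
    return batch if validate_batch(batch) else None


# Constructed sample payloads.
GOOD_PAYLOAD = pickle.dumps({"batch_id": 7, "images": [b"\x00" * 16, b"\xff" * 16]})
# Well-formed pickle whose content does not match the expected batch layout.
MALFORMED_PAYLOAD = pickle.dumps({"batch_id": "seven", "images": []})
# A payload that merely references a function outside the allow-list (the
# harmless os.getcwd) is rejected before any object is reconstructed.
BAD_PAYLOAD = pickle.dumps(os.getcwd)

if __name__ == "__main__":
    print(load_worker_batch(GOOD_PAYLOAD))       # the batch dict
    print(load_worker_batch(MALFORMED_PAYLOAD))  # None
    print(load_worker_batch(BAD_PAYLOAD))        # None
```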


CVE-2026-31235 vulnerability details – vuln.today
