What is the CVSS score of CVE-2026-40086?

CVE-2026-40086 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-40086?

Yes, a patch is available for CVE-2026-40086. Update the affected software to the latest version immediately.

Rembg CVE-2026-40086

EUVD-2026-21492 MEDIUM

Path Traversal (CWE-22)

2026-04-10 GitHub_M

GHSA-3wqj-33cg-xc48

Path Traversal Rembg

5.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.3 MEDIUM

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Apr 11, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 10, 2026 - 16:30 euvd

EUVD-2026-21492

Analysis Generated

Apr 10, 2026 - 16:30 vuln.today

CVE Published

Apr 10, 2026 - 16:16 nvd

MEDIUM 5.3

DescriptionGitHub Advisory

Rembg is a tool to remove images background. Prior to 2.0.75, a path traversal vulnerability in the rembg HTTP server allows unauthenticated remote attackers to read arbitrary files from the server's filesystem. By sending a crafted request with a malicious model_path parameter, an attacker can force the server to attempt loading any file as an ONNX model, revealing file existence, permissions, and potentially file contents through error messages. This vulnerability is fixed in 2.0.75.

AnalysisAI

Unauthenticated remote attackers can exploit a path traversal vulnerability in rembg's HTTP server (versions prior to 2.0.75) by sending a crafted request with a malicious model_path parameter to read arbitrary files from the server filesystem. The vulnerability allows attackers to enumerate file existence and permissions, and potentially extract file contents through verbose error messages when the server attempts to load arbitrary paths as ONNX models. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents a medium-to-low real-world risk despite its moderate CVSS score of 5.3. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker discovers a rembg HTTP server instance exposed on the public internet. The attacker sends a crafted HTTP request with model_path set to a traversal sequence such as ../../../../etc/passwd, causing the server to attempt loading the system password file as an ONNX model. …
Remediation	Vendor-released patch: Upgrade rembg to version 2.0.75 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-40086 vulnerability details – vuln.today

Back

Rembg CVE-2026-40086

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Share

External POC / Exploit Code