Skip to main content

Ktransformers

1 CVEs product

Monthly

CVE-2026-26210 CRITICAL POC PATCH Act Now

KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can send a crafted pickle payload to the exposed ZMQ socket to execute arbitrary code on the server with the privileges of the ktransformers process.

Deserialization RCE Ktransformers
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads() without validation. Attackers can send a crafted pickle payload to the exposed ZMQ socket to execute arbitrary code on the server with the privileges of the ktransformers process.

Deserialization RCE Ktransformers
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy