Skip to main content

Pyod

1 CVEs product

Monthly

CVE-2026-15529 MEDIUM PATCH This Month

Unsafe deserialization in pyod 3.5.0-3.5.2 exposes the `pyod.utils.persistence.load` function to remote exploitation by authenticated low-privilege users who can manipulate the `path` argument. Rooted in CWE-502 (Deserialization of Untrusted Data), the flaw allows a crafted serialized payload supplied via the path parameter to be deserialized without adequate validation, potentially yielding code execution or data manipulation within the running process. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; an upstream fix is available as GitHub PR #698, though a formally versioned PyPI release incorporating the patch has not been independently confirmed.

Deserialization Pyod
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.3%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Unsafe deserialization in pyod 3.5.0-3.5.2 exposes the `pyod.utils.persistence.load` function to remote exploitation by authenticated low-privilege users who can manipulate the `path` argument. Rooted in CWE-502 (Deserialization of Untrusted Data), the flaw allows a crafted serialized payload supplied via the path parameter to be deserialized without adequate validation, potentially yielding code execution or data manipulation within the running process. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists; an upstream fix is available as GitHub PR #698, though a formally versioned PyPI release incorporating the patch has not been independently confirmed.

Deserialization Pyod
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy