Skip to main content

Pytorch Lightning

7 CVEs product

Monthly

CVE-2026-58659 HIGH POC PATCH This Week

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious checkpoint file to execute arbitrary code. The flaw lives in the _load_state routine, which imports and calls the module path named in a checkpoint's _instantiator hyperparameter, letting a crafted .ckpt bypass torch's weights_only=True safeguard when LightningModule.load_from_checkpoint is invoked. Reported by VulnCheck, it is fixed in commit d710d68 (PR #21832) via an instantiator allowlist, and publicly available exploit code exists though it is not listed in CISA KEV.

Checkpoint RCE Pytorch Lightning
NVD GitHub
CVSS 4.0
8.4
CVE-2024-8020 PyPI HIGH POC This Week

A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Pytorch Lightning Pytorch AI / ML Red Hat
NVD
CVSS 3.0
7.5
EPSS
0.1%
CVE-2024-8019 PyPI CRITICAL POC PATCH Act Now

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Microsoft RCE File Upload Pytorch Lightning Windows +2
NVD GitHub
CVSS 3.1
9.1
EPSS
1.1%
CVE-2024-5980 PyPI CRITICAL POC PATCH MAL Act Now

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Pytorch Lightning
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2024-5452 PyPI CRITICAL POC PATCH THREAT MAL Act Now

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Pytorch Lightning
NVD GitHub
CVSS 3.1
9.8
EPSS
26.5%
CVE-2022-0845 PyPI CRITICAL POC PATCH Act Now

Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Pytorch Lightning
NVD GitHub
CVSS 3.1
9.8
EPSS
1.0%
CVE-2021-4118 PyPI HIGH POC PATCH This Week

pytorch-lightning is vulnerable to Deserialization of Untrusted Data. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Pytorch Lightning
NVD GitHub
CVSS 3.1
7.8
EPSS
1.0%
CVSS 8.4
HIGH POC PATCH This Week

Remote code execution in PyTorch Lightning through 2.6.5 allows an attacker who can get a victim to load a malicious checkpoint file to execute arbitrary code. The flaw lives in the _load_state routine, which imports and calls the module path named in a checkpoint's _instantiator hyperparameter, letting a crafted .ckpt bypass torch's weights_only=True safeguard when LightningModule.load_from_checkpoint is invoked. Reported by VulnCheck, it is fixed in commit d710d68 (PR #21832) via an instantiator allowlist, and publicly available exploit code exists though it is not listed in CISA KEV.

Checkpoint RCE Pytorch Lightning
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Pytorch Lightning Pytorch +2
NVD
EPSS 1% CVSS 9.1
CRITICAL POC PATCH Act Now

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Microsoft RCE File Upload +4
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Path Traversal Pytorch Lightning
NVD GitHub
EPSS 26% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Pytorch Lightning
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE Code Injection Pytorch Lightning
NVD GitHub
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

pytorch-lightning is vulnerable to Deserialization of Untrusted Data. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Deserialization Pytorch Lightning
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy