Skip to main content

Self Rag

1 CVEs product

Monthly

CVE-2026-15535 LOW POC PATCH Monitor

Unsafe deserialization in AkariAsai self-rag's `Indexer.deserialize_from` function exposes any deployment that processes externally supplied FAISS index files to potential arbitrary code execution. The vulnerability resides in `retrieval_lm/src/index.py` and is triggered when the `index_meta.faiss` argument is manipulated with a crafted payload - a classic CWE-502 pattern where Python's serialization routines (typically pickle) blindly instantiate attacker-controlled objects. A publicly available proof-of-concept exists per GitHub issue #105, elevating the practical risk beyond the moderate CVSS 4.0 score of 5.3. No active exploitation has been confirmed by CISA KEV, and the project maintainer had not formally responded to the disclosure at time of reporting.

Deserialization Self Rag
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
EPSS 0% CVSS 2.1
LOW POC PATCH Monitor

Unsafe deserialization in AkariAsai self-rag's `Indexer.deserialize_from` function exposes any deployment that processes externally supplied FAISS index files to potential arbitrary code execution. The vulnerability resides in `retrieval_lm/src/index.py` and is triggered when the `index_meta.faiss` argument is manipulated with a crafted payload - a classic CWE-502 pattern where Python's serialization routines (typically pickle) blindly instantiate attacker-controlled objects. A publicly available proof-of-concept exists per GitHub issue #105, elevating the practical risk beyond the moderate CVSS 4.0 score of 5.3. No active exploitation has been confirmed by CISA KEV, and the project maintainer had not formally responded to the disclosure at time of reporting.

Deserialization Self Rag
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy