HIGH
ESA
CVE published 2026-06-01
CVE-2026-38950
An unsafe deserialization vulnerability in ESA AnomalyMatch before version 1.3.1 allows local attackers to execute arbitrary code by supplying crafted PyTorch model checkpoint files. The affected software loads model files from session directories using torch.load() without restricting deserialization, enabling malicious object execution during model loading. The vulnerability requires local access and lo [truncated]
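Added example (not from the advisory and not AnomalyMatch code): what "restricting deserialization" means for a pickle-based checkpoint, shown with the standard library's `pickle` so it runs without PyTorch. The allow-list, the `CallOnLoad` stand-in and the sample data are constructed for illustration; in PyTorch the corresponding control is `torch.load(..., weights_only=True)`.

```python
import io
import pickle
import time
from collections import OrderedDict

# Assumption: the only global a plain state-dict-style checkpoint needs here.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(data: bytes):
    """Deserialize bytes while refusing any global outside the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class CallOnLoad:
    """Constructed stand-in for an untrusted object in a checkpoint.

    Its reduce hook tells the loader to call a function while loading;
    a harmless clock read is used here.
    """

    def __reduce__(self):
        return (time.time, ())


def sample_benign() -> bytes:
    # Constructed sample: container plus plain numbers, no other globals.
    return pickle.dumps(OrderedDict(weight=[0.1, 0.2], bias=[0.0]))


def sample_untrusted() -> bytes:
    # Constructed sample: a stream that names a callable to run on load.
    return pickle.dumps(CallOnLoad())


if __name__ == "__main__":
    print(safe_load(sample_benign()))
    print(type(pickle.loads(sample_untrusted())))  # unrestricted: call ran
    try:
        safe_load(sample_untrusted())
    except pickle.UnpicklingError as exc:
        print("rejected:", exc)
```

The unrestricted loader returns the result of the call named in the stream, while the restricted loader rejects the stream before anything is called.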