VIR Vulnerability Intelligence Relay

CVE-2026-31217

critical
Published 2026-05-12 · Modified 2026-05-26
CVSS v3
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
VIR risk
9.8

Description

The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) allows arbitrary code execution. When a user supplies a directory path via the --model command-line argument, the function reads a module.py file from that directory and executes its contents directly using Python's exec() function. This design does not validate or sanitize the file's content, allowing an attacker who controls the input directory to execute arbitrary Python code in the context of the process running the script.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://www.notion.so/CVE-2026-31217-35d1e13931888179ae40dea5258d2db9

Application impact
VendorProductVersionsFixed
nebulyoptimate2024-07-21

References

CWEs

CWE-94

Verify integrity in audit chain (admin only). AS-IS.