CVE-2026-38950NVD

Description

An issue in ESA AnomalyMatch before 1.3.1 allow attackers to execute arbitrary code via crafted model checkpoint files. The affected components load model files from session directories using torch.load() with unrestricted deserialization.

Severity Level

HIGH (7.8)

Published Date

01/06/2026

Last Modified

01/06/2026

Exploitation Status

????

References

https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md
https://github.com/esa/AnomalyMatch/pull/9
https://imlabs.info/research/security_advisory_esa_anomaly_match_unsafe_deserialization_cve_2026_38950_ivan_markovic_052026.html