CVE-2026-31230

CRITICAL EPSS 38.9%

Published May 12, 20261mo ago · Modified Jun 17, 20261w ago

9.8 CVSS 3.1

Critical

Published May 12, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a command-line argument injection vulnerability in its Kubeflow component (robustness_evaluation_fgsm_pytorch.py). The script uses the unsafe eval() function to parse string values provided via the --clip_values and --input_shape command-line arguments. This allows an attacker to inject arbitrary Python code into these arguments, which will be executed when eval() is called. The vulnerability can be exploited remotely if an attacker can control these arguments (e.g., through pipeline configuration or automated scripts), leading to arbitrary code execution on the system running the ART evaluation.

CVSS Details

Base Score

9.8

Exploitability

3.9

Impact

5.9

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

38.9% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-88

References 2

github.com https://github.com/Trusted-AI/adversarial-robustness-toolbox
notion.so https://www.notion.so/CVE-2026-31230-35d1e13931888126b624d12769c0e040

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.