repository icon
keras-team / keras Project repository

Deep Learning for humans

Submit a report

FIRST INTERACTION

WITHIN19 DAYS

REVIEW

WITHIN19 DAYS

FIX

WITHINN/A DAYS

Stored XSS in KerasFileEditor via Unsanitized HDF5 Dataset Names
pwnriad7
self closed
Arbitrary file write to RCE via symbolic-link directory traversal in keras.utils...
linziyuu
self closed
Pickle deserialization in KerasSaveable._unpickle_model() hardcodes safe_mode=Fa...
rajat4722
self closed
test
linziyuu
self closed
Arbitrary File Read via HDF5 model_config.json Path Traversal in Keras (CVE-2026...
clawdbartell-wq
not applicable
[RCE] Unsafe torch.load(weights_only=False) in Keras torch_utils.py
ngaturjiwo77-hue
self closed
test
nihcod
self closed
Unsafe Lambda Layer Deserialization in Keras (CVE-2025-9905)
quintessence-proof
spam
Arbitrary Code Execution via Attacker-Controlled `module` in `importlib.import_m...
microwaveovens-yay
self closed
RCE via marshal.loads in func_load when loading untrusted Keras models
galanzi2580-wq
self closed
PATH_TRAVERSAL in pip_build.py
muraveyapp
spam
INSECURE_DESER in python_utils.py
muraveyapp
spam
Export-time Allocation Denial of Service via Malicious input_signature in Keras
galanzi2580-wq
self closed
Deserialization Memory Bomb via __numpy__ and __tensor__ JSON Keys in serializat...
galanzi2580-wq
spam
Safe‑mode bypass in TorchModuleWrapper.from_config() allows unsafe torch.load()...
pwnriad7
self closed
INSECURE_DESER in python_utils.py
muraveyapp
spam
Arbitrary local-file disclosure via symlinks in the asset tree of keras.saving.l...
linziyuu
self closed
keras.saving.load_model('evil.keras'): zip-slip path traversal via startswith()...
l69d
duplicate
High
keras.saving.load_model() with Orbax checkpoint: arbitrary file write via unsani...
l69d
duplicate
High
Unauthenticated RCE and Path Traversal in Keras Model Deserialization
c4rbn
self closed
Incomplete patch for CVE-2025-12060/12638 — Path Traversal via prefix-collision...
coopershield
duplicate
Medium
Remote Code Execution (RCE) via Insecure Deserialization of Python Bytecode in K...
mr3l1k
spam
Path Traversal in Orbax Checkpoint Asset Loader Allows Arbitrary File Write (saf...
11x-x11
duplicate
High
Prefix-confusion in `is_path_in_dir` enables write-outside-extraction-directory...
jonathan-paparo
duplicate
Medium
Arbitrary Code Execution via marshal.loads() in func_load() when loading untrust...
jaydubya09
spam
Arbitrary File Write via Path Traversal in _extract_archive
h3gurdh-png
spam
Incomplete Fix CVE-2026-1669: Arbitrary File Read via HDF5 External Storage in l...
hi-im-glitchless
duplicate
Medium
Incomplete fix for CVE-2026-1669: legacy .h5 loader still permits HDF5 external-...
khanhdlq
duplicate
Medium
Zip-Slip in `extract_open_archive` — `startswith(base_dir)` prefix match accepts...
ibondarenko1
duplicate
High
Arbitrary file write via attacker-controlled keys in _write_nested_dict_to_dir d...
trapsafe
duplicate
High
Constrained Path Traversal in `keras.utils.get_file` Allows Cache Directory Pois...
jinyimeng01
informative
High
Incomplete Fix CVE-2026-1669 - Arbitrary File Read via HDF5 VDS External Links K...
9to5ai
self closed
Incomplete Fix CVE-2026-1669 - Arbitrary File Read via HDF5 VDS External Links K...
9to5ai
self closed
Incomplete Fix CVE-2026-1669 - Arbitrary File Read via HDF5 VDS External Links K...
9to5ai
self closed
Incomplete Fix CVE-2026-1669 - Arbitrary File Read via HDF5 VDS External Links K...
9to5ai
self closed
Incomplete Fix CVE-2026-1669 - Arbitrary File Read via HDF5 Virtual Datasets Ext...
9to5ai
self closed
Incomplete Fix CVE-2026-1669 - Arbitrary File Read via HDF5 VDS External Links K...
9to5ai
self closed
is_path_in_dir uses startswith instead of commonpath — sibling-prefix bypass all...
white-hat-lab
duplicate
High
Incomplete fix for CVE-2026-1669 in Keras 3.14.0: model.load_weights() still acc...
sark4
informative
Medium
test
sark4
self closed
filter_safe_tarinfos() startswith prefix check bypassable on Python < 3.12, enab...
shadowbyte1
duplicate
Medium
HDF5 external-storage datasets allow local file disclosure via legacy load route...
shadowbyte1
duplicate
Medium
Remote Code Execution via Insecure Marshal Deserialization in Keras Utility
finddabugs
not applicable
Arbitrary Code Execution via Insecure Deserialization of Lambda Layers in load_m...
finddabugs
duplicate
High
Incomplete Fix for CVE-2026-1669: Legacy H5 Format Path Missing External Storage...
toobunbo
duplicate
High
Keras tar extraction allows write outside current extraction directory(Tar-Slip)
asim-qazi
duplicate
High
Bypass of filter_safe_tarinfos via empty-name tar member in extract_open_archive
psdat123
duplicate
High