LeakyCreds

CVE-2026-1462 - Vulnerability Analysis

High | CVSS: 8.8

Last Updated: April 13, 2026

Keras - Insecure Deserialization

Published: April 13, 2026 | Updated: April 13, 2026 | Remote Exploitable

Overview

Keras 3.13.0 contains an insecure deserialization vulnerability: during .keras model deserialization, TFSMLayer unconditionally loads external TensorFlow SavedModels. This lets attackers execute arbitrary code during model inference. Exploitation requires the victim to load an attacker-controlled model.

Severity & Score

Severity: High
CVSS Score: 8.8

Impact

Attackers can execute arbitrary code during model inference with the victim's privileges, potentially compromising the system.

Mitigation

Update to the latest version of Keras where this issue is fixed.

Details

CVE ID: CVE-2026-1462
Severity: High
CVSS Score: 8.8
Type: insecure_deserialization
Status: new

CWE

  • CWE-502

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H