CVE-2026-26210 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: April 23, 2026
KTransformers - Insecure Deserialization
Published: April 23, 2026 | Updated: April 23, 2026 | Remote Exploitable
Overview
KTransformers through 0.5.3 contains an insecure deserialization vulnerability caused by unvalidated use of pickle.loads() on the ZMQ ROUTER socket used by the balance_serve backend mode. A remote attacker can execute arbitrary code with the privileges of the ktransformers process. Exploitation requires access to the exposed ZMQ socket.
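As an added illustration (not KTransformers code and not the project's fix), the sketch below shows a receiver that refuses the global lookups which make pickle.loads() on network input dangerous, then validates the decoded message. The size limit, the field names "op" and "args", and all function names are assumptions made for this example.

```python
import io
import pickle
from collections import OrderedDict

MAX_FRAME = 1 << 20  # assumed upper bound for one control message


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    Resolving a callable by name is the step that turns pickle.loads() on
    untrusted bytes into code execution (CWE-502). With find_class() blocked,
    only built-in containers and scalars can be decoded.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def decode_frame(frame: bytes) -> dict:
    """Decode one frame from an untrusted peer (hypothetical message schema)."""
    if len(frame) > MAX_FRAME:
        raise ValueError("frame too large")
    try:
        msg = DataOnlyUnpickler(io.BytesIO(frame)).load()
    except Exception as exc:  # malformed streams raise several exception types
        raise ValueError(f"rejected frame: {exc}") from exc
    # Schema check: the keys "op" and "args" are assumptions for this example.
    if not isinstance(msg, dict) or set(msg) != {"op", "args"}:
        raise ValueError("unexpected message shape")
    if not isinstance(msg["op"], str) or not isinstance(msg["args"], list):
        raise ValueError("unexpected field types")
    return msg


def is_rejected(frame: bytes) -> bool:
    """Return True when decode_frame() refuses the frame."""
    try:
        decode_frame(frame)
    except ValueError:
        return True
    return False


# Constructed sample frames. The second is harmless, but decoding it needs a
# global lookup (collections.OrderedDict), which the restricted decoder blocks.
GOOD = pickle.dumps({"op": "status", "args": [1, 2]})
NEEDS_GLOBAL = pickle.dumps(OrderedDict(op="status", args=[]))
```

A data-only wire format such as JSON removes the pickle machinery from the untrusted path altogether, and neither approach replaces restricting who can reach the socket.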
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can execute arbitrary code on the server with the privileges of the ktransformers process, potentially leading to full system compromise.
Mitigation
Update to the latest version of KTransformers.
Details
- CVE ID: CVE-2026-26210
- Severity: Critical
- CVSS Score: 9.8
- Type: insecure_deserialization
- Status: new
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H