Home / Vulnerability Intelligence / CVE-2026-3071

CVE-2026-3071 - Vulnerability Analysis

HighCVSS: 8.4

Last Updated: February 27, 2026

Flair - Insecure Deserialization

Published: February 26, 2026Updated: February 27, 2026

Overview

Flair 0.4.1 to latest contains an insecure deserialization caused by loading malicious models in the LanguageModel class, letting attackers execute arbitrary code remotely, exploit requires loading a malicious model.

Severity & Score

Severity: High

CVSS Score: 8.4

EPSS Score: 5.6%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary code remotely by loading a malicious model, potentially compromising the system.

Mitigation

Update to the latest version with deserialization fixes.

References

https://www.hiddenlayer.com/sai-security-advisory/2026-02-flair

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 26, 2026

🟠 CVE-2026-3071 - High (8.4) Deserialization of untrusted data in the LanguageModel class of Flair from versions 0.4.1 to latest are vulnerable to arbitrary code execution when loading a malicious model. 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-3071/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-3071
Severity: High
CVSS Score: 8.4
Type: insecure_deserialization
Status: unconfirmed
EPSS: 5.6%
Social Posts: 1

CWE

CWE-502

CVSS Metrics

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

5.6%Probability of exploitation in the next 30 days