
CVE-2026-31223 - Vulnerability Analysis

High | CVSS: 8.8

Last Updated: May 13, 2026

snorkel - Insecure Deserialization

Published: May 12, 2026 | Updated: May 13, 2026 | Remote Exploitable

Overview

snorkel <= 0.10.0 contains an insecure deserialization vulnerability caused by unsafe use of pickle.load() in BaseLabeler.load(). A remote attacker can execute arbitrary code via a crafted pickle file. Exploitation requires the attacker to supply the malicious file.

Severity & Score

Severity: High
CVSS Score: 8.8

Impact

Remote attackers can execute arbitrary code on the victim system, potentially leading to full system compromise.

Mitigation

Update to the latest version of snorkel that fixes this vulnerability.
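
For code that has to read saved pickle files before it can be upgraded, one defensive pattern is to deserialize through an unpickler that resolves only allowlisted globals instead of calling pickle.load() directly. This is an added example, not snorkel's code or its fix; the allowlist contents, function names and sample files are constructed assumptions.

```python
import io
import pickle
from collections import OrderedDict
from fractions import Fraction

# Assumption: the only globals a trusted saved-state file needs.
# Hypothetical allowlist; add a type only after auditing it.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global: {module}.{name}")


def safe_load(data: bytes):
    """Deserialize bytes; only allowlisted globals are ever imported."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the file references something outside the allowlist."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


# Constructed samples. UNEXPECTED is a benign object standing in for any
# file whose pickle stream names a callable the loader did not expect.
PLAIN_STATE = pickle.dumps({"cardinality": 2, "weights": [0.7, 0.3]})
ORDERED_STATE = pickle.dumps(OrderedDict(a=1))
UNEXPECTED = pickle.dumps(Fraction(1, 3))

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN_STATE), ("ordered", ORDERED_STATE),
                        ("unexpected", UNEXPECTED)]:
        print(label, "rejected" if is_rejected(blob) else "loaded")
```

The allowlist only limits which globals are resolved, so it is only as safe as the types placed on it.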

Details

CVE ID: CVE-2026-31223
Severity: High
CVSS Score: 8.8
Type: insecure_deserialization
Status: confirmed

CWE

  • CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H