PT-2026-22151 · Flair · Flair
Esteban Tonglet
·
Published
2026-02-26
·
Updated
2026-03-03
·
CVE-2026-3071
CVSS v3.1
8.4
High
| Vector | AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Flair versions 0.4.1 through latest
Description
The deserialization of untrusted data in the
LanguageModel class can lead to arbitrary code execution when loading a malicious model.Recommendations
Versions prior to 0.4.1 are not affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
RCE
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Flair