PT-2026-26152 · Unknown · Omnigen2-Rl

Valentin Lobstein · Published 2026-03-18 · Updated 2026-03-19 · CVE-2026-25873

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

OmniGen2-RL (affected versions not specified)

Description

OmniGen2-RL contains an unauthenticated remote code execution issue in the reward server component. Remote attackers can execute arbitrary commands by sending malicious HTTP POST requests. The root cause is insecure deserialization of request bodies using Python’s pickle module. The vulnerability does not require authentication, simplifying exploitation. The specific HTTP endpoint involved has not been detailed.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2026-25873

Affected Products

Omnigen2-Rl