PT-2026-40056 · Nebuly · Optimate

Published: 2026-05-12 · Updated: 2026-05-26 · CVE-2026-31217

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: optimate versions prior to commit a6d302f912b481c94370811af6b11402f51d377f

Description: The load model() function in the neural magic training.py script allows arbitrary code execution. When a directory path is supplied via the --model command-line argument, the function reads a module.py file from that directory and executes its contents using the exec() function. Because the content of the file is not validated or sanitized, an attacker who controls the input directory can execute arbitrary Python code within the process context.

Recommendations: Update to a version of optimate released after commit a6d302f912b481c94370811af6b11402f51d377f. As a temporary workaround, avoid providing untrusted directory paths to the --model command-line argument.
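
One way to enforce the workaround before a directory ever reaches --model, as an added example that is not Optimate's code and not the upstream fix. The names vet_model_dir, UntrustedModelDir, trusted_root and pinned_sha256 are assumptions of this sketch: an operator-controlled directory and a digest of module.py recorded when the model was exported.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


class UntrustedModelDir(Exception):
    """Raised when a --model directory fails the pre-exec checks."""


def vet_model_dir(model_dir, trusted_root, pinned_sha256):
    """Return the path of module.py only if it may be handed to the loader."""
    # Assumptions: trusted_root is writable only by the operator, and
    # pinned_sha256 was recorded from module.py at export time.
    root = Path(trusted_root).resolve()
    module = (Path(model_dir) / "module.py").resolve()  # follows symlinks
    if root not in module.parents:
        raise UntrustedModelDir(f"{module} is outside {root}")
    if not module.is_file():
        raise UntrustedModelDir(f"{module} is missing")
    digest = hashlib.sha256(module.read_bytes()).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        raise UntrustedModelDir(f"{module} does not match the pinned digest")
    return module


def demo():
    """Run the check over constructed sample directories; return the verdicts."""
    source = b"class Net:\n    pass\n"  # constructed stand-in for module.py
    pin = hashlib.sha256(source).hexdigest()
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "models"
        cases = {
            "pinned": (root / "good", source),
            "tampered": (root / "edited", source + b"import os\n"),
            "outside_root": (Path(tmp) / "downloads", source),
        }
        for name, (directory, content) in cases.items():
            directory.mkdir(parents=True)
            (directory / "module.py").write_bytes(content)
            try:
                vet_model_dir(directory, root, pin)
                verdicts[name] = "accepted"
            except UntrustedModelDir:
                verdicts[name] = "rejected"
    return verdicts
```

The check only limits which module.py can reach exec(); it does not make executing the file's contents safe, so updating past the fixed commit remains the actual remedy.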

Fix

Code Injection

Weakness Enumeration

Related Identifiers: CVE-2026-31217

Affected Products: Optimate