Symlink Vulnerability in Keras Affecting Multiple Python Versions
CVE-2026-12482

3.1LOW

Key Information:

Vendor

Keras-team

Vendor
CVE Published:
14 July 2026

What is CVE-2026-12482?

A vulnerability in Keras version 3.12.0 allows attackers to create malicious tar archives that bypass filtering mechanisms in file_utils.py. This security flaw exists due to insufficient validation of symlink entries, enabling attackers to conduct file read, file overwrite, or directory escape attacks. This issue notably affects Python versions 3.10 and 3.11, where the lack of protective measures against tar path traversal could lead to significant security breaches.

Affected Version(s)

keras-team/keras <= unspecified

References

CVSS V3.0

Score:
3.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.