CVE-2026-34447

MEDIUM5.5EPSS 0.01%

ONNX: External Data Symlink Traversal

發布日:2026/4/1修改日:2026/5/20

描述

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

受影響套件(3)

Debian/onnxfrom 0
PyPI/onnxfrom 0, < 1.21.0
PyPI/onnxfrom 0, < 1.21.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-34447
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2026-34447
PATCHhttps://github.com/onnx/onnx
WEBhttps://github.com/onnx/onnx/security/advisories/GHSA-p433-9wv8-28xj