Description
A vulnerability was detected in yzhao062 pyod 3.5.0/3.5.1/3.5.2. Affected is the function pyod.utils.persistence.load of the file pyod/utils/persistence.py. Performing a manipulation of the argument path results in deserialization. The attack can be initiated remotely. The pull request to fix this issue requires some minor changes.
Problem types
Product status
3.5.1
3.5.2
Timeline
| 2026-07-12: | Advisory disclosed |
| 2026-07-12: | VulDB entry created |
| 2026-07-12: | VulDB entry last update |
Credits
Dem0000000 (VulDB User)
VulDB CNA Team
References
github.com/yzhao062/pyod/issues/697
vuldb.com/vuln/377872 (VDB-377872 | yzhao062 pyod persistence.py pyod.utils.persistence.load deserialization)
vuldb.com/vuln/377872/cti (VDB-377872 | CTI Indicators (IOB, IOC, IOA))
vuldb.com/cve/CVE-2026-15529 (CVE-2026-15529 | CVE Analysis and Report)
vuldb.com/submit/854559 (Submit #854559 | Yue Zhao / yzhao062 pyod 3.5.0 through 3.5.2 CWE-502: Deserialization of Untrusted Data)
github.com/yzhao062/pyod/issues/697
github.com/yzhao062/pyod/pull/698
github.com/yzhao062/pyod/