CVE-2026-21851

Опубликовано: 07 янв. 2026

Источник: nvd

CVSS3: 5.3

EPSS Низкий

Описание

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's _download_from_ngc_private() function. The function uses zipfile.ZipFile.extractall() without path validation, while other similar download functions in the same codebase properly use the existing safe_extract_member() function. Commit 4014c8475626f20f158921ae0cf98ed259ae4d59 fixes this issue.

Ссылки

https://github.com/Project-MONAI/MONAI/commit/4014c8475626f20f158921ae0cf98ed259ae4d59
Patch
https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-9rg3-9pvr-6p27
Exploit
Vendor Advisory
Mitigation
https://github.com/Project-MONAI/MONAI/security/advisories/GHSA-9rg3-9pvr-6p27
Exploit
Vendor Advisory
Mitigation

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:project-monai:monai:*:*:*:*:*:*:*:*

Версия до 1.5.1 (включая)

EPSS

Процентиль: 11%

0.00039

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-22

Связанные уязвимости

GHSA-9rg3-9pvr-6p27