Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/onnx@1.20.0rc1

Type pypi

Namespace

Name onnx

Version 1.20.0rc1

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.21.0

Latest_non_vulnerable_version 1.21.0

Affected_by_vulnerabilities

url VCID-5319-x8g7-qbew

vulnerability_id VCID-5319-x8g7-qbew

summary Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0, there is a symlink traversal vulnerability in external data loading allows reading files outside the model directory. This issue has been patched in version 1.21.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34447

reference_id

reference_type

scores

value	5e-05
scoring_system	epss
scoring_elements	0.00261
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34447

reference_url

https://github.com/onnx/onnx

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/onnx/onnx

reference_url

https://github.com/onnx/onnx/security/advisories/GHSA-p433-9wv8-28xj

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-01T19:14:28Z/

url

https://github.com/onnx/onnx/security/advisories/GHSA-p433-9wv8-28xj

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34447

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34447

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132608
reference_id	1132608
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132608

reference_url

https://github.com/advisories/GHSA-p433-9wv8-28xj

reference_id

GHSA-p433-9wv8-28xj

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-p433-9wv8-28xj

fixed_packages

url	pkg:pypi/onnx@1.21.0
purl	pkg:pypi/onnx@1.21.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/onnx@1.21.0

aliases CVE-2026-34447, GHSA-p433-9wv8-28xj, PYSEC-2026-104

risk_score 2.5

exploitability 0.5

weighted_severity 5.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5319-x8g7-qbew

url VCID-ssfy-y61v-mkfm

vulnerability_id VCID-ssfy-y61v-mkfm

summary Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28500.json

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-28500.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-28500

reference_id

reference_type

scores

value	0.00011
scoring_system	epss
scoring_elements	0.01552
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-28500

reference_url

https://github.com/onnx/onnx

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/onnx/onnx

reference_url

https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:08:46Z/

url

https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m

reference_url

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-28500.md

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-18T14:08:46Z/

url

https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-28500.md

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-28500

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-28500

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131209
reference_id	1131209
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1131209

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2448518
reference_id	2448518
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2448518

reference_url

https://github.com/advisories/GHSA-hqmj-h5c6-369m

reference_id

GHSA-hqmj-h5c6-369m

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hqmj-h5c6-369m

fixed_packages

url pkg:pypi/onnx@1.21.0rc1

purl pkg:pypi/onnx@1.21.0rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-5319-x8g7-qbew

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/onnx@1.21.0rc1

url	pkg:pypi/onnx@1.21.0
purl	pkg:pypi/onnx@1.21.0
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/onnx@1.21.0

aliases CVE-2026-28500, GHSA-hqmj-h5c6-369m, PYSEC-2026-103

risk_score 4.1

exploitability 0.5

weighted_severity 8.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ssfy-y61v-mkfm

Fixing_vulnerabilities

Risk_score 4.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/onnx@1.20.0rc1

Package Instance