Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 15 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | PyTorch Lightning through 2.6.5, fixed in commit d710d68, contains a remote code execution vulnerability in the _load_state function that imports and executes attacker-controlled module names from checkpoint _instantiator hyperparameters. Attackers can craft malicious checkpoint files that bypass weights_only=True protections to execute arbitrary code when LightningModule.load_from_checkpoint is called. | |
| Title | PyTorch Lightning Arbitrary Code Execution via _instantiator Hyperparameter | |
| First Time appeared |
Lightningai
Lightningai pytorch Lightning |
|
| Weaknesses | CWE-470 | |
| CPEs | cpe:2.3:a:lightningai:pytorch_lightning:*:*:*:*:*:python:*:* | |
| Vendors & Products |
Lightningai
Lightningai pytorch Lightning |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-15T17:02:40.640Z
Reserved: 2026-07-01T21:54:37.946Z
Link: CVE-2026-58659
No data.
No data.
No data.
OpenCVE Enrichment
No data.