CVE-2026-31226
Deferred Deferred - Pending Action
BaseFortify

Publication date: 2026-05-12

Last updated on: 2026-05-19

Assigner: MITRE

Description
The TinyZero project thru commit 6652a63c57fa7e5ccde3fc9c598c7176ff15b839 (2025-58-24) contains a critical command injection vulnerability (CWE-78) in its HDFS file operation utilities. The vulnerability arises from the unsafe construction and execution of shell commands via os.system() without proper input sanitization or escaping. User-controlled input (such as file paths) is directly interpolated into shell command strings using f-strings within the _copy() function. An attacker can inject arbitrary OS commands by supplying a specially crafted path parameter through the Hydra configuration framework. This leads to remote code execution with the privileges of the user running the TinyZero training process.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-19
Generated
2026-06-10
EPSS Evaluated
2026-06-08
NVD
CVE-2026-31226
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
AI Quick Actions have not been generated yet.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31226. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart