CVE-2026-5473

Source
https://cve.org/CVERecord?id=CVE-2026-5473
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5473.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-5473
Published
2026-04-03T16:30:13.683Z
Modified
2026-07-08T08:13:46.210109443Z
Severity
  • 1.1 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
NASA cFS Pickle pickle.load deserialization
Details

A vulnerability has been found in NASA cFS up to 7.0.0. The impacted element is the function pickle.load of the component Pickle Module. Such manipulation leads to deserialization. The attack needs to be performed locally. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5473.json",
    "cna_assigner": "VulDB",
    "cwe_ids": [
        "CWE-20",
        "CWE-502"
    ]
}
References

Affected packages

Git / github.com/nasa/cfe

Affected ranges

Type
GIT
Repo
https://github.com/nasa/cfe
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "cpe": "cpe:2.3:a:nasa:core_flight_system:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.0.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/nasa/cfs
Events
Database specific
{
    "cpe": "cpe:2.3:a:nasa:core_flight_system:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "7.0"
        },
        {
            "last_affected": "7.0"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "7.0.0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}

Affected versions

6.*
6.7.0-bv
6.7.3-bv
7.*
7.0
Other
draco-rc1
draco-rc2
draco-rc3
draco-rc4
draco-rc5
equuleus-rc1
v6.*
v6.5.0a
v6.6.0a
v6.8.0-rc1
v6.8.0-rc1+dev393
v7.*
v7.0.0
v7.0.0-multitarget-demo
v7.0.0-rc1
v7.0.0-rc2
v7.0.0-rc3
v7.0.0-rc4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5473.json"