PyTorch Lightning through 2.6.5, fixed in commit d710d68, contains a remote code execution vulnerability in the loadstate function that imports and executes attacker-controlled module names from checkpoint instantiator hyperparameters. Attackers can craft malicious checkpoint files that bypass weightsonly=True protections to execute arbitrary code when LightningModule.loadfromcheckpoint is called.
{
"cwe_ids": [
"CWE-470"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58659.json",
"cna_assigner": "VulnCheck"
}