PYSEC-2026-507

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pytorch-lightning/PYSEC-2026-507.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-507
Aliases
Published
2026-06-29T11:50:34.262484Z
Modified
2026-06-29T12:15:38.821502583Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
PyTorch Lightning path traversal vulnerability
Details

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the LightningApp when running on a Windows host. The vulnerability occurs at the /api/v1/upload_file/ endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.

References

Affected packages

PyPI / pytorch-lightning

Package

Name
pytorch-lightning
View open source insights on deps.dev
Purl
pkg:pypi/pytorch-lightning

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.4.0

Affected versions

0.*
0.0.2
0.2
0.2.2
0.2.3
0.2.4
0.2.4.1
0.2.5
0.2.5.1
0.2.5.2
0.2.6
0.3
0.3.1
0.3.2
0.3.3
0.3.4
0.3.4.1
0.3.5
0.3.6
0.3.6.1
0.3.6.3
0.3.6.4
0.3.6.5
0.3.6.6
0.3.6.7
0.3.6.8
0.3.6.9
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.5.0
0.5.1
0.5.1.2
0.5.1.3
0.5.2
0.5.2.1
0.5.3
0.5.3.1
0.5.3.2
0.5.3.3
0.6.0
0.7.1
0.7.3
0.7.5
0.7.6
0.8.1
0.8.3
0.8.4
0.8.5
0.9.0
0.10.0
1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.2.0rc0
1.2.0rc1
1.2.0rc2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.3.0rc1
1.3.0rc2
1.3.0rc3
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.7.post0
1.3.8
1.4.0rc0
1.4.0rc1
1.4.0rc2
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.5.0rc0
1.5.0rc1
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10
1.5.10.post0
1.6.0rc0
1.6.0rc1
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.5.post0
1.7.0rc0
1.7.0rc1
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.8.0rc0
1.8.0rc1
1.8.0rc2
1.8.0
1.8.0.post1
1.8.1
1.8.2
1.8.3
1.8.3.post0
1.8.3.post1
1.8.3.post2
1.8.4
1.8.4.post0
1.8.5
1.8.5.post0
1.8.6
1.9.0rc0
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
2.*
2.0.0rc0
2.0.0
2.0.1
2.0.1.post0
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.9.post0
2.1.0rc0
2.1.0rc1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0rc0
2.2.0
2.2.0.post0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.3.0
2.3.1
2.3.2
2.3.3

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pytorch-lightning/PYSEC-2026-507.yaml"