
Project-Monai Monai vulnerabilities

4 known vulnerabilities affecting project-monai/monai.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 1

Vulnerabilities

CVE-2025-58756 | P2 | HIGH | CVSS 8.8 | affected: ≤ 1.5.0 | published: 2025-09-09
CVE-2025-58756 [HIGH] CWE-502: MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in `model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)` in `monai/bundle/scripts.py`, `weights_only=True` is loaded securely. However, insecure loading methods still exist elsewhere in the project, su
CVE-2025-58755 | P3 | HIGH | CVSS 8.8 | affected: ≤ 1.5.0 | published: 2025-09-09
CVE-2025-58755 [HIGH] CWE-22: MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. The extractall function `zip_file.extractall(output_dir)` is used directly to process compressed files. It is used in many places in the project. In versions up to and including 1.5.0, when the Zip file containing malicious content is decompressed, it overwrites the system fi
CVE-2025-58757 | P3 | HIGH | CVSS 8.8 | affected: ≤ 1.5.0 | published: 2025-09-09
CVE-2025-58757 [HIGH] CWE-502: MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the `pickle_operations` function in `monai/data/utils.py` automatically handles dictionary key-value pairs ending with a specific suffix and deserializes them using `pickle.loads()`. This function also lacks any security measures. The d
CVE-2026-21851 | P4 | MEDIUM | CVSS 5.3 | affected: ≤ 1.5.1 | published: 2026-01-07
CVE-2026-21851 [MEDIUM] CWE-22: MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's `_download_from_ngc_private()` function. The function uses `zipfile.ZipFile.extractall()` without path validation, while other similar download functions in the same codebase p