CVE-2026-25873
OmniGen2-RL contains an unauthenticated remote code execution vulnerability in the reward server component that allows remote attackers to execute arbitrary commands by sending malicious HTTP POST requests. Attackers can exploit insecure pickle deserialization of request bodies to achieve code execution on the host system running the exposed service.
Vendor
-
Product
-
CWE
Publication Date
2026-03-18 21:16:25
Last Updated
2026-03-19 13:25:00
Source Identifier
disclosure@vulncheck.com
KEV Date Added
-
Categories
References
https://arxiv.org/abs/2506.18871
https://chocapikk.com/posts/2026/omnigen2-pickle-rce/
https://github.com/VectorSpaceLab/OmniGen2/blob/3a13017e532f9f309a38bca571fd62200a6415c5/OmniGen2-RL/reward_server/reward_proxy.py#L208
https://github.com/VectorSpaceLab/OmniGen2/blob/3a13017e532f9f309a38bca571fd62200a6415c5/OmniGen2-RL/reward_server/reward_proxy.py#L224
https://github.com/VectorSpaceLab/OmniGen2/blob/3a13017e532f9f309a38bca571fd62200a6415c5/OmniGen2-RL/reward_server/reward_server.py#L118
https://github.com/VectorSpaceLab/OmniGen2/pull/139
https://www.vulncheck.com/advisories/omnigen2-rl-reward-server-unsafe-deserialization-rce