CVE-2026-31217
CriticalSummary
The _load_model() function in the neural_magic_training.py script of the optimate project allows arbitrary code execution. A user can supply a directory path via the --model command-line argument, which allows reading and executing the module.py file from that directory without validating its content.
Risk Assessment
An attacker controlling the input directory can execute arbitrary Python code in the context of the process running the script, posing a serious security risk to the system.
Recommendation
It is recommended to implement validation and sanitization of the file content before execution to prevent unauthorized code execution.
Original NVD description (English source)
The _load_model() function in the neural_magic_training.py script of the optimate project in commit a6d302f912b481c94370811af6b11402f51d377f (2024-07-21) allows arbitrary code execution. When a user supplies a directory path via the --model command-line argument, the function reads a module.py file from that directory and executes its contents directly using Python's exec() function. This design does not validate or sanitize the file's content, allowing an attacker who controls the input directory to execute arbitrary Python code in the context of the process running the script.

