CVE-2021-39207
8.4 HIGH
parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets
Published: 2021-09-10 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 8.4 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
- CWE: CWE-502 (Deserialization of Untrusted Data)
Affected products
| Vendor | Product |
|---|---|
| parlai | ParlAI |
Description
parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to a YAML deserialization attack caused by unsafe loading, which leads to arbitrary code execution. This security bug is patched by avoiding the unsafe loader; users should update to a version above v1.1.0. If upgrading is not possible, users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.
Source: NVD
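The following is an added example, not ParlAI's own code, that puts the unsafe-loader pattern described above beside the SafeLoader workaround the advisory recommends, and adds a small source-audit helper for finding remaining unsafe call sites. It assumes PyYAML is installed; the YAML documents, the sample source text and the helper names (`load_unsafe`, `load_safe`, `is_accepted_by_safe_loader`, `find_unsafe_yaml_loads`) are constructed for this example.

```python
# Added example for CVE-2021-39207 (CWE-502): unsafe PyYAML loading versus the
# SafeLoader workaround. Not code from the ParlAI project.
import re
import yaml

# Constructed sample: an ordinary configuration document made only of plain
# YAML types (strings, ints). Both loaders accept this.
BENIGN_YAML = """
model: transformer/generator
batchsize: 16
datapath: /tmp/parlai_data
"""

# Constructed sample: a document carrying a Python-specific tag. The full
# yaml.Loader resolves python/* tags into live Python objects, which is the
# class of behaviour behind the deserialization issue; SafeLoader refuses them.
TAGGED_YAML = "opts: !!python/tuple [1, 2]\n"


def load_unsafe(text):
    """The vulnerable pattern: the full Loader honours !!python/* tags."""
    return yaml.load(text, Loader=yaml.Loader)


def load_safe(text):
    """The advisory's workaround: SafeLoader only builds plain YAML types."""
    return yaml.load(text, Loader=yaml.SafeLoader)


def is_accepted_by_safe_loader(text):
    """True if the document parses under SafeLoader, False if it is rejected.

    ConstructorError (raised for unknown/python tags) is a yaml.YAMLError.
    """
    try:
        load_safe(text)
        return True
    except yaml.YAMLError:
        return False


# Audit helper: flag yaml.load( calls whose line does not name SafeLoader.
# A plain yaml.load with no Loader argument is flagged too, because older
# PyYAML releases defaulted it to the full loader. yaml.safe_load is fine.
_YAML_LOAD_CALL = re.compile(r"\byaml\.load\s*\(")


def find_unsafe_yaml_loads(source):
    """Return 1-based line numbers of yaml.load( calls not using SafeLoader."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if _YAML_LOAD_CALL.search(line) and "SafeLoader" not in line:
            hits.append(lineno)
    return hits


# Constructed sample source text for the audit helper (not real project code).
SAMPLE_SOURCE = """\
import yaml
cfg = yaml.load(open(path))                          # no Loader: unsafe on old PyYAML
cfg = yaml.load(open(path), Loader=yaml.Loader)      # full Loader: unsafe
cfg = yaml.load(open(path), Loader=yaml.SafeLoader)  # workaround from the advisory
cfg = yaml.safe_load(open(path))                     # equivalent safe form
"""


if __name__ == "__main__":
    print("SafeLoader on benign config:", load_safe(BENIGN_YAML))
    print("full Loader on tagged doc:  ", load_unsafe(TAGGED_YAML))
    print("SafeLoader accepts tagged doc:", is_accepted_by_safe_loader(TAGGED_YAML))
    print("unsafe yaml.load call sites:", find_unsafe_yaml_loads(SAMPLE_SOURCE))
```

Running the block shows the full Loader turning the tagged document into a Python tuple while SafeLoader rejects it, and the audit helper reporting lines 2 and 3 of the sample source as the call sites to change. The regex audit is a quick triage aid, not a substitute for reviewing each call site.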
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-39207)
- [Patch](https://github.com/facebookresearch/ParlAI/commit/4374fa2aba383db6526ab36e939eb1cf8ef99879)
- [Patch](https://github.com/facebookresearch/ParlAI/commit/507d066ef432ea27d3e201da08009872a2f37725)
- [Advisory](https://github.com/facebookresearch/ParlAI/security/advisories/GHSA-m87f-9fvv-2mgg)
Related CVEs (same CWE)
- CVE-2026-48775 — LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite) (6.8 MEDIUM)
- CVE-2026-10748 — An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating s...
- CVE-2026-24228 — NVIDIA NeMo Framework for Linux contains a vulnerability where an attacker may cause deserialization of untrusted data (7.8 HIGH)
- CVE-2026-48853 — Deserialization of Untrusted Data and Allocation of Resources Without Limits or Throttling vulnerabilities in elixir-grpc grpc allow unau...
- CVE-2026-9691 — Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions (9.8 CRITICAL)