Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
CVE-2026-31235: imgaug library (0.4.0 and earlier) allows code execution via malicious data
CVE-2026-31235
GHSA-g82g-j283-hj97
Summary
The imgaug library has a security flaw that allows an attacker to run malicious code on your system if they can influence the data used by the library. This is particularly concerning if you're using imgaug in a shared environment where other people can send data to your system. To stay safe, update to the latest version of imgaug.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | imgaug | <= 0.4.0 |
Original title
imgaug contains an insecure deserialization vulnerability in BackgroundAugmenter class within multicore.py module
Original description
The imgaug library thru 0.4.0 contains an insecure deserialization vulnerability in its BackgroundAugmenter class within the multicore.py module. The class uses Python's pickle module to deserialize data received via a multiprocessing queue in the _augment_images_worker() method without any safety checks. An attacker who can influence the data placed into this queue (e.g., through social engineering, malicious input scripts, or a compromised shared queue) can provide a malicious pickle payload. When deserialized, this payload can execute arbitrary code in the context of the worker process, leading to remote or local code execution depending on the deployment scenario.
Vulnerability type
CWE-502
Deserialization of Untrusted Data
Published: 12 May 2026 · Updated: 28 May 2026 · First seen: 13 May 2026