CVE-2026-3071 HIGH

CVE-2026-3071

Vendor Flair

Product Flair

Weakness CWE-502 · Unsafe deserialization

Published February 26, 2026

Last update February 27, 2026

View on NVD All CVEs

CVSS base score

8.4/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Deserialization of untrusted data in the LanguageModel class of Flair from versions 0.4.1 to latest are vulnerable to arbitrary code execution when loading a malicious model.

Key dates

02Disclosure timeline

February 26, 2026 CVE published

February 27, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-3071

Related vulnerabilities

04Related CVE

CVE-2025-9571 Arbitrary Code Execution in Google Cloud Data Fusion via Malicious Artifact Upload CVE-2024-4371 CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More <= 4.4.1 - Unauthenticated PHP Object Injection CVE-2025-55136 CVE-2021-33175 CVE-2021-44228 Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints