What is CVE-2026-28500?

CVE-2026-28500 is a high-severity vulnerability in Onnx, classified under Insufficient Verification of Data Authenticity. CVSS score: 8.6/10. Published 2026-03-18.

How severe is CVE-2026-28500?

High severity. CVSS v3 base score is 8.6 out of 10.

Vulnerability in Onnx

CVE-2026-28500

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verifi…

EPSS: 0.000 (1.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.6 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N.

Affected products

Onnx — versions <= 1.20.1

Weakness classification (CWE)

References

https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m (x_refsource_CONFIRM)
https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-28500.md (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-28500?: CVE-2026-28500 is a high-severity vulnerability in Onnx, classified under Insufficient Verification of Data Authenticity. CVSS score: 8.6/10. Published 2026-03-18.
How severe is CVE-2026-28500?: High severity. CVSS v3 base score is 8.6 out of 10.