Advisories for Pypi/Pytorch-Lightning package

Security Advisory: Compromise of PyTorch Lightning PyPI Package Versions Published: 2026-04-30 Last Updated: 2026-04-30 Lightning AI has identified a security incident affecting certain versions of a PyPI package. What happened Lightning AI has determined that one or more released versions of this package have been compromised and include malicious code. The current investigation indicates that the affected versions have introduced functionality consistent with a credential harvesting mechanism. There is a …

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the LightningApp when running on a Windows host. The vulnerability occurs at the /api/v1/upload_file/ endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.

A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the /api/v1/state endpoint of LightningApp. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down.

PyTorch Lightning version 1.5.10 and prior is vulnerable to code injection. An attacker could execute commands on the target OS running the operating system by setting the PL_TRAINER_GPUS when using the Trainer module. A patch is included in the 1.6.0 release.

pytorch-lightning is vulnerable to Deserialization of Untrusted Data.