PyPI package
lightning
pkg:pypi/lightning
Malware
1 malicious version on record
One or more versions of this package have been flagged as containing malicious code. Audit any system that installed an affected version.
- MAL-2026-3201Malicious code in lightning (PyPI)Apr 30, 2026
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-5980 | — | < 2.3.3 | 2.3.3 | Jun 27, 2024 | A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitra | ||
| CVE-2024-5452 | — | < 2.3.3 | 2.3.3 | Jun 6, 2024 | A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify |
- CVE-2024-5980Jun 27, 2024affected < 2.3.3fixed 2.3.3
A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitra
- CVE-2024-5452Jun 6, 2024affected < 2.3.3fixed 2.3.3
A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify