CVE-2026-21851

Date: January 7, 2026

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.1, a Path Traversal (Zip Slip) vulnerability exists in MONAI's "_download_from_ngc_private()" function. The function uses "zipfile.ZipFile.extractall()" without path validation, while other similar download functions in the same codebase properly use the existing "safe_extract_member()" function. Commit 4014c8475626f20f158921ae0cf98ed259ae4d59 fixes this issue.
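The per-member path validation that the description says was missing can be sketched as follows. This is an added example, not MONAI's code and not its "safe_extract_member()" implementation; `resolve_member`, `safe_extract_zip`, `build_sample_zip` and the archive contents are hypothetical names and constructed data.

```python
import io
import os
import tempfile
import zipfile


class UnsafeArchiveError(Exception):
    """Raised when an archive member would land outside the target directory."""


def resolve_member(dest_dir, member_name):
    """Return the absolute path a member would be written to, or raise."""
    base = os.path.realpath(dest_dir)
    # Treat backslashes as separators too, so "..\\x" is rejected like "../x".
    candidate = os.path.realpath(os.path.join(base, member_name.replace("\\", "/")))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeArchiveError(f"member escapes {base}: {member_name!r}")
    return candidate


def safe_extract_zip(archive, dest_dir):
    """Validate every member first, then extract; nothing is written on failure."""
    with zipfile.ZipFile(archive) as zf:
        names = zf.namelist()
        for name in names:
            resolve_member(dest_dir, name)  # raises before any file is written
        zf.extractall(dest_dir)
    return names


def build_sample_zip(member_names):
    """Constructed in-memory archive used only to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"sample")
    return buf


def demo():
    with tempfile.TemporaryDirectory() as dest:
        ok = safe_extract_zip(build_sample_zip(["model/config.json"]), dest)
        try:
            safe_extract_zip(build_sample_zip(["model/a.txt", "../outside.txt"]), dest)
            rejected = False
        except UnsafeArchiveError:
            rejected = True
        wrote_partial = os.path.exists(os.path.join(dest, "model", "a.txt"))
        return ok, rejected, wrote_partial
```

Validating the whole member list before extracting means a rejected archive leaves no partially extracted files behind.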

Severity Score

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version monai - 1.5.2

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE
