CVE-2026-23654: GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability

Overview

Severity
High (CVSS 8.8)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category
Remote Code Execution
Exploit Status
Not Exploited
Exploitation Likelihood
Unlikely
Patch Tuesday
2026-Mar
Released
2026-03-10
EPSS Score
0.06% (percentile: 18.5%)

Description

Dependency on vulnerable third-party component in GitHub Repo: zero-shot-scfoundation allows an unauthorized attacker to execute code over a network.

FAQ

How could an attacker exploit this vulnerability?

The project's requirements file references a dependency by the bare name "geneformer", so the package installer resolves that name on the public PyPI registry. An attacker could publish a malicious package under that same name to PyPI. If a user installs the affected open-source project and the installation process retrieves the attacker's package instead of the intended legitimate one, the attacker's code runs on the user's system during installation (a PyPI distribution can execute arbitrary code through its build and install hooks, for example setup.py), before the project itself is ever used. This could allow the attacker to execute unauthorized code. Referencing the dependency by a pinned source (a VCS URL fixed to a specific commit, or an exact version with a hash) rather than by an unclaimed public name is the check a consumer of the repository should apply.
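The following is an added example, not code from the advisory or from the zero-shot-scfoundation project, showing the audit a practitioner would run over a requirements file to catch the pattern described above: a bare, unpinned, unhashed name whose resolution is left entirely to the public index. The two requirements files are constructed; the Geneformer URL, commit and sha256 values in the hardened file are placeholders, not real identifiers.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample inputs (not the project's real requirements files).
# VULNERABLE mirrors the advisory: "geneformer" is a bare name, so pip resolves it
# on the public index and runs whatever that distribution's build hooks do.
VULNERABLE = """\
# zero-shot scFoundation deps (constructed example)
geneformer
torch>=2.0
numpy
"""

# HARDENED pins geneformer to a VCS commit (hypothetical URL and commit) and the
# index packages to exact versions with placeholder sha256 hashes.
HARDENED = """\
geneformer @ git+https://github.com/example-org/Geneformer@0123456789abcdef0123456789abcdef01234567
torch==2.2.0 \\
    --hash=sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
numpy==1.26.4 \\
    --hash=sha256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""


@dataclass
class Requirement:
    raw: str
    name: str            # PEP 503 normalised project name
    spec: str            # version specifier, or "@ <url>" for a direct reference
    hashes: List[str] = field(default_factory=list)


NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
EXACT_PIN = re.compile(r"^===?\s*[^,\s]+$")      # "==1.2.3", nothing else
COMMIT_SHA = re.compile(r"@[0-9a-f]{40}$")        # VCS URL ending in a full commit


def parse_requirements(text: str) -> List[Requirement]:
    """Parse a pip requirements file: comments, backslash continuations, --hash options."""
    logical, buf = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        logical.append((buf + stripped).strip())
        buf = ""
    reqs = []
    for entry in logical:
        if entry.startswith("-"):             # -r / -e / global options: not a package
            continue
        tokens = entry.split()
        hashes = [t.split("=", 1)[1] for t in tokens if t.startswith("--hash=")]
        body = " ".join(t for t in tokens if not t.startswith("--")).split(";")[0].strip()
        m = NAME_RE.match(body)
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()
        reqs.append(Requirement(entry, name, m.group(3).strip(), hashes))
    return reqs


def audit(reqs: List[Requirement]) -> List[Tuple[str, str, str]]:
    """Return (name, kind, message) findings for entries the public index could hijack."""
    findings = []
    for r in reqs:
        if r.spec.startswith("@"):
            url = r.spec[1:].strip()
            if url.startswith(("git+", "hg+", "svn+", "bzr+")) and not COMMIT_SHA.search(url):
                findings.append((r.name, "vcs-unpinned", "VCS URL is not pinned to a full commit hash"))
            continue
        if not r.spec:
            findings.append((r.name, "bare-name",
                             "no version pin: whatever the index serves under this name is installed and built"))
        elif not EXACT_PIN.match(r.spec):
            findings.append((r.name, "range", f"specifier {r.spec!r} admits a newer, attacker-published release"))
        if not r.hashes:
            findings.append((r.name, "no-hash", "no --hash: downloaded artifact is not checked against a known digest"))
    return findings


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for name, kind, msg in audit(parse_requirements(text)) or [("-", "ok", "no findings")]:
            print(f"{name:12} {kind:13} {msg}")
```

Exact pins only help once hashes are enforced: install the hardened file with `pip install --require-hashes -r requirements.txt` so that any entry without a `--hash` is refused rather than silently resolved from the index.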

Affected Products (1)

Open Source Software

  • GitHub Repo: Zero Shot scFoundation

Security Updates (2)

Acknowledgments

<a href="https://www.linkedin.com/in/shrinivasan-sekar-525837385/">Shrinivasan Sekar</a>, <a href="https://www.linkedin.com/in/lakshmi-vignesh-s/">Lakshmi Vignesh S</a>

Revision History

  • 2026-03-10: Information published.