High

Remote Code Execution via Vulnerable Third-Party PyPI Dependency in zero-shot-scfoundation

IdentifiersCVE-2026-23654CWE-829

CVE-2026-23654 is a supply-chain remote code execution vulnerability in the GitHub repository zero-shot-scfoundation caused by dependency on an improperly controlled vulnerable third-party PyPI package. The issue allows malicious package substitution during installation, resulting in execution of attacker-controlled code in environments that build, install, or otherwise resolve the affected dependency. Based on the provided content, the vulnerable condition is tied to the project’s dependency chain rather than a specific application runtime function, and the primary exposure is during dependency retrieval and installation in development or CI/CD contexts.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can compromise developer workstations, build systems, and CI/CD pipelines that install the affected dependency. An attacker may achieve arbitrary code execution in the context of the installation or build process, which can lead to theft of source code, secrets, tokens, and signing material, tampering with build artifacts, insertion of backdoors into downstream software, and broader supply-chain compromise.

Mitigation

If you can’t patch tonight, do this now.

Audit PyPI dependency usage associated with zero-shot-scfoundation, especially in automated build and CI/CD workflows. Restrict package installation to trusted registries or internal mirrors, pin exact dependency names and versions, validate package provenance, and monitor for unexpected dependency resolution behavior. As a defensive measure, review developer and pipeline credentials, secrets, and produced artifacts for possible compromise if the affected dependency was installed.

Remediation

Patch, then assume compromise.

According to the provided content, Microsoft remediated CVE-2026-23654 without requiring customer action. The content also recommends that teams audit their PyPI dependencies. Where applicable, organizations should verify that dependency references for zero-shot-scfoundation and related build workflows resolve only to intended packages and versions, remove or replace the vulnerable third-party component, and review build and development environments for signs of malicious package substitution.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Microsoft CorporationGihub Repo Zero Shot Scfoundationapplication

Microsoft CorporationZero-Shot-Scfoundationapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

cyberthroneNews

Mar 11, 2026

Microsoft Patch Tuesday - March 2026 - TheCyberThrone

A supply-chain remote code execution risk stemming from an improperly controlled third-party PyPI dependency in a GitHub repository, enabling malicious package substitution during installation and potential CI/CD compromise.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity2

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-23654

NVD

nvd.nist.gov/vuln/detail/CVE-2026-23654

MITRE CWE · CWE-829

cwe.mitre.org

Vendor Advisory

msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23654