NVD disclosure day

Published threat advisories for March 18, 2026

CVE advisoryCRITICAL

CVE-2026-25873

OmniGen2-RL Reward Server Unauthenticated Remote Code Execution

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

OmniGen2-RL's reward server has a critical vulnerability allowing unauthenticated remote attackers to execute arbitrary commands via malicious HTTP POST requests exploiting insecure pickle deserialization. This could lead to code execution on the host system. It is important to determine if this technology is used and