| Package | Installed | Affected | Info |
|---|---|---|---|
| pytorch-lightning | 1.5.8 | <2.4.0 | Affected versions of the PyTorch-Lightning package are vulnerable to Path Traversal due to insufficient validation of user-supplied filenames. The `/api/v1/upload_file/` endpoint in the LightningApp component on Windows hosts fails to sanitize the filename parameter, allowing directory traversal sequences to escape the intended upload directory. |
| pytorch-lightning | 1.5.8 | <1.6.0 | Pytorch-lightning 1.6.0 updates its dependency 'pyyaml' to v5.4 and uses yaml.safe_load() to fix code execution vulnerabilities. |
| pytorch-lightning | 1.5.8 | >=0,<1.6.0 | Pytorch-lightning before 1.6.0 is vulnerable to Deserialization of Untrusted Data. |
| pytorch-lightning | 1.5.8 | <2.3.2 | Affected versions of the PyTorch Lightning package are vulnerable to Denial of Service (DoS) due to improper validation of state values. The `/api/v1/state` endpoint in the LightningApp component fails to properly handle unexpected state values in POST requests, causing the server process to crash. |
| pytorch-lightning | 1.5.8 | >=0,<1.6.0 | PyTorch Lightning version 1.5.10 and prior is vulnerable to code injection. An attacker could execute commands on the target operating system by setting the `PL_TRAINER_GPUS` environment variable when using the `Trainer` module. A [patch](https://github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae) is included in the `1.6.0` release. Affected functions: pytorch_lightning.utilities.argparse.parse_env_variables |
| pytorch-lightning | 1.5.8 | <1.6.0 | Pytorch-lightning 1.6.0 updates its dependency 'pyyaml' to v5.4 and uses yaml.safe_load() to fix code execution vulnerabilities. |