The flaw, disclosed a month after it was patched, provided an attacker with remote code execution privileges by poisoning the data ingested by the model.