Transformers

This hub aggregates every CVE we track for Transformers, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

OSS Librarieslibrarylibrary

CVEs tracked

Critical

High

In CISA KEV

Severity distribution

HIGH20MEDIUM7CRITICAL2LOW1

Monthly trend

2024-072026-06

Latest CVEs

See all →

The 15 most recently published vulnerabilities affecting Transformers.

CVE-2026-5241Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers9.6Jun 3, 2026
CVE-2026-4372Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers7.8May 24, 2026
CVE-2026-1839Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers7.8Apr 7, 2026
CVE-2025-14930Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability7.8Dec 23, 2025
CVE-2025-14928Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability7.8Dec 23, 2025
CVE-2025-14924Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability7.8Dec 23, 2025
CVE-2025-14920Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability7.8Dec 23, 2025
CVE-2025-14926Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability7.8Dec 23, 2025
CVE-2025-14927Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability7.8Dec 23, 2025
CVE-2025-14921Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability7.8Dec 23, 2025
CVE-2025-14929Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability7.8Dec 23, 2025
CVE-2025-6921Regular Expression Denial of Service (ReDoS) in huggingface/transformers7.5Sep 23, 2025
CVE-2025-6051Regular Expression Denial of Service (ReDoS) in huggingface/transformers5.3Sep 14, 2025
CVE-2025-6638Regular Expression Denial of Service (ReDoS) in huggingface/transformers7.5Sep 12, 2025
CVE-2025-5197Regular Expression Denial of Service (ReDoS) in huggingface/transformers5.3Aug 6, 2025

Product normalization is registry-driven with AI assist and human review. How it works