huggingface

Top products

The 15 most recently published vulnerabilities affecting huggingface.

• CVE-2026-5241Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers9.6Jun 3, 2026
• CVE-2026-4372Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers7.8May 24, 2026
• CVE-2026-44827Diffusers: None.py Trust Remote Code Bypass8.8May 14, 2026
• CVE-2026-44513Diffusers: `trust_remote_code` bypass via `custom_pipeline` and local custom components8.8May 14, 2026
• CVE-2026-25874LeRobot Unsafe Deserialization Remote Code Execution via gRPC9.8Apr 23, 2026
• CVE-2026-1839Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers7.8Apr 7, 2026
• CVE-2026-4963huggingface smolagents Incomplete Fix CVE-2025-9959 local_python_executor.py evaluate_with code injection6.3Mar 27, 2026
• CVE-2026-2654huggingface smolagents LocalPythonExecutor requests.post server-side request forgery6.3Feb 18, 2026
• CVE-2026-0599Unbounded External Image Fetch in Validation Leads to Resource-Exhaustion DoS in huggingface/text-generation-inference7.5Feb 2, 2026
• CVE-2025-14930Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability7.8Dec 23, 2025
• CVE-2025-14928Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability7.8Dec 23, 2025
• CVE-2025-14924Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability7.8Dec 23, 2025
• CVE-2025-14920Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability7.8Dec 23, 2025
• CVE-2025-14926Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability7.8Dec 23, 2025
• CVE-2025-14927Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability7.8Dec 23, 2025