CVE-2026-44827

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...

PYSEC-2026-41

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...

CVE-2026-44513

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trustremotecode bypass in DiffusionPipeline.frompretrained allows arbitrary remote code execution despite the user passing trustremotecode=False or omitting it, which is the default. The vulnerability has three variant...

PYSEC-2026-40

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trustremotecode bypass in DiffusionPipeline.frompretrained allows arbitrary remote code execution despite the user passing trustremotecode=False or omitting it, which is the default. The vulnerability has three variant...

PYSEC-2026-40

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trustremotecode bypass in DiffusionPipeline.frompretrained allows arbitrary remote code execution despite the user passing trustremotecode=False or omitting it, which is the default. The vulnerability has three variant...

CVE-2026-44827 Diffusers: None.py Trust Remote Code Bypass

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...

CVE-2026-44513

Diffusers 0.38.0 fixes a trust_remote_code bypass in DiffusionPipeline.from_pretrained that allowed arbitrary remote code execution when using custom_pipeline or local snapshots. Root cause: the security gate was checked inside DiffusionPipeline.download(), but some code paths bypassed download()...

EUVD-2026-30334

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trustremotecode bypass in DiffusionPipeline.frompretrained allows arbitrary remote code execution despite the user passing trustremotecode=False or omitting it, which is the default. The vulnerability has three variant...

CVE-2026-44513 Diffusers: `trust_remote_code` bypass via `custom_pipeline` and local custom components

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trustremotecode bypass in DiffusionPipeline.frompretrained allows arbitrary remote code execution despite the user passing trustremotecode=False or omitting it, which is the default. The vulnerability has three variant...

diffusers 代码注入漏洞

Diffusers is an open-source diffusion model library developed by Hugging Face for generating images, audio, and 3D molecular structures. Versions of Diffusers prior to 0.38.0 contained a code injection vulnerability, which was caused by improper handling of the custompipeline parameter, potential...

diffusers 代码注入漏洞

diffusers is a generative model library for generating images, audio, and 3D molecular structures, open-sourced by Hugging Face. Versions of diffusers prior to 0.38.0 contained a code injection vulnerability, which was caused by a bypass of trustremotecode, potentially allowing arbitrary remote...

Diffusers has a `trust_remote_code` bypass via `custom_pipeline` and local custom components

Impact A trustremotecode bypass in DiffusionPipeline.frompretrained allows arbitrary remote code execution despite the user passing trustremotecode=False or omitting it, which is the default. The vulnerability has three variants, all sharing the same root cause — the trustremotecode gate was...

OPENSUSE-SU-2026:10435-1 cpp-httplib-devel-0.38.0-1.1 on GA media

These are all security issues fixed in the cpp-httplib-devel-0.38.0-1.1 package on the GA media of openSUSE Tumbleweed...

GHSA-HFPC-8R3F-GW53 AWS-LC has PKCS7_verify Signature Validation Bypass

Summary AWS-LC is an open-source, general-purpose cryptographic library. Impact Improper signature validation in PKCS7verify in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need...

EUVD-2022-7609

Malicious code in bioql PyPI...

CVE-2025-59532 Codex has sandbox bypass due to bug in path configuration logic

Codex CLI is a coding agent from OpenAI that runs locally. In versions 0.2.0 to 0.38.0, due to a bug in the sandbox configuration logic, Codex CLI could treat a model-generated cwd as the sandbox’s writable root, including paths outside of the folder where the user started their session. This log...

Eclipse OpenJ9 缓冲区错误漏洞

Eclipse OpenJ9 is a Java application engine from the Eclipse Foundation. It is primarily used to run Java applications. A security vulnerability exists in Eclipse OpenJ9 versions prior to 0.38.0, which stems from an implementation of shared caching where the size of a string is not properly check...

PT-2023-20394 · Eclipse +2 · Eclipse Openj9 +2

Name of the Vulnerable Software and Affected Versions: Eclipse Openj9 versions prior to 0.38.0 Description: The issue is caused by improper bounds checking in the implementation of the shared cache, which is enabled by default in OpenJ9 builds. Specifically, the size of a string is not properly...

CVE-2023-2597

In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache which is enabled by default in OpenJ9 builds the size of a string is not properly checked against the size of the buffer...

CVE-2023-25151 DoS vulnerability for high cardinality metrics in opentelemetry-go-contrib

opentelemetry-go-contrib is a collection of extensions for OpenTelemetry-Go. The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.requestcontentlength,...