Lucene search
K

332 matches found

EUVD
EUVD
added 2026/05/14 4:33 p.m.9 views

EUVD-2026-30332

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...

8.8CVSS6.5AI score0.00562EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/14 4:33 p.m.8 views

CVE-2026-44827

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...

8.8CVSS6.5AI score0.00562EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/14 4:33 p.m.11 views

CVE-2026-44827 Diffusers: None.py Trust Remote Code Bypass

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...

8.8CVSS6.5AI score0.00562EPSS
Exploits1References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/14 1:48 p.m.14 views

Security Bulletin: Security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak

Summary A security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak. Python is used by IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak as part of its deployment. This bulletin identifies the fixes...

7.8CVSS7.6AI score0.00315EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/13 10:51 a.m.16 views

Security Bulletin: Vulnerabilities in Hugging Face Transformers bundled with IBM Fusion, IBM Fusion HCI and Content-Aware Storage

Summary IBM Fusion, IBM Fusion HCI and Content-Aware Storage includes the Hugging Face Transformers library, which could allow a remote attacker to execute arbitrary code on affected installations. These vulnerabilities exist due to the lack of proper validation of user-supplied data during the...

7.8CVSS7.6AI score0.00315EPSS
Exploits0Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/12 6:30 p.m.10 views

mamba language model framework vulnerable to insecure deserialization when loading pre-trained models from HuggingFace Hub

The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization CWE-502 when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.frompretrained method uses torch.load to load the pytorchmodel.bin weight file without enabling the security-restrictive...

9.8CVSS6.1AI score0.00409EPSS
Exploits0References4Affected Software1
The Hacker News
The Hacker News
added 2026/05/11 7:5 a.m.15 views

Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads

A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter, masqueraded as its legitimate counterpart...

6AI score
Exploits0
CNNVD
CNNVD
added 2026/04/23 12:0 a.m.8 views

lerobot 代码问题漏洞

Lerobot is a robot programming library open source by Hugging Face. Versions of LeRobot prior to 0.5.1 had code vulnerabilities. These vulnerabilities stemmed from unsafe deserialization in the asynchronous inference pipeline. The pickle.loads function was used to deserialize data received throug...

9.8CVSS6.4AI score0.15547EPSS
Exploits1References1
OSV
OSV
added 2026/03/27 6:31 p.m.4 views

GHSA-54FQ-V6X8-244G Hugging Face Smolagents has an Injection issue

A weakness has been identified in huggingface smolagents 1.25.0.dev0. This affects the function evaluateaugassign/evaluatecall/evaluatewith of the file src/smolagents/localpythonexecutor.py of the component Incomplete Fix CVE-2025-9959. This manipulation causes code injection. It is possible to...

6.3CVSS5.6AI score0.00575EPSS
Exploits1References9
Github Security Blog
Github Security Blog
added 2026/03/01 1:29 a.m.9 views

Gradio has an Open Redirect in its OAuth Flow

Summary The redirecttotarget function in Gradio's OAuth flow accepts an unvalidated targeturl query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled i.e. apps running on Hugging Face Spaces with...

4.7CVSS6AI score0.00232EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2026/03/01 1:0 a.m.5 views

GHSA-H3H8-3V2V-RG7M Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret

Summary Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingfacehub.gettoken and stores it...

5.9AI score0.00453EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/03/01 1:0 a.m.5 views

Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret

Summary Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingfacehub.gettoken and stores it...

5.9CVSS5.9AI score0.00453EPSS
Exploits1References6Affected Software1
Snyk
Snyk
added 2026/02/28 12:14 a.m.5 views

Use of Hard-coded Credentials

Overview gradio is a Python library for easily interacting with trained machine learning models Affected versions of this package are vulnerable to Use of Hard-coded Credentials via the login/huggingface route, which retrieves the server's Hugging Face access token using the huggingfacehub.gettok...

8.2CVSS5.9AI score0.00453EPSS
Exploits1References2
OSV
OSV
added 2026/02/27 10:16 p.m.6 views

PYSEC-2026-65

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the redirecttotarget function in Gradio's OAuth flow accepts an unvalidated targeturl query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback...

4.7CVSS5.9AI score0.00232EPSS
Exploits0References1
PyPA
PyPA
added 2026/02/27 10:16 p.m.8 views

PYSEC-2026-63

Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visi...

5.9CVSS5.8AI score0.00453EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2026/02/27 10:16 p.m.11 views

PYSEC-2026-63

Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visi...

5.9CVSS5.8AI score0.00453EPSS
Exploits1References1
EUVD
EUVD
added 2026/02/27 9:44 p.m.4 views

EUVD-2026-9083

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the redirecttotarget function in Gradio's OAuth flow accepts an unvalidated targeturl query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback...

4.3CVSS6AI score0.00232EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/27 9:44 p.m.12 views

CVE-2026-28415

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the redirecttotarget function in Gradio's OAuth flow accepts an unvalidated targeturl query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback...

4.7CVSS6AI score0.00232EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/27 9:44 p.m.3 views

CVE-2026-28415 Gradio has Open Redirect in OAuth Flow

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the redirecttotarget function in Gradio's OAuth flow accepts an unvalidated targeturl query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback...

4.3CVSS6AI score0.00232EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/27 9:44 p.m.24 views

CVE-2026-28415 Gradio has Open Redirect in OAuth Flow

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the redirecttotarget function in Gradio's OAuth flow accepts an unvalidated targeturl query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback...

4.3CVSS0.00232EPSS
Exploits0References1
Rows per page
Query Builder