auto-survey (>=0.1.0 <=0.2.4), gptparse (=0.3.0) +12 more potentially affected by CVE-2026-44018 via docling (>=2.51.0 <=2.90.0)

docling PYPI version =2.51.0, =0.1.0, =0.19.2, =1.40.0, =0.6.2, =0.0.1, =0.3.0, =1.0.0, =1.6.2, =1.6.2, =0.0.1, =0.0.2 Source cves: CVE-2026-44018 Source advisory: OSV:GHSA-R3XG-RG9J-67FV...

auto-survey (>=0.1.0 <=0.2.4), gptparse (=0.3.0) +5 more potentially affected by CVE-2026-44016 via docling (>=2.87.0 <=2.90.0)

docling PYPI version =2.87.0, =0.1.0, =0.40.0, =0.6.2, =0.0.1, =0.0.1, =0.0.2 Source cves: CVE-2026-44016 Source advisory: SNYK:PYTHON-DOCLING-17151857...

instructlab-sdg (>=0.0.1 <=0.0.1rc4) potentially affected by CVE-2026-6859 via instructlab (=0.17.2)

instructlab PYPI version =0.17.2 is affected by a known vulnerability. The following packages have a transitive dependency on instructlab and may be impacted: - instructlab-sdg =0.0.1, =0.0.1rc4 Source cves: CVE-2026-6859 Source advisory: SNYK:PYTHON-INSTRUCTLAB-16323407...

instructlab-sdg (>=0.0.1 <=0.0.1rc4) potentially affected by CVE-2026-6859 via instructlab (=0.17.2)

instructlab PYPI version =0.17.2 is affected by a known vulnerability. The following packages have a transitive dependency on instructlab and may be impacted: - instructlab-sdg =0.0.1, =0.0.1rc4 Source cves: CVE-2026-6859 Source advisory: OSV:GHSA-RXPQ-XGQX-FR7P...

EUVD-2026-24752

A flaw was found in InstructLab. The linuxtrain.py script hardcodes trustremotecode=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...

Inclusion of Functionality from Untrusted Control Sphere

Overview instructlab is a Core package for interacting with InstructLab Affected versions of this package are vulnerable to Inclusion of Functionality from Untrusted Control Sphere via default trustremotecode=True for loading models from HuggingFacein in linuxtrain.py file. An attacker can execut...

InstructLab Includes Functionality from Untrusted Control Sphere

A flaw was found in InstructLab. The linuxtrain.py script hardcodes trustremotecode=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...

GHSA-RXPQ-XGQX-FR7P InstructLab Includes Functionality from Untrusted Control Sphere

A flaw was found in InstructLab. The linuxtrain.py script hardcodes trustremotecode=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...

instructlab-sdg (>=0.0.1 <=0.0.1rc4) potentially affected by CVE-2026-6855 via instructlab (=0.17.2)

instructlab PYPI version =0.17.2 is affected by a known vulnerability. The following packages have a transitive dependency on instructlab and may be impacted: - instructlab-sdg =0.0.1, =0.0.1rc4 Source cves: CVE-2026-6855 Source advisory: OSV:GHSA-PQMG-C2J8-FQ92...

GHSA-PQMG-C2J8-FQ92 InstructLab vulnerable to Path Traversal

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the logsdir parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to...

InstructLab vulnerable to Path Traversal

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the logsdir parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to...

CVE-2026-6859

A flaw was found in InstructLab. The linuxtrain.py script hardcodes trustremotecode=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...

CVE-2026-6855

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the logsdir parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to...

CVE-2026-6859 Instructlab: instructlab: arbitrary code execution due to hardcoded `trust_remote_code=true`

A flaw was found in InstructLab. The linuxtrain.py script hardcodes trustremotecode=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...

CVE-2026-6859

A flaw was found in InstructLab. The linuxtrain.py script hardcodes trustremotecode=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...

CVE-2026-6859 Instructlab: instructlab: arbitrary code execution due to hardcoded `trust_remote_code=true`

A flaw was found in InstructLab. The linuxtrain.py script hardcodes trustremotecode=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...

CVE-2026-6859

A flaw was found in InstructLab. The linuxtrain.py script hardcodes trustremotecode=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run ilab train/download/generate with a specially crafted malicious model...

CVE-2026-6859

CVE-2026-6859 is a Red Hat advisory about a flaw in InstructLab where linux_train.py hardcodes trust_remote_code=True when loading models from HuggingFace. This enables arbitrary Python code execution if a user runs ilab train/download/generate with a malicious HuggingFace model, potentially lead...

CVE-2026-6855

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the logsdir parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to...

CVE-2026-6855 Instructlab: instructlab: path traversal allows arbitrary directory creation and file write

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the logsdir parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to...