23 matches found
CVE-2026-44827
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...
PYSEC-2026-41
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...
CVE-2026-44513
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trustremotecode bypass in DiffusionPipeline.frompretrained allows arbitrary remote code execution despite the user passing trustremotecode=False or omitting it, which is the default. The vulnerability has three variant...
PYSEC-2026-40
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trustremotecode bypass in DiffusionPipeline.frompretrained allows arbitrary remote code execution despite the user passing trustremotecode=False or omitting it, which is the default. The vulnerability has three variant...
PYSEC-2026-40
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trustremotecode bypass in DiffusionPipeline.frompretrained allows arbitrary remote code execution despite the user passing trustremotecode=False or omitting it, which is the default. The vulnerability has three variant...
CVE-2026-44827 Diffusers: None.py Trust Remote Code Bypass
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...
CVE-2026-44513
Diffusers 0.38.0 fixes a trust_remote_code bypass in DiffusionPipeline.from_pretrained that allowed arbitrary remote code execution when using custom_pipeline or local snapshots. Root cause: the security gate was checked inside DiffusionPipeline.download(), but some code paths bypassed download()...
EUVD-2026-30334
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, a trustremotecode bypass in DiffusionPipeline.frompretrained allows arbitrary remote code execution despite the user passing trustremotecode=False or omitting it, which is the default. The vulnerability has three variant...
diffusers 代码注入漏洞
Diffusers is an open-source diffusion model library developed by Hugging Face for generating images, audio, and 3D molecular structures. Versions of Diffusers prior to 0.38.0 contained a code injection vulnerability, which was caused by improper handling of the custompipeline parameter, potential...
diffusers 代码注入漏洞
diffusers is a generative model library for generating images, audio, and 3D molecular structures, open-sourced by Hugging Face. Versions of diffusers prior to 0.38.0 contained a code injection vulnerability, which was caused by a bypass of trustremotecode, potentially allowing arbitrary remote...
OPENSUSE-SU-2026:10435-1 cpp-httplib-devel-0.38.0-1.1 on GA media
These are all security issues fixed in the cpp-httplib-devel-0.38.0-1.1 package on the GA media of openSUSE Tumbleweed...
GHSA-HFPC-8R3F-GW53 AWS-LC has PKCS7_verify Signature Validation Bypass
Summary AWS-LC is an open-source, general-purpose cryptographic library. Impact Improper signature validation in PKCS7verify in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes. Customers of AWS services do not need...
EUVD-2022-7609
Malicious code in bioql PyPI...
PT-2023-20394 · Eclipse +2 · Eclipse Openj9 +2
Name of the Vulnerable Software and Affected Versions: Eclipse Openj9 versions prior to 0.38.0 Description: The issue is caused by improper bounds checking in the implementation of the shared cache, which is enabled by default in OpenJ9 builds. Specifically, the size of a string is not properly...
CVE-2023-2597
In Eclipse Openj9 before version 0.38.0, in the implementation of the shared cache which is enabled by default in OpenJ9 builds the size of a string is not properly checked against the size of the buffer...
CVE-2023-25151 DoS vulnerability for high cardinality metrics in opentelemetry-go-contrib
opentelemetry-go-contrib is a collection of extensions for OpenTelemetry-Go. The v0.38.0 release of go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp uses the httpconv.ServerRequest function to annotate metric measurements for the http.server.requestcontentlength,...
OpenTelemetry-Go Contrib 资源管理错误漏洞
OpenTelemetry-Go Contrib is a collection of extensions for OpenTelemetry Go in the OpenTelemetry open source. A resource management error vulnerability exists in OpenTelemetry-Go Contrib version v0.38.0, which stems from the fact that if the query string is always randomized, this results in an...
ChainSafe js-libp2p-noise 资源管理错误漏洞
ChainSafe js-libp2p-noise is an open source implementation of TypeScript containing the noise protocol from ChainSafe Canada. A resource management error vulnerability exists in ChainSafe js-libp2p versions prior to 0.38.0, which stems from vulnerability to targeted resource exhaustion attacks th...
PT-2022-28158 · Unknown · Opentelemetry-Go Contrib
Name of the Vulnerable Software and Affected Versions: opentelemetry-go-contrib versions 0.38.0 through 0.38.0 Description: The issue concerns a denial-of-service attack due to memory allocation increase when handling requests with constantly random query strings. The httpconv.ServerRequest...
AZL-34969 CVE-2020-25657 affecting package m2crypto for versions less than 0.38.0-3
A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality...