Lucene search
K

14 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:14 p.m.11 views

CVE-2026-4372

A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious config.json file containing the attnimplementationinternal field set to an attacker-controlled HuggingFac...

7.8CVSS8.1AI score0.00479EPSS
Exploits1References1
Github Security Blog
Github Security Blog
added 2026/05/20 3:31 p.m.12 views

Diffusers: TOCTOU Trust Remote Code Bypass

Background This vulnerability is found in the diffusers package - the transformers-equivalent library for diffusion models. It is found in the DiffusionPipeline.frompretrained flow, which is used to load a pipeline from the HuggingFace Hub. This function has a trustremotecode guard: if the...

6.4AI score0.00048EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.15 views

PT-2026-42205

Background This vulnerability is found in the diffusers package - the transformers-equivalent library for diffusion models. It is found in the DiffusionPipeline.from pretrained flow, which is used to load a pipeline from the HuggingFace Hub. This function has a trust remote code guard: if the...

7.5CVSS6.4AI score0.00048EPSS
Exploits0References6
PyPA
PyPA
added 2026/05/14 5:16 p.m.22 views

PYSEC-2026-41

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...

8.8CVSS6.5AI score0.00562EPSS
Exploits1References1Affected Software1
CVE
CVE
added 2026/05/14 4:33 p.m.70 views

CVE-2026-44827

Diffusers prior to 0.38.0 is vulnerable to silent remote code execution when loading pipelines from Hugging Face Hub without trust_remote_code. If custom_pipeline is not supplied, _resolve_custom_pipeline_and_cls formats None as None.py; a repository containing a None.py with a subclass of Diffus...

8.8CVSS6.5AI score0.00562EPSS
Exploits1References1Affected Software1
Snyk
Snyk
added 2025/11/24 8:33 p.m.3 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

9.8CVSS6.8AI score
Exploits0References3
Snyk
Snyk
added 2025/11/24 4:24 p.m.2 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

9.8CVSS6.8AI score
Exploits0References3
Snyk
Snyk
added 2025/11/24 4:24 p.m.4 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

9.8CVSS6.8AI score
Exploits0References3
IBM Security Bulletins
IBM Security Bulletins
added 2025/04/29 2:7 a.m.19 views

Security Bulletin: IBM Security Verify Information Queue displays the Grafana signing key when setting up the logs stack (CVE-2021-20412)

Summary IBM Security Verify Information Queue ISIQ offers an optional logs stack to demonstrate logging and monitoring. Among the stack's components is a Grafana dashboard. The initialization file for Grafana contains a hard-coded signing key. As of ISIQ v10.0.0, this signing key has been removed...

7.5CVSS7.6AI score0.00886EPSS
Exploits0Affected Software1
OSV
OSV
added 2024/03/04 12:15 a.m.23 views

PYSEC-2024-43

LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a loadchain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure...

8.1CVSS6.1AI score0.0174EPSS
Exploits1References2
IBM Security Bulletins
IBM Security Bulletins
added 2021/02/10 6:5 p.m.23 views

Security Bulletin: IBM Security Verify Information Queue does not properly encode error messages sent to web users (CVE-2021-20405)

Summary When an error occurs while using the IBM Security Verify Information Queue ISIQ web application, the status messages sent back to the user are not properly encoded. This could lead to information disclosure, which could then be leveraged in a phishing attack. As of v10.0.0, the ISIQ web...

7.5CVSS0.7AI score0.00752EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2020/04/07 3:53 p.m.20 views

Security Bulletin: IBM Security Information Queue does not invalidate sessions after logout (CVE-2020-4291)

Summary IBM Security Information Queue ISIQ session identifiers are not properly invalidated upon user logout from ISIQ's web UI. This create opportunities for an attacker to hijack a user session token. As of v1.0.6, ISIQ immediately invalidates the session token when a user logs out...

4.7CVSS0.6AI score0.01208EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2019/06/04 3:35 p.m.14 views

Security Bulletin: IBM Security Information Queue reveals internal data in application error messages

Summary IBM Security Information Queue ISIQ reveals too much internal data when displaying application error messages. This data could be used by an attacker. As of v1.0.3, ISIQ's displayed errors are more terse. Detailed diagnostic data is only written to ISIQ log files. Vulnerability Details...

5.3CVSS0.7AI score0.01269EPSS
Exploits0Affected Software1
IBM Security Bulletins
IBM Security Bulletins
added 2019/06/04 3:30 p.m.23 views

Security Bulletin: IBM Security Information Queue web application is vulnerable to clickjacking attack

Summary The IBM Security Information Queue ISIQ web application is vulnerable to a clickjacking attack in which an untrusted page could get embedded into another frame or object. As of v1.0.3, the ISIQ web server disallows browsers from embedding content. Vulnerability Details CVEID: CVE-2019-421...

6.1CVSS1.9AI score0.01183EPSS
Exploits0Affected Software1
Rows per page
Query Builder