CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/06/05 7:13 p.m.•6 views

CVE-2026-48545

Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a...

7.6CVSS5.6AI score0.00355EPSS

RedhatCVE•added 2026/06/05 7:12 p.m.•8 views

CVE-2026-44827

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...

8.8CVSS6.4AI score0.00562EPSS

ATTACKERKB•added 2026/06/02 2:15 p.m.•7 views

CVE-2026-47117

OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied modelname parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a path...

9.8CVSS6.5AI score0.00927EPSS

Exploits0References5

GithubExploit•added 2026/05/29 7:35 a.m.•68 views

Exploit for XPath Injection in Huggingface Smolagents

🔐 Smolagents XPath Injection Simulation Framework CVE-2025-11...

5.4CVSS6AI score0.00252EPSS

Exploits2

OSV•added 2026/05/25 10:4 a.m.•8 views

MAL-2026-4823 Malicious code in msc-terminal (npm)

Part of a multi-package malicious campaign, msc-terminal npm author nhpkevte1576 carries the same payload as eo-terminal and logger-draft — a fully-featured infostealer and remote access trojan RAT deployed via a postinstall hook. All three packages share the same C2 infrastructure and attack...

6AI score

Exploits0References2

Snyk•added 2026/05/24 3:54 p.m.•21 views

Deserialization of Untrusted Data

Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of model configuration files, an attacker can craft a malicious config.json file...

8.5CVSS7.2AI score0.00271EPSS

Exploits1References2

CNNVD•added 2026/05/24 12:0 a.m.•8 views

Hugging Face Transformers 安全漏洞

Hugging Face Transformers is an open-source framework developed by Hugging Face for defining state-of-the-art machine learning models. It covers text, visual, audio, and multimodal models, and can be used for both inference and training. Prior versions of Hugging Face Transformers, such as 5.3.0,...

7.8CVSS7.5AI score0.00271EPSS

Exploits1References2

OSSF Malicious Packages•added 2026/05/20 8:33 a.m.•6 views

Malicious code in pinno-loggers (npm)

pinno-loggers is a malicious npm package that depends on terminal-logger-utils and triggers the malicious behavior in that package when installed or imported. The terminal-logger-utils payload executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper downloads a...

OSV•added 2026/05/20 8:33 a.m.•5 views

MAL-2026-4196 Malicious code in pinno-loggers (npm)

OSV•added 2026/05/20 8:21 a.m.•5 views

MAL-2026-4197 Malicious code in pretty-logger-utils (npm)

pretty-logger-utils is a malicious npm package that depends on terminal-logger-utils and triggers the malicious behavior in that package when installed or imported. The terminal-logger-utils payload executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper...

OSSF Malicious Packages•added 2026/05/20 6:52 a.m.•7 views

Malicious code in ts-logger-pack (npm)

ts-logger-pack is a malicious npm package that depends on terminal-logger-utils and triggers the malicious behavior in that package when installed or imported. The terminal-logger-utils payload executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper downloads...

OSV•added 2026/05/20 6:43 a.m.•14 views

Exploits0References2

MAL-2026-4198 Malicious code in terminal-logger-utils (npm)

terminal-logger-utils is a malicious npm package that when installed executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper checks the current system, downloads a platform-specific second-stage binary from Hugging Face, and executes it. The second-stage paylo...

NVD•added 2026/05/14 5:16 p.m.•9 views

Exploits0References3

CVE-2026-44827

8.8CVSS0.00562EPSS

OSV•added 2026/05/14 5:16 p.m.•7 views

PYSEC-2026-41

EUVD•added 2026/05/14 4:33 p.m.•6 views

EUVD-2026-30332

Vulnrichment•added 2026/05/14 4:33 p.m.•9 views

CVE-2026-44827 Diffusers: None.py Trust Remote Code Bypass

ATTACKERKB•added 2026/05/14 4:33 p.m.•6 views

CVE-2026-44827