CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Snyk•added 2026/05/24 3:54 p.m.•9 views

Deserialization of Untrusted Data

Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of model configuration files, an attacker can craft a malicious config.json file...

8.5CVSS7.2AI score0.00032EPSS

CNNVD•added 2026/05/24 12:0 a.m.•4 views

Hugging Face Transformers 安全漏洞

Hugging Face Transformers is an open-source framework developed by Hugging Face for defining state-of-the-art machine learning models. It covers text, visual, audio, and multimodal models, and can be used for both inference and training. Prior versions of Hugging Face Transformers, such as 5.3.0,...

7.8CVSS7.5AI score0.00032EPSS

OSSF Malicious Packages•added 2026/05/20 8:33 a.m.•5 views

Malicious code in pinno-loggers (npm)

pinno-loggers is a malicious npm package that depends on terminal-logger-utils and triggers the malicious behavior in that package when installed or imported. The terminal-logger-utils payload executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper downloads a...

OSV•added 2026/05/20 8:33 a.m.•2 views

Exploits0References1

MAL-2026-4196 Malicious code in pinno-loggers (npm)

OSV•added 2026/05/20 8:21 a.m.•4 views

Exploits0References1

MAL-2026-4197 Malicious code in pretty-logger-utils (npm)

pretty-logger-utils is a malicious npm package that depends on terminal-logger-utils and triggers the malicious behavior in that package when installed or imported. The terminal-logger-utils payload executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper...

OSSF Malicious Packages•added 2026/05/20 6:52 a.m.•7 views

Exploits0References1

Malicious code in ts-logger-pack (npm)

ts-logger-pack is a malicious npm package that depends on terminal-logger-utils and triggers the malicious behavior in that package when installed or imported. The terminal-logger-utils payload executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper downloads...

OSV•added 2026/05/20 6:43 a.m.•6 views

MAL-2026-4198 Malicious code in terminal-logger-utils (npm)

terminal-logger-utils is a malicious npm package that when installed executes a postinstall hook that opens utils.cjs, an obfuscated malware dropper. The dropper checks the current system, downloads a platform-specific second-stage binary from Hugging Face, and executes it. The second-stage paylo...

OSV•added 2026/05/14 5:16 p.m.•5 views

Exploits0References3

PYSEC-2026-41

Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trustremotecode=True safeguard when loading pipelines from Hugging Face Hub repositories. The resolvecustompipelineandcls function in pipelineloadingutils.py...

NVD•added 2026/05/14 5:16 p.m.•8 views

CVE-2026-44827

8.8CVSS0.0012EPSS

ATTACKERKB•added 2026/05/14 4:33 p.m.•4 views

CVE-2026-44827

Exploits1References2Affected Software1

EUVD•added 2026/05/14 4:33 p.m.•4 views

EUVD-2026-30332

Vulnrichment•added 2026/05/14 4:33 p.m.•7 views

CVE-2026-44827 Diffusers: None.py Trust Remote Code Bypass

IBM Security Bulletins•added 2026/05/14 1:48 p.m.•9 views

Security Bulletin: Security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak

Summary A security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak. Python is used by IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak as part of its deployment. This bulletin identifies the fixes...

7.8CVSS7.6AI score0.00477EPSS

Exploits0Affected Software1

IBM Security Bulletins•added 2026/05/13 10:51 a.m.•6 views

Security Bulletin: Vulnerabilities in Hugging Face Transformers bundled with IBM Fusion, IBM Fusion HCI and Content-Aware Storage

Summary IBM Fusion, IBM Fusion HCI and Content-Aware Storage includes the Hugging Face Transformers library, which could allow a remote attacker to execute arbitrary code on affected installations. These vulnerabilities exist due to the lack of proper validation of user-supplied data during the...

7.8CVSS7.6AI score0.00477EPSS

Exploits0Affected Software2

Github Security Blog•added 2026/05/12 6:30 p.m.•3 views

mamba language model framework vulnerable to insecure deserialization when loading pre-trained models from HuggingFace Hub

The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization CWE-502 when loading pre-trained models from HuggingFace Hub. The MambaLMHeadModel.frompretrained method uses torch.load to load the pytorchmodel.bin weight file without enabling the security-restrictive...

9.8CVSS6.1AI score0.00054EPSS

Exploits0References4Affected Software1

The Hacker News•added 2026/05/11 7:5 a.m.•8 views

Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads

A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter, masqueraded as its legitimate counterpart...

6AI score

Exploits0

CNNVD•added 2026/04/23 12:0 a.m.•3 views

lerobot 代码问题漏洞

Lerobot is a robot programming library open source by Hugging Face. Versions of LeRobot prior to 0.5.1 had code vulnerabilities. These vulnerabilities stemmed from unsafe deserialization in the asynchronous inference pipeline. The pickle.loads function was used to deserialize data received throug...

9.8CVSS6.4AI score0.00162EPSS