Lucene search
+L

232 matches found

NVD
NVD
added 2026/02/27 10:16 p.m.13 views

CVE-2026-27167

Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visi...

5.9CVSS0.00453EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/02/27 9:40 p.m.2 views

CVE-2026-27167 Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret

Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visi...

6AI score0.00453EPSS
Exploits1References1
EUVD
EUVD
added 2026/02/27 9:40 p.m.5 views

EUVD-2026-9075

Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visi...

6AI score0.00453EPSS
Exploits1References1
CNNVD
CNNVD
added 2026/02/27 12:0 a.m.9 views

Gradio 信任管理问题漏洞

Gradio is an open source Python library from Gradio Open Source, a way to demonstrate machine learning models through a friendly web interface. A trust management issue vulnerability exists in Gradio versions prior to 4.16.0 through 6.6.0. The vulnerability stems from the automatic enablement of...

5.9CVSS5.8AI score0.00453EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/02/27 12:0 a.m.12 views

PT-2026-22405

Name of the Vulnerable Software and Affected Versions Gradio versions 4.16.0 through 6.5.9 Description Gradio is a Python package for rapid prototyping. Applications running outside of Hugging Face Spaces, versions 4.16.0 through 6.5.9, improperly handle OAuth components like gr.LoginButton...

6AI score0.00453EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 2026/02/19 7:21 p.m.7 views

CVE-2026-2654

A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made...

9.8CVSS5.4AI score0.00379EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/02/18 1:32 p.m.26 views

CVE-2026-2654 huggingface smolagents LocalPythonExecutor requests.post server-side request forgery

A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made...

6.5CVSS0.00379EPSS
Exploits1References5
CVE
CVE
added 2026/02/18 1:32 p.m.25 views

CVE-2026-2654

Affects huggingface smolagents 1.24.0. The LocalPythonExecutor uses requests.get/post, enabling remote SSRF via manipulation of outbound requests. Public PoC/exploit exists; vendor did not respond. Remediation not provided in the sources; no fixed version is listed for smolagents. Monitor for upd...

9.8CVSS5.4AI score0.00379EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2026/02/18 1:32 p.m.6 views

CVE-2026-2654 huggingface smolagents LocalPythonExecutor requests.post server-side request forgery

A weakness has been identified in huggingface smolagents 1.24.0. Impacted is the function requests.get/requests.post of the component LocalPythonExecutor. Executing a manipulation can lead to server-side request forgery. It is possible to launch the attack remotely. The exploit has been made...

5.3CVSS6.2AI score0.00379EPSS
Exploits1References7
Positive Technologies
Positive Technologies
added 2026/02/18 12:0 a.m.9 views

PT-2026-20398

Name of the Vulnerable Software and Affected Versions huggingface smolagents version 1.24.0 Description A weakness exists in the LocalPythonExecutor component of the software. The functions requests.get and requests.post are affected, potentially leading to server-side request forgery. This issue...

9.8CVSS6.5AI score0.00379EPSS
Exploits1References15
NVD
NVD
added 2026/02/02 11:16 a.m.9 views

CVE-2026-0599

A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET...

7.5CVSS0.22494EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/02/02 10:36 a.m.5 views

CVE-2026-0599 Unbounded External Image Fetch in Validation Leads to Resource-Exhaustion DoS in huggingface/text-generation-inference

A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET...

7.5CVSS5.5AI score0.22494EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/02/02 10:36 a.m.139 views

CVE-2026-0599 Unbounded External Image Fetch in Validation Leads to Resource-Exhaustion DoS in huggingface/text-generation-inference

A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET...

7.5CVSS0.22494EPSS
Exploits0References2
Packet Storm News
Packet Storm News
added 2026/01/28 12:0 a.m.6 views

Llama-3.1-FoundationAI-SecurityLLM-Reasoning-8B Technical Report

We present Foundation-Sec-8B-Reasoning, the first open-source native reasoning model for cybersecurity. Built upon our previously released Foundation-Sec-8B base model derived from Llama-3.1-8B-Base, the model is trained through a two-stage process combining supervised fine-tuning SFT and...

5.9AI score
Exploits0
Snyk
Snyk
added 2026/01/12 1:59 a.m.5 views

Malicious Package

Overview huggingface-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6.8AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/01/12 1:59 a.m.8 views

Malicious code in huggingface-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ddd4d756fe7df1a0ac3caf862d744269bc2e1c1b49d8a4e12c702ded81b75dbf The package huggingface-js was found to contain malicious code. Source: ghsa-malware 9240da3d6ad3248bf99f72ea626c3562d3614a363647cad28a5468f16e73b885...

6.9AI score
Exploits0References1
EUVD
EUVD
added 2026/01/12 1:59 a.m.6 views

EUVD-2026-1979

Malicious code in huggingface-js npm...

6.6AI score
Exploits0References1
OSV
OSV
added 2026/01/12 1:59 a.m.4 views

MAL-2026-222 Malicious code in huggingface-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ddd4d756fe7df1a0ac3caf862d744269bc2e1c1b49d8a4e12c702ded81b75dbf The package huggingface-js was found to contain malicious code. Source: ghsa-malware 9240da3d6ad3248bf99f72ea626c3562d3614a363647cad28a5468f16e73b885...

6.8AI score
Exploits0References1
RedhatCVE
RedhatCVE
added 2025/12/24 6:18 p.m.13 views

CVE-2025-14929

A flaw was found in the Hugging Face Transformers library. The parsing of checkpoints fails to validate user-supplied data, causing a deserialization of untrusted data. An attacker can exploit this issue by providing a malicious X-CLIP model, resulting in arbitrary code execution in the context o...

8.8CVSS7.9AI score0.00315EPSS
Exploits0References4
OSV
OSV
added 2025/12/23 9:4 p.m.3 views

CVE-2025-14920 Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability ...

7.8CVSS7.6AI score0.00262EPSS
Exploits0References3
Rows per page
Query Builder