Lucene search
K

7 matches found

OSV
OSV
added 2026/06/26 9:8 p.m.8 views

MAL-2026-6538 Malicious code in db-plog (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 961a6a108104105727b81399e6a3a6d56636cb79ae8fbfbbc33528f90d890d99 On every Model instantiation — the package's documented primary API — dist/index.js executes execSync'npm install db-connector-log --no-warnings...

6AI score
Exploits0References3
Snyk
Snyk
added 2026/06/10 1:14 a.m.3 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the model initialization process when trustremotecode=True is hardcoded in multiple HuggingFace model-loading call sites. An attacker can execute arbitrary code by supplying a malicious model repository...

8.5CVSS6.2AI score0.00142EPSS
Exploits0References2
CVE
CVE
added 2026/06/09 11:5 p.m.37 views

CVE-2026-46432

CVE-2026-46432 (LMDeploy) affects lmdeploy

7.8CVSS6.2AI score0.00142EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/03 12:33 p.m.14 views

EUVD-2026-34084

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...

8CVSS7.9AI score0.00531EPSS
Exploits1References2
Snyk
Snyk
added 2026/01/21 4:12 p.m.4 views

Arbitrary Code Injection

Overview vllm is an A high-throughput and memory-efficient inference and serving engine for LLMs Affected versions of this package are vulnerable to Arbitrary Code Injection via the automap process during model initialization, even when trustremotecode is false. An attacker can execute arbitrary...

9.8CVSS6.3AI score0.00737EPSS
Exploits1References2
OSV
OSV
added 2026/01/21 4:12 p.m.4 views

GHSA-2PC9-4J83-QJMR vLLM affected by RCE via auto_map dynamic module loading during model initialization

Summary vLLM loads Hugging Face automap dynamic modules during model resolution without gating on trustremotecode, allowing attacker-controlled Python code in a model repo/path to execute at server startup. --- Impact An attacker who can influence the model repo/path local directory or remote...

8.8CVSS6AI score0.00737EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2026/01/21 4:12 p.m.11 views

vLLM affected by RCE via auto_map dynamic module loading during model initialization

Summary vLLM loads Hugging Face automap dynamic modules during model resolution without gating on trustremotecode, allowing attacker-controlled Python code in a model repo/path to execute at server startup. --- Impact An attacker who can influence the model repo/path local directory or remote...

9.8CVSS5.9AI score0.00737EPSS
Exploits1References6Affected Software1
Rows per page
Query Builder