2 matches found
PT-2026-45946
Name of the Vulnerable Software and Affected Versions huggingface/transformers version 5.2.0 Description A flaw in the LightGlue model loading path allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue occurs because the trust remote code...
`trust_remote_code=False` Bypass in LightGlue Nested Config Resolution (Transformers 5.2.0) Leading to Remote Code Execution During Normal `from_pretrained()` Loading
Description Transformers contains a trust-boundary flaw in the LightGlue loading path. When loading a LightGlue model, LightGlueConfig reads trustremotecode from untrusted model config.json and reuses it for nested AutoConfig.frompretrained... resolution. This allows an attacker-controlled model...