CVE-2026-1839

A flaw was found in HuggingFace Transformers. A remote attacker can exploit this vulnerability by supplying a specially crafted checkpoint file e.g., rngstate.pth. The loadrngstate method in the Trainer class loads this file using torch.load without proper validation, specifically missing the...

GHSA-69W3-R845-3855 HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class

A vulnerability in the HuggingFace Transformers library, specifically in the Trainer class, allows for arbitrary code execution. The loadrngstate method in src/transformers/trainer.py at line 3059 calls torch.load without the weightsonly=True parameter. This issue affects all versions of the...

CVE-2026-1839

A vulnerability in the HuggingFace Transformers library, specifically in the Trainer class, allows for arbitrary code execution. The loadrngstate method in src/transformers/trainer.py at line 3059 calls torch.load without the weightsonly=True parameter. This issue affects all versions of the...

CVE-2026-1839

A vulnerability in the HuggingFace Transformers library, specifically in the Trainer class, allows for arbitrary code execution. The loadrngstate method in src/transformers/trainer.py at line 3059 calls torch.load without the weightsonly=True parameter. This issue affects all versions of the...

CVE-2026-1839 Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers

A vulnerability in the HuggingFace Transformers library, specifically in the Trainer class, allows for arbitrary code execution. The loadrngstate method in src/transformers/trainer.py at line 3059 calls torch.load without the weightsonly=True parameter. This issue affects all versions of the...

PT-2026-30793

Name of the Vulnerable Software and Affected Versions HuggingFace Transformers versions prior to 5.0.0rc3 Description A flaw exists in the Trainer class within the HuggingFace Transformers library. The load rng state method, located in src/transformers/trainer.py at line 3059, utilizes torch.load...

Deserialization of Untrusted Data

Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the loadrngstate that uses unsafe torch.load function. An attacker can achieve an arbitrary code execution by...

Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading

Summary A critical arbitrary code execution vulnerability exists in HuggingFace Transformers' Trainer class. The loadrngstate method at src/transformers/trainer.py:3059 calls torch.load without the weightsonly=True parameter. While a safeglobals context manager wraps this call, it provides no...

Security Bulletin: OpenSSL vulnerabilities affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center)

Summary Multiple OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL, used by IBM Spectrum Control formerly Tivoli Storage Productivity Center, has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2019-1552 DESCRIPTION: OpenSSL has internal defaults for a directo...

Security Bulletin: Multiple Vulnerabilities in OpenSSL Affect IBM Sterling Connect:Direct for HP NonStop

Summary There are multiple vulnerabilities in the OpenSSL library used by IBM Sterling Connect:Direct for HP NonStop. IBM Sterling Connect:Direct for HP NonStop has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2019-1547 DESCRIPTION: OpenSSL could allow a local authenticated...

Amazon Linux 2 : openssl11 (ALAS-2020-1456)

The version of openssl11 installed on the remote host is prior to 1.1.1c-15. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2020-1456 advisory. In situations where an attacker receives automated notification of the success or failure of a decryption attempt an...

Security Bulletin: Multiple vulnerabilities have been identified in OpenSSL, a product which ships with IBM Tivoli Nework Manager

Summary OpenSSL is shipped with IBM Tivoli Network Manager version 3.9 Fix Pack 4 and Fix Pack 5. Information about a security vulnerability affecting OpenSSL is published here. Vulnerability Details CVEID: CVE-2019-1547 DESCRIPTION: OpenSSL could allow a local authenticated attacker to obtain...

Security Bulletin: OpenSSL publicly disclosed vulnerability

Summary IBM MobileFirst Platform Foundation has addressed the following vulnerabilityies by updating the version of OpenSSL. Vulnerability Details CVEID: CVE-2019-1563 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in...