23 matches found
GHSA-69W3-R845-3855 HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
A vulnerability in the HuggingFace Transformers library, specifically in the Trainer class, allows for arbitrary code execution. The loadrngstate method in src/transformers/trainer.py at line 3059 calls torch.load without the weightsonly=True parameter. This issue affects all versions of the...
CVE-2026-1839 Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading in huggingface/transformers
A vulnerability in the HuggingFace Transformers library, specifically in the Trainer class, allows for arbitrary code execution. The loadrngstate method in src/transformers/trainer.py at line 3059 calls torch.load without the weightsonly=True parameter. This issue affects all versions of the...
CVE-2026-1839
CVE-2026-1839 concerns the HuggingFace Transformers library, affecting the Trainer class. The root cause is an unsafe load in src/transformers/trainer.py: _load_rng_state() calls torch.load() without weights_only=True, which can allow arbitrary code execution when loading a malicious checkpoint (...
3-04-2025-ttm (=0.1.0), 3d-connectx-env (>=1.0.0 <=1.0.1) +2649 more potentially affected by CVE-2026-4538 via torch (>=1.0.0 <=2.10.0)
torch PYPI version =1.0.0, =1.0.0, =0.1.0, =0.1.0, =0.7.4, =0.2.4, =0.0.1b1, =1.0.32, =0.0.3, =2.1.17, =2.2.2 and more Source cves: CVE-2026-4538 Source advisory: OSV:PYSEC-2026-139...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +25351 more potentially affected by CVE-2025-55560 via torch (>=1.0.0 <=2.7.0)
torch PYPI version =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.10 and more Source cves: CVE-2025-55560 Source advisory: OSV:PYSEC-2025-209...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +25550 more potentially affected by CVE-2025-55552 via torch (>=1.0.0 <=2.8.0)
torch PYPI version =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.10 and more Source cves: CVE-2025-55552 Source advisory: OSV:PYSEC-2025-204...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +24379 more potentially affected by CVE-2025-55552 via torch (>=2.0.0 <=2.8.0)
torch PYPI version =2.0.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.1, =0.10.5, =0.10.13 and more Source cves: CVE-2025-55552 Source advisory: SNYK:PYTHON-TORCH-13052971...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +24265 more potentially affected by CVE-2025-55553 via torch (>=2.0.0 <=2.7.1)
torch PYPI version =2.0.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.1, =0.10.5, =0.10.13 and more Source cves: CVE-2025-55553 Source advisory: SNYK:PYTHON-TORCH-13052994...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +24265 more potentially affected by CVE-2025-55557 via torch (>=2.0.0 <=2.7.1)
torch PYPI version =2.0.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.1, =0.10.5, =0.10.13 and more Source cves: CVE-2025-55557 Source advisory: SNYK:PYTHON-TORCH-13052977...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +25550 more potentially affected by CVE-2025-55551 via torch (>=1.0.0 <=2.8.0)
torch PYPI version =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.10 and more Source cves: CVE-2025-55551 Source advisory: OSV:PYSEC-2025-203...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +25314 more potentially affected by CVE-2025-46148 via torch (>=1.0.0 <=2.6.0)
torch PYPI version =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.10 and more Source cves: CVE-2025-46148 Source advisory: OSV:PYSEC-2025-198...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +24265 more potentially affected by CVE-2025-55558 via torch (>=2.0.0 <=2.7.1)
torch PYPI version =2.0.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.1, =0.10.5, =0.10.13 and more Source cves: CVE-2025-55558 Source advisory: SNYK:PYTHON-TORCH-13052818...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +24379 more potentially affected by CVE-2025-55551 via torch (>=2.0.0 <=2.8.0)
torch PYPI version =2.0.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.1, =0.10.5, =0.10.13 and more Source cves: CVE-2025-55551 Source advisory: SNYK:PYTHON-TORCH-13052805...
LLaMA-Factory allows Code Injection through improper vhead_file safeguards
Summary A critical remote code execution vulnerability was discovered during the Llama Factory training process. This vulnerability arises because the vheadfile is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passi...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +25158 more potentially affected by CVE-2025-32434 via torch (>=1.0.0 <=2.5.1)
torch PYPI version =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.10 and more Source cves: CVE-2025-32434 Source advisory: OSV:GHSA-53Q9-R3PM-6PQ6...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +24265 more potentially affected by CVE-2025-3730 via torch (>=2.0.0 <=2.7.1)
torch PYPI version =2.0.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.1, =0.10.5, =0.10.13 and more Source cves: CVE-2025-3730 Source advisory: SNYK:PYTHON-TORCH-9726944...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +25628 more potentially affected by CVE-2025-3121 via torch (>=1.0.0 <=2.9.1)
torch PYPI version =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.10 and more Source cves: CVE-2025-3121 Source advisory: SNYK:PYTHON-TORCH-10337834...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +25628 more potentially affected by CVE-2025-3000 via torch (>=1.0.0 <=2.9.1)
torch PYPI version =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.10 and more Source cves: CVE-2025-3000 Source advisory: SNYK:PYTHON-TORCH-10337826...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +25314 more potentially affected by CVE-2025-2998 via torch (>=1.0.0 <=2.6.0)
torch PYPI version =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.10 and more Source cves: CVE-2025-2998 Source advisory: OSV:GHSA-F4HP-RMR7-R7V8...
01os (=0.0.14), 21cmpsdenoiser (>=1.0.0 <=1.0.2) +25351 more potentially affected by CVE-2025-2953 via torch (>=1.0.0 <=2.7.0)
torch PYPI version =1.0.0, =1.0.0, =0.1.0, =1.0.0, =0.1.0, =2.13.0, =0.1.0, =0.1.0, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.0.10 and more Source cves: CVE-2025-2953 Source advisory: OSV:GHSA-3749-GHW9-M3MG...