515 matches found
CVE-2026-58116
LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into...
CVE-2026-58116 LLaMA-Factory 0.9.5 Remote Code Execution via WebUI Model Path
LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into...
EUVD-2026-40311
LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into...
CVE-2026-58116
LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into...
CVE-2026-32311
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and...
CVE-2026-5241
A flaw was found in python-transformers. An attacker can exploit this vulnerability by providing a malicious model repository. During model initialization, the trustremotecode parameter, intended to prevent remote code execution, is overridden by untrusted configuration data. This allows the...
CVE-2026-5241
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...
CVE-2026-5241 Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...
CVE-2026-5241
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...
CVE-2026-5241
Technical details (affected products, versions, fixes, or exploit specifics) are not publicly available in the provided connected documents. Monitor for updates from vendors and security advisories.
CVE-2026-5241 Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...
EUVD-2026-34084
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...
PT-2026-45946
Name of the Vulnerable Software and Affected Versions huggingface/transformers version 5.2.0 Description A flaw in the LightGlue model loading path allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue occurs because the trust remote code...
Hugging Face Transformers 安全漏洞
Hugging Face Transformers is an open-source framework developed by Hugging Face for defining state-of-the-art machine learning models. It covers text, visual, audio, and multimodal models, and can be used for both inference and training. Version 5.2.0 of Hugging Face Transformers contains a...
CVE-2026-47117 OpenMed < 1.5.2 Remote Code Execution via PII Model Loading
OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied modelname parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a path...
CVE-2026-47117 OpenMed < 1.5.2 Remote Code Execution via PII Model Loading
OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied modelname parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a path...
OpenMed 代码注入漏洞
OpenMed is a medical text structuring and analysis tool developed by Maziyar Panahi. Versions of OpenMed prior to 1.5.2 contained a code injection vulnerability. This vulnerability stemmed from a remote code execution flaw in the path where the PII privacy filter model is loaded. It could allow...
Malicious Package
Overview @t-in-one/prefilltransformersdatatoken is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...
GHSA-29PF-2H5F-8G72 HuggingFace transformers vulnerable to remote code execution
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious config.json file containing the attnimplementationinternal field set to an attacker-controlled HuggingFac...
3m (>=0.1.1 <=0.1.3), 4dpocket (>=0.1.3 <=0.1.4) +8478 more potentially affected by CVE-2026-4372 via transformers (>=5.0.0 <=5.2.0)
transformers PYPI version =5.0.0, =0.1.1, =0.1.3, =0.1.0, =0.1.0, =0.0.1, =0.1.0.dev1, =0.1.0, =2.3.15.994, =4.0.2 - aait-store-cut-part-001 =0.0.1 - aait-store-cut-part-002 =0.0.1 - aait-store-cut-part-003 =0.0.1 - aait-store-cut-part-004 =0.0.1 - aait-store-cut-part-005 =0.0.1 -...