504 matches found
CVE-2026-32311
Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and...
CVE-2026-5241
A flaw was found in python-transformers. An attacker can exploit this vulnerability by providing a malicious model repository. During model initialization, the trustremotecode parameter, intended to prevent remote code execution, is overridden by untrusted configuration data. This allows the...
CVE-2026-5241
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...
CVE-2026-5241 Policy Bypass in LightGlue Nested Config Resolution in huggingface/transformers
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...
CVE-2026-5241
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...
EUVD-2026-34084
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trustremotecode parameter, intended to prevent remote code execution, is...
CVE-2026-5241
Technical details (affected products, versions, fixes, or exploit specifics) are not publicly available in the provided connected documents. Monitor for updates from vendors and security advisories.
PT-2026-45946
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the trust remote code parameter, intended to prevent remote code execution, ...
Hugging Face Transformers 安全漏洞
Hugging Face Transformers is an open-source framework developed by Hugging Face for defining state-of-the-art machine learning models. It covers text, visual, audio, and multimodal models, and can be used for both inference and training. Version 5.2.0 of Hugging Face Transformers contains a...
CVE-2026-47117 OpenMed < 1.5.2 Remote Code Execution via PII Model Loading
OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. The privacy-filter dispatcher used broad substring matching on the user-supplied modelname parameter, allowing a value such as attacker/foo-privacy-filter-bar to route through a path...
OpenMed 代码注入漏洞
OpenMed is a medical text structuring and analysis tool developed by Maziyar Panahi. Versions of OpenMed prior to 1.5.2 contained a code injection vulnerability. This vulnerability stemmed from a remote code execution flaw in the path where the PII privacy filter model is loaded. It could allow...
Malicious Package
Overview @t-in-one/prefilltransformersdatatoken is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...
Deserialization of Untrusted Data
Overview transformers is a State-of-the-art Machine Learning for JAX, PyTorch and TensorFlow Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to unsafe deserialization of model configuration files, an attacker can craft a malicious config.json file...
aiccel (>=3.0.7 <=3.5.0), anonipy (>=0.0.1 <=0.6.1) +112 more potentially affected by CVE-2026-4372 via transformers (>=5.0.0 <=5.2.0)
transformers PYPI version =5.0.0, =3.0.7, =0.0.1, =0.7.0, =2.0.0, =0.0.10, =0.1.7, =0.1.1, =0.1.4, =0.1.0, =0.5.0 - chatterbox-api =1.0.0 - chatterbox-flash =0.1.0 - chatterbox-tts =0.1.7 - chatterbox-tts-api =1.0.0 and more Source cves: CVE-2026-4372 Source advisory:...
CVE-2026-4372
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious config.json file containing the attnimplementationinternal field set to an attacker-controlled HuggingFac...
CVE-2026-4372
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious config.json file containing the attnimplementationinternal field set to an attacker-controlled HuggingFac...
CVE-2026-4372
CVE-2026-4372 affects HuggingFace transformers prior to 5.3.0. A malicious config.json can set _attn_implementation_internal to an attacker-controlled HuggingFace Hub repo ID. When a victim loads a model with AutoModelForCausalLM.from_pretrained(), the library downloads and executes arbitrary Pyt...
EUVD-2026-31598
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious config.json file containing the attnimplementationinternal field set to an attacker-controlled HuggingFac...
CVE-2026-4372 Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious config.json file containing the attnimplementationinternal field set to an attacker-controlled HuggingFac...
CVE-2026-4372 Arbitrary Remote Code Execution via `_attn_implementation_internal` Config Injection in huggingface/transformers
A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The vulnerability allows an attacker to craft a malicious config.json file containing the attnimplementationinternal field set to an attacker-controlled HuggingFac...