A critical remote code execution vulnerability exists in the Hugging Face transformers library in versions prior to 5.3.0. The vulnerability stems from unfiltered deserialization of configuration attributes in `config.json` files, specifically involving the `_attn_implementation_internal` field. When a victim loads a maliciously crafted model using the standard `AutoModelForCausalLM.from_pretrained()` API, th [truncated]
CVE-2026-44827 is a high-severity remote code execution issue in Hugging Face diffusers versions before 0.38.0. According to the CVE description and linked vendor advisory, a specially crafted Hugging Face Hub repository can cause code to run during a normal `DiffusionPipeline.from_pretrained()` load, even when `trust_remote_code=True` was not explicitly enabled. The issue is fixed in diffusers 0.38.0.
CVE-2026-44513 is a high-severity arbitrary code execution vulnerability in Hugging Face Diffusers, a popular Python library for pretrained diffusion models. The flaw exists in versions prior to 0.38.0 and stems from an architectural defect in how the `trust_remote_code` security gate was implemented. Rather than enforcing the check at the point of dynamic module loading, the gate was placed inside `Diffu [truncated]