HIGH
Hugging Face
CVE published 2026-05-14
CVE-2026-44827
CVE-2026-44827 is a high-severity remote code execution issue in Hugging Face diffusers versions before 0.38.0. According to the CVE description and linked vendor advisory, a specially crafted Hugging Face Hub repository can cause code to run during a normal DiffusionPipeline.from_pretrained() load, even when trust_remote_code=True was not explicitly enabled. The issue is fixed in diffusers 0.38.0.
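
A quick way to check exposure to the version range described above, as an added example (not code from the advisory or from the diffusers project): it flags exact diffusers pins below 0.38.0 in a requirements file and reports the version installed in the active environment. The sample requirements are constructed, the helper names are hypothetical, and treating pre-release or dev builds of 0.38.0 as affected is a conservative assumption.

```python
import re
from importlib import metadata

FIXED = (0, 38, 0)  # first fixed diffusers release, per the description above
# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
torch==2.3.0
diffusers==0.37.1
Diffusers[torch]==0.38.0   # already on the fixed release
diffusers==0.38.0.dev0 ; python_version >= "3.9"
diffusers>=0.30
"""

def is_affected(version):
    """True if version sorts before 0.38.0, False if not, None if unparseable."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # pad "0.38" to (0, 38, 0)
    # Assumption: pre-release/dev builds of 0.38.0 count as before the fix.
    pre = re.match(r"[.\-_]?(a|b|c|rc|alpha|beta|pre|preview|dev)", m.group(2), re.I)
    return nums < FIXED or (nums == FIXED and pre is not None)

def audit_requirements(text):
    """Return (requirement, status) for every line that names diffusers."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"diffusers(?![\w.\-])\s*(?:\[[^\]]*\])?\s*([^;]*)", line, re.I)
        if not m:
            continue
        pin = re.fullmatch(r"={2,3}\s*(\S+)", m.group(1).strip())
        affected = is_affected(pin.group(1)) if pin else None
        status = {True: "affected", False: "fixed", None: "unresolved"}[affected]
        findings.append((line, status))
    return findings

def installed_status():
    """Return (version, is_affected) for the active environment, or None."""
    try:
        version = metadata.version("diffusers")
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected(version)

if __name__ == "__main__":
    for requirement, status in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{status:10} {requirement}")
    print("installed:", installed_status())
```

A line reported as "unresolved" is a range or unpinned requirement, so the version that matters is whatever the resolver actually installed; installed_status() covers that case for the current environment.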