huggingface security advisories
2 threat alerts tracking vulnerabilities and security advisories that affect huggingface products.
Vulnios monitors huggingface CVE feeds, vendor advisories, CISA KEV listings, and exploit-prediction data continuously. Each alert below is enriched with severity, exploitation status, affected products, and a remediation path. Use this page to scan recent huggingface security news in one place, or click into an individual alert for full detail.
Critical Vulnerability: CVE-2026-5241 — huggingface — transformers
A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The
criticalCVE-2026-5241Critical Vulnerability: CVE-2026-25874 — huggingface — lerobot
LeRobot through 0.5.1 contains an unsafe deserialization vulnerability in the async inference pipeline where pickle.loads() is used to deserialize data received over unauthenticated gRPC channels with
criticalCVE-2026-25874
Track huggingface exposure across your environment
Vulnios automatically cross-references your asset inventory against new huggingface CVEs and surfaces only what affects you. No more sifting manually — actionable findings only.
Start a free scan