6.5

CVE-2026-1839

EPSS 0.02%
Veröffentlicht 07.04.2026 05:22:00
Zuletzt bearbeitet 07.04.2026 14:16:18
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The `_load_rng_state()` method in `src/transformers/trainer.py` at line 3059 calls `torch.load()` without the `weights_only=True` parameter. This issue affects all versions of the library supporting `torch>=2.2` when used with PyTorch versions below 2.6, as the `safe_globals()` context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as `rng_state.pth`, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerhuggingface

≫

Produkt huggingface/transformers

Version < v5.0.0rc3

Version unspecified

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.052

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	6.5	1	5.5	CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://huntr.com/bounties/3c77bb97-e493-493d-9a88-c57f5c536485

https://github.com/huggingface/transformers/commit/03c8082ba4594c9b8d6fe190ca9bed0e5f8ca396

https://nvd.nist.gov/vuln/detail/CVE-2026-1839

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-1839

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-1839

EUVD