Huggingface Transformers — known CVE vulnerabilities
Every CVE whose affected-product data names Huggingface Transformers, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (30)
CVE-2026-5241 — CVSS 9.6 (critical): A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model…
CVE-2024-3568 — CVSS 9.6 (critical): The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the…
CVE-2023-6730 — CVSS 8.8 (high): Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
CVE-2024-11392 — CVSS 8.8 (high): Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows…
CVE-2024-11393 — CVSS 8.8 (high): Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows…
CVE-2024-11394 — CVSS 8.8 (high): Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows…
CVE-2025-14929 — CVSS 7.8 (high): Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability. This…
CVE-2023-7018 — CVSS 7.8 (high): Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.
CVE-2025-14920 — CVSS 7.8 (high): Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows…
CVE-2025-14921 — CVSS 7.8 (high): Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability…
CVE-2025-14924 — CVSS 7.8 (high): Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows…
CVE-2025-14926 — CVSS 7.8 (high): Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers…
CVE-2025-14927 — CVSS 7.8 (high): Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote…
CVE-2025-14928 — CVSS 7.8 (high): Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote…
CVE-2025-14930 — CVSS 7.8 (high): Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote…
CVE-2026-1839 — CVSS 7.8 (high): A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. The…
CVE-2026-4372 — CVSS 7.8 (high): A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. The…
CVE-2025-2099 — CVSS 7.5 (high): A vulnerability in the `preprocess_string()` function of the `transformers.testing_utils` module in huggingface/transformers version…
CVE-2025-3262 — CVSS 7.5 (high): A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in…
CVE-2025-6638 — CVSS 7.5 (high): A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically…
CVE-2025-6921 — CVSS 7.5 (high): The huggingface/transformers library, versions prior to 4.53.0, is vulnerable to Regular Expression Denial of Service (ReDoS) in the…
CVE-2024-12720 — CVSS 7.5 (high): A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the…
CVE-2025-1194 — CVSS 6.5 (medium): A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the…
CVE-2025-3264 — CVSS 5.3 (medium): A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the…
CVE-2025-3933 — CVSS 5.3 (medium): A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within…
CVE-2025-5197 — CVSS 5.3 (medium): A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the…
CVE-2025-6051 — CVSS 5.3 (medium): A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within…
CVE-2025-3263 — CVSS 5.3 (medium): A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the…
CVE-2025-3777 — CVSS 3.5 (low): Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file…