Product
LMDeploy versions 0.12.3 and older are vulnerable to arbitrary code execution (CVE-2026-46432) due to the application hardcoding `trust_remote_code=True` when loading HuggingFace models, allowing an attacker to execute arbitrary Python code during model initialization.