OpenMed RCE via Malicious Hugging Face Model Loading (CVE-2026-47117)
2 rules, 1 TTP
OpenMed before 1.5.2 is vulnerable to remote code execution (CVE-2026-47117) due to broad substring matching in the PII privacy-filter model loading path, allowing an unauthenticated attacker to execute arbitrary code by supplying a malicious Hugging Face model repository containing custom Transformers code.
LMDeploy Hardcoded trust_remote_code Enables Remote Code Execution (CVE-2026-46517)
2 rules, 2 TTPs, 1 IOC
LMDeploy <= 0.12.3 is vulnerable to remote code execution (CVE-2026-46517) because it hardcodes `trust_remote_code=True` when calling `transformers.AutoConfig.from_pretrained()`, allowing a malicious Hugging Face repository to execute arbitrary Python code when loaded, with no way for the user to opt out.
Diffusers TOCTOU Vulnerability Leads to Remote Code Execution
2 rules, 1 TTP
A Time-of-Check Time-of-Use (TOCTOU) vulnerability in the `diffusers` package allows arbitrary code execution via a race condition when loading pipelines from the Hugging Face Hub, bypassing trust checks.
Malicious Hugging Face Repository Distributes Information Stealer
2 rules, 21 TTPs, 1 IOC
A malicious repository on Hugging Face, impersonating OpenAI's 'Privacy Filter' project, distributed information-stealing malware to Windows users by executing a PowerShell command that downloads and runs a Rust-based infostealer, which exfiltrates collected data to a command-and-control server.
Malware Distribution via Hugging Face and ClawHub
2 rules, 1 TTP
Threat actors are using social engineering to distribute malware via AI distribution platforms such as Hugging Face and ClawHub by tricking users into downloading malicious files, which leads to malware infections on Windows, macOS, Linux, and Android systems.