Vendor
LMDeploy versions 0.12.3 and older are vulnerable to arbitrary code execution (CVE-2026-46432) due to the application hardcoding `trust_remote_code=True` when loading HuggingFace models, allowing an attacker to execute arbitrary Python code during model initialization.
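A source audit for the pattern described above, as an added example that is not LMDeploy's code or its fix: it walks a Python AST and reports calls that pin `trust_remote_code=True` as a literal, while ignoring calls that forward a caller-supplied value. The sample source, the function names and the `<sample>` filename are constructed for illustration.

```python
import ast

# Constructed sample source (not LMDeploy code): one hardcoded call, one
# call that forwards the caller's choice, one dict-unpacked hardcoded flag.
SAMPLE = '''
from transformers import AutoConfig, AutoModelForCausalLM

def load_unsafe(path):
    return AutoModelForCausalLM.from_pretrained(path, trust_remote_code=True)

def load_configurable(path, trust_remote_code=False):
    return AutoConfig.from_pretrained(path, trust_remote_code=trust_remote_code)

def load_kwargs(path):
    return AutoConfig.from_pretrained(path, **{"trust_remote_code": True})
'''

FLAG = "trust_remote_code"

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def find_hardcoded_trust(source, filename="<sample>"):
    """Return (filename, line, callee) for calls that pin trust_remote_code=True."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            hit = False
            if kw.arg == FLAG:
                hit = _is_true(kw.value)
            elif kw.arg is None and isinstance(kw.value, ast.Dict):
                # **{"trust_remote_code": True} unpacked into the call
                hit = any(
                    isinstance(k, ast.Constant) and k.value == FLAG and _is_true(v)
                    for k, v in zip(kw.value.keys, kw.value.values)
                )
            if hit:
                findings.append((filename, node.lineno, ast.unparse(node.func)))
    return sorted(findings)

if __name__ == "__main__":
    for fname, line, call in find_hardcoded_trust(SAMPLE):
        print(f"{fname}:{line}: {call}() hardcodes {FLAG}=True")
```

The check is syntactic: a flag set through an intermediate variable or a config default is not reported, so a clean result does not prove the loader is safe.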