Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Transformers

Source -

CNA

CNA CVEs -

11

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
11Vulnerabilities found
CVE-2025-14930
Assigner-Trend Micro, Inc.
ShareView Details
Assigner-Trend Micro, Inc.
CVSS Score-7.8||HIGH
EPSS-0.48% / 65.38%
||
7 Day CHG~0.00%
Published-23 Dec, 2025 | 21:04
Updated-21 Jan, 2026 | 21:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of weights. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28309.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-14928
Assigner-Trend Micro, Inc.
ShareView Details
Assigner-Trend Micro, Inc.
CVSS Score-7.8||HIGH
EPSS-0.07% / 22.16%
||
7 Day CHG~0.00%
Published-23 Dec, 2025 | 21:04
Updated-21 Jan, 2026 | 16:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability

Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28253.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-14924
Assigner-Trend Micro, Inc.
ShareView Details
Assigner-Trend Micro, Inc.
CVSS Score-7.8||HIGH
EPSS-0.48% / 65.38%
||
7 Day CHG~0.00%
Published-23 Dec, 2025 | 21:04
Updated-15 Jan, 2026 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers megatron_gpt2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27984.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-14920
Assigner-Trend Micro, Inc.
ShareView Details
Assigner-Trend Micro, Inc.
CVSS Score-7.8||HIGH
EPSS-0.48% / 65.38%
||
7 Day CHG~0.00%
Published-23 Dec, 2025 | 21:04
Updated-21 Jan, 2026 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25423.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-14926
Assigner-Trend Micro, Inc.
ShareView Details
Assigner-Trend Micro, Inc.
CVSS Score-7.8||HIGH
EPSS-0.07% / 22.16%
||
7 Day CHG~0.00%
Published-23 Dec, 2025 | 21:04
Updated-15 Jan, 2026 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability

Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28251.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-14927
Assigner-Trend Micro, Inc.
ShareView Details
Assigner-Trend Micro, Inc.
CVSS Score-7.8||HIGH
EPSS-0.07% / 22.16%
||
7 Day CHG~0.00%
Published-23 Dec, 2025 | 21:04
Updated-15 Jan, 2026 | 16:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability

Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The specific flaw exists within the convert_config function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current user. . Was ZDI-CAN-28252.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2025-14921
Assigner-Trend Micro, Inc.
ShareView Details
Assigner-Trend Micro, Inc.
CVSS Score-7.8||HIGH
EPSS-0.48% / 65.38%
||
7 Day CHG~0.00%
Published-23 Dec, 2025 | 21:04
Updated-21 Jan, 2026 | 16:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25424.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-14929
Assigner-Trend Micro, Inc.
ShareView Details
Assigner-Trend Micro, Inc.
CVSS Score-7.8||HIGH
EPSS-0.23% / 46.45%
||
7 Day CHG~0.00%
Published-23 Dec, 2025 | 21:04
Updated-21 Jan, 2026 | 16:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of checkpoints. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28308.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-11394
Assigner-Zero Day Initiative
ShareView Details
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-65.05% / 98.50%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 21:23
Updated-10 Feb, 2025 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-11393
Assigner-Zero Day Initiative
ShareView Details
Assigner-Zero Day Initiative
CVSS Score-8.8||HIGH
EPSS-79.53% / 99.11%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 21:23
Updated-10 Feb, 2025 | 22:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.

Action-Not Available
Vendor-huggingfaceHugging Face
Product-transformersTransformers
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-11392
Assigner-Zero Day Initiative
ShareView Details
Assigner-Zero Day Initiative
CVSS Score-7.5||HIGH
EPSS-59.29% / 98.28%
||
7 Day CHG~0.00%
Published-22 Nov, 2024 | 21:23
Updated-10 Feb, 2025 | 22:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability

Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.

Action-Not Available
Vendor-huggingfaceHugging Facehuggingface
Product-transformersTransformerstransformers
CWE ID-CWE-502
Deserialization of Untrusted Data