huggingface / transformers
Project repository
🤗 Transformers: State-of-the-art Machine Learning for Pytorch, TensorFlow, and JAX.
FIRST INTERACTION: WITHIN N/A DAYS
REVIEW: WITHIN 15 DAYS
FIX: WITHIN 90 DAYS
Test: RCE in parakeet YAML FullLoader
Apr 7th 2026
radikhoroshev
•
self closed
SSRF via unvalidated image URL in transformers serve CLI (/v1/chat/completions)
Apr 1st 2026
minicoai
•
self closed
TOCTOU in Remote Code Loading
Apr 2nd 2026
zafido
•
informative
High
Arbitrary Code Execution via Unsafe torch.load() in Multiple Conversion Scripts
Apr 2nd 2026
0xbassia
•
informative
High
Arbitrary Code Execution via torch.load(weights_only=False) in Conversion Script...
Apr 2nd 2026
seory0
•
informative
High
Unsafe torch.load() Deserialization in Newest Model Converters (edgetam_video, m...
Apr 2nd 2026
nhomyk
•
informative
High
Systemic RCE via Insecure torch.load in Transformers Model Conversion Utilities
Apr 2nd 2026
ccwlester26
•
informative
Critical
SSRF via unvalidated HTTP redirects in httpx.get() across 10 sinks (load_image,...
Mar 19th 2026
gengyscan
•
duplicate
High
Arbitrary Code Execution via `eval()` in SEW checkpoint conversion script
Apr 2nd 2026
buttergolemcode
•
informative
High
Unsafe torch.load() in 8 HuggingFace Transformers Convert Scripts Enables RCE vi...
Mar 18th 2026
odysseypro25-project
•
duplicate
High
Unsafe torch.load() in 3 HuggingFace Transformers Convert Scripts Enables RCE vi...
Mar 18th 2026
odysseypro25-project
•
informative
High
Unsafe torch.load() Across 8 Convert Scripts in HuggingFace Transformers Enables...
Mar 18th 2026
odysseypro25-project
•
self closed
RCE via torch.load() without weights_only=True in convert_dia/eomt/janus scripts...
Mar 18th 2026
theoddesseyp-ai
•
informative
High
Pickle RCE in convert_maskformer_resnet_to_pytorch.py — pickle.load() on User-Su...
Mar 18th 2026
theoddesseyp-ai
•
informative
High
Pickle RCE in convert_maskformer_swin_to_pytorch.py — pickle.load() on User-Supp...
Mar 18th 2026
theoddesseyp-ai
•
informative
High
convert_csm.py and convert_higgs_audio_v2_tokenizer_to_hf.py Use cached_file() t...
Mar 18th 2026
theoddesseyp-ai
•
informative
High
Transformers convert_dia_to_hf.py, convert_janus_weights_to_hf.py, convert_eomt_...
Mar 18th 2026
theoddesseyp-ai
•
informative
High
Transformers convert_csm.py and convert_higgs_audio_v2_tokenizer_to_hf.py use ca...
Mar 18th 2026
theoddesseyp-ai
•
informative
High
Arbitrary Code Execution via Explicit torch.load(weights_only=False) in GLM4V an...
Mar 18th 2026
theoddesseyp-ai
•
informative
High
Arbitrary Code Execution via torch.load() Without weights_only in SAM2 and EdgeT...
Mar 18th 2026
theoddesseyp-ai
•
duplicate
High
Arbitrary Code Execution via torch.load(weights_only=False) in Multiple convert_...
Mar 18th 2026
theoddesseyp-ai
•
duplicate
High
Pickle RCE in convert_maskformer_resnet_to_pytorch.py via --checkpoint_path
Mar 18th 2026
theoddesseyp-ai
•
informative
High
Unsafe torch.load without weights_only=True in 100+ conversion scripts enables R...
Mar 18th 2026
narrator3333-hash
•
duplicate
High
Unsafe torch.load() without weights_only=True in 20+ Model Conversion Scripts (A...
Mar 16th 2026
elucidator-hky
•
self closed
Arbitrary code execution via eval() on model config data in Hubert, SEW, and SEW...
Mar 16th 2026
elucidator-hky
•
self closed
Remote Code Execution via unsafe torch.load() without weights_only=True in multi...
Mar 16th 2026
elucidator-hky
•
self closed
Path Traversal via tarfile.extractall() in parakeet convert_nemo_to_hf.py allows...
Mar 16th 2026
elucidator-hky
•
self closed
Arbitrary Code Execution via Unsafe torch.load() in 27+ Model Converter Scripts
Mar 18th 2026
appsecguardian-hash
•
informative
High
Arbitrary Code Execution via Unsafe torch.load() in Perception LM Conversion Scr...
Mar 18th 2026
marcuschendev-cell
•
informative
High
Arbitrary Code Execution via Unsafe torch.load() in Dia Conversion Script
Mar 18th 2026
marcuschendev-cell
•
informative
High
Arbitrary Code Execution via Unsafe torch.load() in Pixio Conversion Script
Mar 18th 2026
marcuschendev-cell
•
informative
High
Arbitrary Code Execution via Unsafe torch.load() in DINOv3-ConvNeXt Conversion S...
Mar 18th 2026
marcuschendev-cell
•
informative
High
Arbitrary Code Execution via Unsafe torch.load() in EoMT-DINOv3 Conversion Scrip...
Mar 18th 2026
marcuschendev-cell
•
informative
High
Arbitrary Code Execution via Unsafe torch.load() in EoMT Conversion Script (2 oc...
Mar 18th 2026
marcuschendev-cell
•
informative
High
Arbitrary Code Execution via Unsafe torch.load() in EdgeTAM Video Conversion Scr...
Mar 18th 2026
marcuschendev-cell
•
informative
High
Arbitrary Code Execution via Unsafe torch.load() in EdgeTAM Conversion Script
Mar 18th 2026
marcuschendev-cell
•
informative
High
Arbitrary Code Execution via Unsafe torch.load() in SAM3 Video Conversion Script
Mar 18th 2026
marcuschendev-cell
•
informative
High
Arbitrary Code Execution via Unsafe torch.load() in SAM3 Conversion Script
Mar 18th 2026
marcuschendev-cell
•
informative
None
Arbitrary Code Execution via Unsafe torch.load() in CSM Conversion Script
Mar 18th 2026
marcuschendev-cell
•
informative
None
Arbitrary Code Execution via Unsafe torch.load() and pickle.load() in NanoChat C...
Mar 18th 2026
marcuschendev-cell
•
informative
High
Unsafe Deserialization via bare torch.load in Transformers model loading utiliti...
Mar 19th 2026
etwithin
•
informative
High
Transformers SSRF via Unvalidated URL Fetching in Media Loading Functions - Acce...
Mar 3rd 2026
avienma007
•
duplicate
Critical
Transformers SSRF via Unrestricted URL Fetching in Image/Video/Audio Pipelines
Mar 1st 2026
avienma007
•
self closed
Arbitrary Code Execution via Unguarded pickle.load() in Nanochat Converter
Feb 28th 2026
farouq7399
•
duplicate
High
RCE via explicit weights_only=False on remotely downloaded checkpoint in Higgs A...
Feb 28th 2026
avienma007
•
duplicate
Critical
RCE via torch.load() without weights_only=True in Multiple Conversion Scripts (w...
Feb 28th 2026
avienma007
•
self closed
Remote Code Execution via eval() in SEW-D Model Conversion Script
Feb 28th 2026
avienma007
•
duplicate
Critical
Remote Code Execution via unsafe pickle.load() and torch.load(weights_only=False...
Feb 27th 2026
avienma007
•
duplicate
High
Remote Code Execution via eval() in SEW-D Model Conversion Script
Feb 27th 2026
avienma007
•
duplicate
Critical
Tar Path Traversal in NeMo Model Converter Scripts Allows Arbitrary File Write
Feb 26th 2026
jeremysommerfeld8910-cpu
•
self closed
Tar Path Traversal in NeMo Model Converter Scripts Allows Arbitrary File Write
Feb 26th 2026
jeremysommerfeld8910-cpu
•
self closed
Tar Path Traversal in NeMo Model Converter Scripts Allows Arbitrary File Write
Feb 26th 2026
jeremysommerfeld8910-cpu
•
self closed
Tar Path Traversal in NeMo Model Converter Scripts Allows Arbitrary File Write
Feb 26th 2026
jeremysommerfeld8910-cpu
•
self closed
Tar Path Traversal in NeMo Model Converter Scripts Allows Arbitrary File Write
Feb 26th 2026
jeremysommerfeld8910-cpu
•
self closed
Tar path traversal via extractall() in NeMo model converter enables arbitrary fi...
Feb 26th 2026
jeremysommerfeld8910-cpu
•
self closed
Remote code execution via Hub kernel loading without trust_remote_code gate in a...
Feb 26th 2026
jeremysommerfeld8910-cpu
•
self closed
Regular expression Denial of Service - ReDoS
Feb 23rd 2026
0xmanan
•
duplicate
Medium
Unsafe torch.load() and pickle.load() without TRUST_REMOTE_CODE gate in convert_...
Feb 22nd 2026
mertsatilmaz
•
duplicate
High
Path Traversal via tar.extractall() in convert_nemo_to_hf.py allows arbitrary fi...
Feb 22nd 2026
mertsatilmaz
•
duplicate
Medium
Unsafe torch.load() without weights_only=True in multiple new model conversion s...
Feb 21st 2026
optimus-fulcria
•
duplicate
High
Remote Code Execution via Insecure Deserialization in PatchTST/Trainer
Feb 20th 2026
samidsakib-max
•
duplicate
High
Runtime pickle.load() RCE on HuggingFace Hub Data in RAG Retrieval Module
Feb 19th 2026
morecitricacid-coder
•
duplicate
None
SSRF in image/video/audio loading — 13+ pipeline classes fetch arbitrary user-su...
Mar 3rd 2026
wuqingyi20
•
duplicate
Critical
`trust_remote_code=False` Bypass in LightGlue Nested Config Loading Leads to Rem...
Feb 27th 2026
kimchikingdom
•
duplicate
Critical
`trust_remote_code=False` Is Ignored in LightGlue Nested Config Loading (Explici...
Feb 18th 2026
kimchikingdom
•
self closed
Runtime pickle.load() on HuggingFace Hub Data in RAG Retrieval Module
Apr 2nd 2026
morecitricacid-coder
•
informative
High
Arbitrary Code Execution via unsafe eval() in distilHuBERT converter (convert_di...
Feb 16th 2026
kimchikingdom
•
duplicate
High
Missing TRUST_REMOTE_CODE Protection in nanochat Conversion Script Allows RCE vi...
Feb 16th 2026
loris4py
•
duplicate
High
Unsafe Pickle Deserialization in TextDataset Cache Loading (No TRUST_REMOTE_CODE...
Feb 16th 2026
yuvalelbar6
•
self closed
Arbitrary File Write in 'QuantizationConfig' (transformers)
Feb 16th 2026
yuvalelbar6
•
self closed
Arbitrary Code Execution (ACE) via Unsafe eval() in SEW/SEW-D Conversion Scripts
Feb 16th 2026
catalyzer9867
•
duplicate
Critical
Arbitrary Code Execution via Unsafe Deserialization in GLM4v Weight Conversion
Feb 16th 2026
catalyzer9867
•
duplicate
Critical
Server-Side Request Forgery (SSRF) via Video URL in load_video()
Mar 3rd 2026
galanzi2580-wq
•
duplicate
High
Arbitrary Code Execution via Insecure Deserialization of Pickle Files
Mar 19th 2026
sebas5207418
•
informative
Critical
Arbitrary Code Execution via Insecure Pickle Deserialization in Reformer Model C...
Feb 11th 2026
pasigwilmer
•
self closed
Denial of Service via Unbounded URL Fetch and SSRF in transformers serve Image P...
Mar 19th 2026
seory0
•
duplicate
High
Unsafe YAML Deserialization via FullLoader in conversion scripts
Apr 2nd 2026
squadan
•
informative
High
Remote Code Execution via eval() in checkpoint conversion scripts
Feb 7th 2026
squadan
•
duplicate
High
Transformers Model Converters Arbitrary Code Execution via torch.load()
Feb 16th 2026
responsiblereport10
•
duplicate
High
explicit weights_only=false in lw-detr converter enables rce via malicious chec...
Mar 19th 2026
1seal
•
informative
High
Unsafe tar extraction of Hub-downloaded .nemo archives enables Zip Slip arbitrar...
Feb 22nd 2026
theagentknownasren-gif
•
duplicate
None
SSRF in Transformers serve CLI VLM API image_url Parameter
Mar 3rd 2026
mia-718ai
•
duplicate
High
HuggingFace Transformers Hub Kernels Supply Chain Remote Code Execution (RCE)
Feb 23rd 2026
mia-718ai
•
duplicate
Critical
Arbitrary Code Execution via torch.hub.load in Transformers Conversion Scripts
Jan 30th 2026
l3ster1337
•
self closed
Deserialization of Untrusted Data leading to Remote Code Execution
Jan 30th 2026
l3ster1337
•
self closed
Arbitrary Code Execution via Unsafe torch.load(weights_only=False) in Model Conv...
Feb 27th 2026
sermikr0
•
duplicate
High
Path Traversal (Tarslip) in Hugging Face Transformers
Jan 9th 2026
locus-x64
•
duplicate
High
Arbitrary Code Execution via Unsafe Deserialization in convert_nanochat_checkpoi...
Jan 9th 2026
daddyjamwal
•
duplicate
High
Unpinned GenerationConfig downloads in Transformers CLI enable AI supply-chain p...
Apr 8th 2026
vlees46
•
pending
Arbitrary Code Execution via Unsafe torch.load() in Trainer Checkpoint Loading
Apr 7th 2026
colemurray
•
Medium
•
$125
•
CVE-2026-1839
Critical Remote Code Execution via Insecure Pickle Deserialization in HuggingFac...
Jan 6th 2026
abdallaabdalrhman
•
duplicate
Critical
Arbitrary Code Execution via Pickle Deserialization in TextDataset
Dec 25th 2025
vitalysim
•
duplicate
High
Arbitrary Code Execution via `eval()` in SEW-D Checkpoint Converter
Dec 23rd 2025
vitalysim
•
duplicate
High
Path Traversal (Arbitrary File Read) in Hugging Face Transformers GLUE Data Proc...
Apr 2nd 2026
stevenjulian1528
•
informative
Medium
Insecure Deserialization in RAG module's LegacyIndex allows Arbitrary Code Exe...
Jan 6th 2026
stevenjulian1528
•
duplicate
High
ZDI-CAN-28309: Hugging Face Transformers GLM4 Deserialization of Untrusted Data...
Dec 10th 2025
zdi-disclosures
•
duplicate
High
Remote Code Execution in Nanochat Converter via Unsafe Tokenizer Deserialization
Dec 8th 2025
jonnylitten
•
informative
High
Remote Code Execution via eval() in Fairseq Checkpoint Conversion Scripts
Nov 26th 2025
daridor9
•
duplicate
High
Exposed Hugging Face Hub Staging Token in Test Utilities
Nov 28th 2025
gyde04
•
informative
High
Exposed Hugging Face Hub Token in CircleCI Configuration
Nov 28th 2025
gyde04
•
informative
Critical
Arbitrary Directory Deletion via Symlink Attack in Transformers setup.py
Nov 17th 2025
manasharsh
•
informative
High
Remote Code Execution via unsafe torch.load() in LLaMA Weights Converter
Dec 8th 2025
daridor9
•
duplicate
High
Persistent Temp-File incomplete cleanup / resource exhaustion in `transformers`...
Feb 7th 2026
ava0-0sec
•
pending
Memory DoS in Doge Model MoE Layer
Nov 13th 2025
0xmrniko
•
informative
High
Downmix Implementation as Attack Vector Against Audio Transformer Models
Nov 13th 2025
kexinoh
•
informative
Medium
Malicious model on Hugging Face → Arbitrary File Write (TarSlip) in NeMo (Parake...
Nov 10th 2025
taiphung217
•
self closed
Critical RCE: Explicit weights_only=False in Megatron GPT-2 Checkpoint Converter
Nov 6th 2025
daridor9
•
duplicate
Critical
RCE via insecure pickle deserialization
Oct 22nd 2025
sonw-vh
•
informative
Critical
Path Traversal Vulnerability in HuggingFace Transformers Model Conversion Script...
Nov 3rd 2025
yousefabdelmohymen
•
informative
Medium
Path Traversal Leading to Arbitrary File Read
Jan 5th 2026
joelindra
•
informative
High
Path Traversal in Checkpoint Resumption
Feb 18th 2026
joelindra
•
informative
Critical
Server-Side Request Forgery (SSRF)
Jan 6th 2026
joelindra
•
informative
Critical
Insecure Deserialization leading to Remote Code Execution (RCE)
Nov 6th 2025
joelindra
•
duplicate
Critical
Path Traversal leading to Arbitrary File Write/Read
Jan 5th 2026
joelindra
•
informative
Critical
Division by Zero (Leading to Denial of Service)
Nov 17th 2025
joelindra
•
informative
High
Unsafe tarfile extraction allows directory traversal and arbitrary file overwrit...
Jan 5th 2026
slezzz
•
informative
High
Unsafe eval() usage in configuration parsing allows code execution
Nov 6th 2025
slezzz
•
duplicate
High
Unsafe torch.load() Without weights_only Parameter
Nov 6th 2025
slezzz
•
duplicate
High
Unrestricted CORS Configuration
Nov 18th 2025
swilliams9772
•
informative
Medium
Path Traversal in Archive Extraction (Zip/TarSlip)
Jan 5th 2026
swilliams9772
•
informative
High
Code Injection via Unsafe YAML Deserialization
Nov 6th 2025
swilliams9772
•
duplicate
Critical
CRITICAL: $1500
HIGH: $750
MEDIUM: $125
LOW: $20