Transformers Vulnerabilities

pip ML Libraries

AI Threat Alert tracks 35 known vulnerabilities in Transformers, 4 rated critical — an AI/ML ml libraries in the pip ecosystem. Each CVE includes CVSS severity, EPSS exploit probability, patch status, and CISO-grade analysis.

Data sources
62
Risk Score
35
Total CVEs
4
Critical
pip
Ecosystem
Jun 23, 2026
Last CVE
42%
Patch Rate
87d
Avg Time to Patch
161,977 stars 33,622 forks 2,464 issues 8,333 dependents Last push Jun 28, 2026
View on GitHub
OpenSSF Scorecard 6.5/10

Known Vulnerabilities (35 total, page 1 of 2)

Severity CVE ID Summary CVSS Published
HIGH CVE-2026-4372 HuggingFace transformers vulnerable to remote code execution 7.8 May 26, 2026 LOW CVE-2026-55542 Snipe-IT: auth bypass exposes S3 signature image URLs -- Jun 23, 2026 CRITICAL CVE-2026-26210 KTransformers: pickle RCE via unauthenticated ZMQ socket 9.8 Apr 23, 2026 CRITICAL CVE-2026-5241 transformers: trust_remote_code bypass enables RCE via model load 9.6 Jun 3, 2026 CRITICAL CVE-2026-47117 OpenMed: RCE via trust_remote_code model loading 9.8 Jun 2, 2026 HIGH CVE-2026-46432 lmdeploy: hardcoded trust_remote_code enables RCE 7.8 May 21, 2026 MEDIUM CVE-2026-7669 SGLang: deserialization in tokenizer loader enables RCE 5.6 May 2, 2026 MEDIUM CVE-2026-1839 HuggingFace Transformers: RCE via malicious checkpoint load 6.5 Apr 7, 2026 UNKNOWN CVE-2025-14930 transformers: Deserialization enables RCE -- Dec 23, 2025 UNKNOWN CVE-2025-14929 transformers: Deserialization enables RCE -- Dec 23, 2025 UNKNOWN CVE-2025-14928 transformers: Code Injection enables RCE -- Dec 23, 2025 UNKNOWN CVE-2025-14927 transformers: Code Injection enables RCE -- Dec 23, 2025 UNKNOWN CVE-2025-14926 transformers: Code Injection enables RCE -- Dec 23, 2025 UNKNOWN CVE-2025-14924 transformers: Deserialization enables RCE -- Dec 23, 2025 UNKNOWN CVE-2025-14921 transformers: Deserialization enables RCE -- Dec 23, 2025 UNKNOWN CVE-2025-14920 transformers: Deserialization enables RCE -- Dec 23, 2025 HIGH CVE-2025-6921 Transformers: ReDoS in optimizer halts training pipelines 7.5 Sep 23, 2025 MEDIUM CVE-2025-6051 Transformers: ReDoS in EnglishNormalizer exhausts CPU 5.3 Sep 14, 2025 HIGH CVE-2025-6638 HuggingFace Transformers: ReDoS in MarianTokenizer 7.5 Sep 12, 2025 MEDIUM CVE-2025-5197 Transformers: ReDoS in TF-to-PyTorch weight converter 5.3 Aug 6, 2025 MEDIUM CVE-2025-3933 Transformers: ReDoS in DonutProcessor causes DoS 5.3 Jul 11, 2025 LOW CVE-2025-3777 Transformers: URL validation bypass exposes image pipeline 3.5 Jul 7, 2025 MEDIUM CVE-2025-3264 Transformers: ReDoS in dynamic module loader causes DoS 5.3 Jul 7, 2025 MEDIUM CVE-2025-3263 Transformers: ReDoS in config loader causes serving DoS 5.3 Jul 7, 2025 HIGH CVE-2025-3262 Transformers: ReDoS in chat.py causes CPU exhaustion 7.5 Jul 7, 2025

Showing 1–25 of 35

Frequently asked questions

What is Transformers?

Transformers is an AI/ML ml libraries tracked by AI Threat Alert for security vulnerabilities in the pip ecosystem.

How many known vulnerabilities does Transformers have?

Transformers has 35 known CVEs, 4 of them critical, tracked from NVD and GitHub Advisory.

Which ecosystem is Transformers distributed in?

Transformers is distributed via the pip ecosystem and categorized as ml libraries.

Where does the Transformers vulnerability data come from?

Vulnerability data is sourced from NVD and GitHub Advisory, enriched with CVSS, EPSS, exploit signals, and patch status for each CVE.

How do I assess the risk of Transformers?

Review each CVE below — every entry shows CVSS severity, EPSS exploit probability, exploitation signals, and whether a patched version is available.

Monitor Transformers in your stack

Get instant alerts when new vulnerabilities affect Transformers. CISO analysis, ATLAS technique mappings, and compliance reports included.

Start Monitoring