Critical Hugging Face Transformers flaw ran attacker code on a routine model load

Pluto Security Inc. today disclosed a critical remote code execution vulnerability in Hugging Face Inc.’s Transformers library that allowed attacker-controlled artificial intelligence models to run arbitrary code on a victim’s machine. The flaw fired through a standard model-loading command, even for organizations that followed Hugging Face’s recommended security guidance. Tracked as CVE-2026-4372, the flaw defeated trust_remote_code=False, […] The post Critical Hugging Face Transformers flaw ran attacker code on a routine model load appeared first on SiliconANGLE .