What is CVE-2026-5241?

CVE-2026-5241 is a critical-severity vulnerability in Huggingface Huggingface/transformers, classified under Inclusion of Functionality from Untrusted Control Sphere. CVSS score: 9.6/10. Published 2026-06-03.

How severe is CVE-2026-5241?

Critical severity. CVSS v3 base score is 9.6 out of 10.

Vulnerability in Huggingface Huggingface/transformers

CVE-2026-5241

A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. The issue arises because the `trust_remote_…

EPSS: 0.001 (21.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.6 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

Affected products

Huggingface Huggingface/transformers — versions unspecified
Huggingface Transformers — versions 5.2.0

Weakness classification (CWE)

CWE-829 — Inclusion of Functionality from Untrusted Control Sphere

References

security@huntr.dev (Patch)
security@huntr.dev (Exploit, Third Party Advisory)

Frequently asked questions

What is CVE-2026-5241?: CVE-2026-5241 is a critical-severity vulnerability in Huggingface Huggingface/transformers, classified under Inclusion of Functionality from Untrusted Control Sphere. CVSS score: 9.6/10. Published 2026-06-03.
How severe is CVE-2026-5241?: Critical severity. CVSS v3 base score is 9.6 out of 10.