← signals
2026-07-16·HUGGINGFACE·devtool trust
meddown

On July 7, 2026, the OSV database published 12 CVEs affecting Hugging Face's Transformers library (sources 77-88).

On July 7, 2026, the OSV database published 12 CVEs affecting Hugging Face's Transformers library (sources 77-88).

window 15devidence 88confidence score 100

confidence score

Strong evidence: 3 independent source classes support this read.

100
medium confidence3 independent source classesotherpasses publish gate

signal brief

On July 7, 2026, the OSV database published 12 CVEs affecting Hugging Face's Transformers library (sources 77-88). These include multiple Regular Expression Denial of Service (ReDoS) vulnerabilities (CVE-2025-3933, CVE-2025-3262, CVE-2025-6921, CVE-2025-6638, CVE-2025-5197, CVE-2025-1194, CVE-2025-3264, CVE-2025-3263) that can cause catastrophic backtracking, a deserialization vulnerability (CVE-2024-3568), and an input validation flaw (CVE-2025-3777). Together, these vulnerabilities expose users to denial-of-service attacks and untrusted data risks, undermining confidence in the library's security. Notably, a new release of Transformers (v5.14.0) was published on PyPI on July 15, 2026 (source 76), likely containing patches. However, the sheer volume of CVEs published in a single batch suggests a systemic security review, and the absence of explicit patch notes in the release metadata may leave users uncertain about which vulnerabilities are addressed. This cluster of advisories is a negative signal for developer trust and ecosystem security.

What the sources said:

  • Source 77: 'Transformers is vulnerable to ReDoS attack through its DonutProcessor class.'
  • Source 78: 'Transformers Deserialization of Untrusted Data vulnerability.'
  • Source 76: 'Transformers 5.14.0 released' (release date July 15, 2026, no explicit security note).
  • Source 86: 'Transformers's Improper Input Validation vulnerability can be exploited through username injection.'

source data used

Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.