← signals
2026-07-08·HUGGINGFACE·security vulnerability cluster
meddown

On July 7, 2026, multiple OSV advisories (PYSEC-2026-1977 through PYSEC-2026-1988) were published detailing...

On July 7, 2026, multiple OSV advisories (PYSEC-2026-1977 through PYSEC-2026-1988) were published detailing vulnerabilities in the Hugging Face Transformers library.

window 15devidence 87confidence score 100

confidence score

Strong evidence: 3 independent source classes support this read.

100
medium confidence3 independent source classesotherpasses publish gate

signal brief

On July 7, 2026, multiple OSV advisories (PYSEC-2026-1977 through PYSEC-2026-1988) were published detailing vulnerabilities in the Hugging Face Transformers library. These include ReDoS attacks via the DonutProcessor class (CVE-2025-3933), deserialization of untrusted data (CVE-2024-3568), and several other ReDoS and input validation issues (CVE-2025-3262, CVE-2025-6921, CVE-2025-6638, CVE-2024-12720, CVE-2025-5197, CVE-2025-1194, CVE-2025-3264, CVE-2025-3777, CVE-2025-3263, CVE-2025-6051). The transformers library is fundamental to Hugging Face's ecosystem, used for model definition and inference across text, vision, and audio. These vulnerabilities could allow denial of service, arbitrary code execution, or data leakage. A new version 5.13.0 was released on July 3, but the advisories were published on July 7 and may not have been patched yet. This cluster of CVEs may erode developer trust and prompt urgent upgrades, potentially impacting Hugging Face's reputation and usage. The disclosed vulnerabilities were published by OSV, a well-known vulnerability database, lending credibility to the reports.

What the sources said:

source data used

Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.