← signals
2026-07-17·HUGGINGFACE·security risk
meddown

On July 7, 2026, the Open Source Vulnerabilities (OSV) database published a batch of CVEs targeting Hugging Face's...

On July 7, 2026, the Open Source Vulnerabilities (OSV) database published a batch of CVEs targeting Hugging Face's Transformers library.

window 15devidence 88confidence score 100

confidence score

Strong evidence: 3 independent source classes support this read.

100
medium confidence3 independent source classesotherpasses publish gate

signal brief

On July 7, 2026, the Open Source Vulnerabilities (OSV) database published a batch of CVEs targeting Hugging Face's Transformers library. The advisories (PYSEC-2026-1977 through 1988) detail multiple Regular Expression Denial of Service (ReDoS) vulnerabilities and a deserialization flaw. Specific vulnerable components include the DonutProcessor class, SETTING_RE variable, AdamWeightDecay optimizer, MarianTokenizer, get_imports() function, and get_configuration_file. One advisory notes a username injection vulnerability via improper input validation. These vulnerabilities could allow attackers to cause denial of service or execute untrusted code. The disclosures come shortly before the release of transformers 5.14.1 on July 16, suggesting patches may be included. However, the publication of multiple CVEs in a short period erodes trust in the library's security posture and may prompt users to evaluate alternatives or apply urgent updates, impacting HuggingFace's reputation in the AI infrastructure ecosystem.

What the sources said:

  • PYSEC-2026-1977: "Transformers is vulnerable to ReDoS attack through its DonutProcessor class"
  • PYSEC-2026-1981: "Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer"
  • PYSEC-2026-1986: "Transformers's Improper Input Validation vulnerability can be exploited through username injection"

source data used

Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.