← signals
2026-07-09·HUGGINGFACE·security risk
lowdown

On July 7, 2026, Open Source Vulnerabilities (OSV) published 11 advisories (PYSEC-2026-1977 through PYSEC-2026-1988)...

On July 7, 2026, Open Source Vulnerabilities (OSV) published 11 advisories (PYSEC-2026-1977 through PYSEC-2026-1988) detailing CVEs in the Hugging Face Transformers library.

window 15devidence 88confidence score 100

confidence score

Strong evidence: 3 independent source classes support this read.

100
low confidence3 independent source classesotherpasses publish gate

signal brief

On July 7, 2026, Open Source Vulnerabilities (OSV) published 11 advisories (PYSEC-2026-1977 through PYSEC-2026-1988) detailing CVEs in the Hugging Face Transformers library. These include Regular Expression Denial of Service (ReDoS) vulnerabilities in components such as DonutProcessor, SETTING_RE, AdamWeightDecay optimizer, MarianTokenizer, and get_imports(), as well as a Deserialization of Untrusted Data vulnerability (CVE-2024-3568) and an Improper Input Validation vulnerability via username injection (CVE-2025-3777). The advisories were issued just four days after the release of Transformers 5.13.0 on July 3, which does not address these vulnerabilities. This cluster of security flaws poses risks to users of the Transformers library, potentially enabling denial of service or arbitrary code execution in affected deployments. Given the central role of Transformers in the Hugging Face ecosystem, these vulnerabilities could undermine user trust and increase operational security burdens for the platform.

What the sources said

  • Source 76 (PyPI): "Transformers: the model-definition framework for state-of-the-art machine learning models..." (release of v5.13.0 on July 3).
  • Source 77 (OSV): "Transformers is vulnerable to ReDoS attack through its DonutProcessor class" (CVE-2025-3933).
  • Source 78 (OSV): "Transformers Deserialization of Untrusted Data vulnerability" (CVE-2024-3568).
  • Source 87 (OSV): "Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking" (CVE-2025-3263).

source data used

Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.