Diffusers is a library for pretrained diffusion models. Prior to 0.38.0, diffusers 0.37.0 allows remote code execution without the trust_remote_code=True safeguard when loading pipelines from Hugging Face Hub repositories. The _resolve_custom_pipeline_and_cls function in pipeline_loading_utils.py performs string interpolation on the custom_pipeline parameter using f"{custom_pipeline}.py". When custom_pipeline is not supplied by the user, it defaults to None, which Python interpolates as the literal string "None.py". If an attacker publishes a Hub repository containing a file named None.py with a class that subclasses DiffusionPipeline, the file is automatically downloaded and executed during a standard DiffusionPipeline.from_pretrained() call with no additional keyword arguments. The trust_remote_code check in DiffusionPipeline.download() is bypassed because it evaluates custom_pipeline is not None as False (since the kwarg was never supplied), while the downstream code path that actually loads the module resolves the None value into a valid filename. An attacker can achieve silent arbitrary code execution by publishing a malicious model repository with a None.py file and a standard-looking model_index.json that references a legitimate pipeline class name, requiring only that a victim calls from_pretrained on the repository. This vulnerability is fixed in 0.38.0.
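The following is an added illustration, not diffusers' own code: a hypothetical, simplified reconstruction of the filename resolution described above, placed beside a hardened variant that refuses to interpolate a missing parameter and enforces the trust_remote_code opt-in, plus two defensive checks (a None.py scan over a list of repository file names and a version gate). All function names are assumptions chosen for this example.

```python
"""Hypothetical reconstruction of the custom-pipeline filename bug (not diffusers code)."""
import re
from typing import Iterable, List, Optional

FIX_VERSION = (0, 38, 0)          # from the advisory: fixed in 0.38.0
SUSPICIOUS_FILENAME = "None.py"   # what f"{None}.py" evaluates to


def resolve_custom_pipeline_file_vulnerable(custom_pipeline: Optional[str]) -> str:
    # Pre-0.38.0 behaviour as described: unconditional interpolation, so a
    # parameter that was never supplied (None) still yields a loadable filename.
    return f"{custom_pipeline}.py"


def resolve_custom_pipeline_file_fixed(
    custom_pipeline: Optional[str], trust_remote_code: bool = False
) -> Optional[str]:
    # Hardened variant: no custom pipeline requested means no module to fetch,
    # and an explicit request still requires the trust_remote_code opt-in.
    if custom_pipeline is None:
        return None
    if not trust_remote_code:
        raise ValueError("custom pipeline code requires trust_remote_code=True")
    return f"{custom_pipeline}.py"


def flag_suspicious_files(repo_files: Iterable[str]) -> List[str]:
    # Defensive audit over a repository's file listing (e.g. from a local
    # snapshot or a Hub listing): a legitimate model repo has no reason to
    # ship a file literally named None.py at any depth.
    return sorted(f for f in repo_files if f.split("/")[-1] == SUSPICIOUS_FILENAME)


def is_vulnerable_version(version: str) -> bool:
    # True when the installed diffusers version predates the 0.38.0 fix.
    # Pre-release suffixes such as "0.37.0.dev0" are tolerated by keeping
    # only the leading digits of each of the first three components.
    parts = []
    for component in version.split(".")[:3]:
        digits = re.match(r"\d*", component).group(0)
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) < FIX_VERSION


if __name__ == "__main__":
    # Constructed sample listing resembling the malicious repo layout described.
    sample_repo = ["model_index.json", "None.py", "unet/config.json"]
    print(resolve_custom_pipeline_file_vulnerable(None))   # None.py
    print(flag_suspicious_files(sample_repo))              # ['None.py']
    print(is_vulnerable_version("0.37.0"), is_vulnerable_version("0.38.0"))
```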