Signal

Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

Evidence first: scan the strongest sources, then decide whether to go deeper.

Published 2026-04-27 23:43 UTCUpdated 2026-04-28 11:18 UTC

rss

securitycritical_unpatched_flaw

Source links open

Source links and full evidence are open here. Archive history, compare-over-time, alerts, exports, API, integrations, and workflow are paid.

Back Evidence (2)Get the free brief by email Start free trial

No card needed for the free brief.

Evidence trail (top sources)

top sources (2 domains)

2 top sources shown

Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

The Hacker News · News · thehackernews.com · 2026-04-28 11:18 UTC

LMDeploy vulnerability exploited, highlighting AI infrastructure risks

SC Media · News · scworld.com · 2026-04-27 23:43 UTC

limited source diversity in top sources

View all evidence

Overview

The SSRF vulnerability resides within LMDeploy's vision-language module, specifically in the load_image function, which fails to validate internal or private IP addresses when fetching URLs.

Score total

0.96

Momentum 24h

Posts

Origins

Source types

Duplicate ratio

All evidence

Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

The Hacker News · thehackernews.com · 2026-04-28 11:18 UTC

LMDeploy vulnerability exploited, highlighting AI infrastructure risks

SC Media · scworld.com · 2026-04-27 23:43 UTC

Show filters & breakdown

Posts loaded: 0Publishers: 2Origin domains: 2Duplicates: -

Platform

Publisher

Origin domain

Relevance tier

Duplicates only

Showing 2 / 0

Top publishers (this list)

The Hacker News (1)
SC Media (1)

Top origin domains (this list)

thehackernews.com (1)
scworld.com (1)