{"data":{"id":"202b1d0a-a118-485b-bcfc-a7a89f23ada2","title":"CVE-2026-4944: vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in t","summary":"vLLM version 0.14.1 has a security flaw where a setting called `trust_remote_code` is permanently turned on in two model files, even when users try to turn it off. This allows RCE (remote code execution, where attackers can run harmful code on your computer) through malicious models downloaded from HuggingFace, a popular model repository. This is a partial fix attempt for two earlier vulnerabilities that didn't fully solve the problem.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-4944","publishedAt":"2026-05-28T19:16:42.677Z","cveId":"CVE-2026-4944","cweIds":["CWE-22"],"cvssScore":null,"cvssSeverity":null,"severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["vLLM","HuggingFace","NemotronVL","KimiK25"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-28T19:16:42.677Z","capecIds":["CAPEC-126"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"inference","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0010"]}}