CVE-2026-47748: stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Ima
Summary
stable-diffusion.cpp is a C/C++ library for running image generation models. Versions before master-584-0a7ae07 have an out-of-bounds read (a bug where the program accesses memory beyond its allocated space) when parsing .ckpt checkpoint files (model weight files saved in a specific format). A specially crafted or incomplete .ckpt file could crash the program or cause security issues if loaded from an untrusted source like a public model-sharing website.
Solution / Mitigation
Update to version master-584-0a7ae07 or later. If immediate updating is not possible, avoid loading .ckpt files from untrusted sources and use safer formats such as .safetensors instead.
Vulnerability Details
CVSS score: 5.5 (medium)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack vector: local
Attack complexity: low
Privileges required: none
User interaction: required
June 16, 2026
Classification
Affected Vendors
Related Issues
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-47748
First tracked: June 17, 2026 at 08:03 AM
Classified by LLM (prompt v3) · confidence: 92%