CVE-2026-0599: A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploi
Summary
A vulnerability in huggingface/text-generation-inference version 3.3.6 allows attackers without authentication to crash servers by sending images in requests. The problem occurs because the software downloads entire image files into memory when checking inputs for Markdown image links (a way to embed images in text), even if it will later reject the request, causing the system to run out of memory, bandwidth, or CPU power.
Solution / Mitigation
The issue is resolved in version 3.3.7.
Vulnerability Details
EPSS: 0.1%
Classification
Affected Vendors
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2026-26190: Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus expose
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-0599
First tracked: February 15, 2026 at 08:44 PM
Classified by LLM (prompt v3) · confidence: 95%