Key Findings

- CVE-2026-25874 (CVSS 9.3) in Hugging Face LeRobot allows unauthenticated remote code execution via unsafe pickle deserialization.
- The vulnerability exists in the PolicyServer and robot client components, which exchange messages over unencrypted gRPC channels without TLS, so any network peer can reach the deserialization path.
- The flaw remains unpatched at the time of writing; a fix is planned for version 0.6.0.
- Nearly 24,000 GitHub stars indicate significant adoption despite the critical security issue.
- Attackers can steal credentials, compromise connected robots, and m
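To make the deserialization finding concrete, the following is an added example written for this page; it is not LeRobot's code, and the observation-message layout, the function names, and the allowlist policy are assumptions. It shows why a gRPC handler that calls pickle.loads on a peer-supplied message is remotely exploitable (a pickle can name any importable callable and have it invoked during load), plus two mitigations an engineer would reach for: a cheap opcode scan that flags payloads carrying GLOBAL/REDUCE-style opcodes before loading, and a restricted Unpickler that refuses to resolve any global. The payload here calls eval on a harmless expression so the demonstration has no side effects; a real payload would invoke os.system or similar.

```python
import io
import pickle
import pickletools

# Constructed observation message, shaped like what a robot client might send
# to a policy server (assumed layout, not LeRobot's wire format): only plain
# containers and scalars, which need no GLOBAL opcodes to pickle.
def build_observation(step: int) -> bytes:
    observation = {
        "step": step,
        "joint_positions": [0.1, 0.2, 0.3],
        "gripper": "open",
    }
    return pickle.dumps(observation, protocol=pickle.HIGHEST_PROTOCOL)


class Exploit:
    """Attacker-controlled object: unpickling it calls eval() on the receiver.

    eval with a harmless expression keeps this example side-effect free; the
    same __reduce__ hook could return (os.system, ("<shell command>",)).
    """

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_exploit() -> bytes:
    # The pickled bytes reference builtins.eval by name; no Exploit class is
    # needed on the receiving side.
    return pickle.dumps(Exploit(), protocol=pickle.HIGHEST_PROTOCOL)


def vulnerable_server_handler(raw: bytes):
    # What an unauthenticated gRPC handler must never do with a peer-supplied
    # message: pickle.loads resolves and calls whatever the payload names.
    return pickle.loads(raw)


# Opcodes that import a global or call something during load. Any of them in a
# message that should only carry data is a red flag (detection-side check).
DANGEROUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
}


def has_dangerous_opcodes(raw: bytes) -> bool:
    # pickletools.genops disassembles without executing anything.
    return any(op.name in DANGEROUS_OPCODES for op, _arg, _pos in pickletools.genops(raw))


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    Plain dicts, lists, strings and numbers never trigger find_class, so a
    data-only message still loads; anything naming a callable is rejected.
    Extend ALLOWED_GLOBALS deliberately if a specific safe type is required.
    """

    ALLOWED_GLOBALS: set = set()

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve global {module}.{name}")


def hardened_server_handler(raw: bytes):
    if has_dangerous_opcodes(raw):
        raise pickle.UnpicklingError("message contains code-carrying pickle opcodes")
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def hardened_rejects_exploit() -> bool:
    # Returns True when the hardened path refuses the attacker payload.
    try:
        hardened_server_handler(build_exploit())
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    legit = build_observation(3)
    print("vulnerable handler on legit message:", vulnerable_server_handler(legit))
    print("vulnerable handler on exploit (code ran, got pid):", vulnerable_server_handler(build_exploit()))
    print("exploit flagged by opcode scan:", has_dangerous_opcodes(build_exploit()))
    print("hardened handler on legit message:", hardened_server_handler(legit))
    print("hardened handler rejects exploit:", hardened_rejects_exploit())
```

The opcode scan and the restricted unpickler are defence in depth for a service that cannot yet stop using pickle; the durable fix is to carry observations and actions in a data-only format (JSON, protobuf messages, or safetensors for tensors) and to put the gRPC channel behind TLS with client authentication so unauthenticated peers never reach the handler at all.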