top of page
ALL POSTS
Critical Unpatched Vulnerability in Hugging Face LeRobot Enables Unauthenticated Remote Code Execution
Key Findings CVE-2026-25874 (CVSS 9.3) in Hugging Face LeRobot allows unauthenticated remote code execution via unsafe pickle deserialization Vulnerability exists in PolicyServer and robot client components using unencrypted gRPC channels without TLS Flaw remains unpatched as of now, with fix planned for version 0.6.0 Nearly 24,000 GitHub stars indicate significant adoption despite the critical security issue Attackers can steal credentials, compromise connected robots, and m
Apr 292 min read
Attackers Exploiting Unpatched ShowDoc Servers Via CVE-2025-0520
Key Findings Critical remote code execution vulnerability CVE-2025-0520 in ShowDoc is under active exploitation in the wild with a CVSS score of 9.4 Unrestricted file upload flaw allows unauthenticated attackers to deploy web shells and execute arbitrary code on vulnerable servers Vulnerability affects all ShowDoc versions prior to 2.8.7, which was released in October 2020 Over 2,000 exposed ShowDoc instances remain online, with the majority located in China Threat actors hav
Apr 142 min read
bottom of page
