CVE-2026-46432
HIGH
7.8
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
Description
LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, LMDeploy is vulnerable to arbitrary code execution through hardcoded 'trust_remote_code=True' in multiple HuggingFace model-loading call sites. At time of publication, there are no publicly available patches.
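An audit check for the pattern described above, added here as an example (it is not code from LMDeploy or from the advisory): it parses Python source with the standard `ast` module and reports every call that passes a `trust_remote_code` keyword, separating hardcoded `True` from values the caller controls. The function name `find_trust_remote_code` and the `SAMPLE` source are constructed for illustration.

```python
import ast

# Constructed sample source for illustration; not taken from LMDeploy.
SAMPLE = '''
from transformers import AutoConfig, AutoModelForCausalLM, AutoTokenizer

def load(path, trust=False):
    cfg = AutoConfig.from_pretrained(path, trust_remote_code=True)
    tok = AutoTokenizer.from_pretrained(path, trust_remote_code=trust)
    model = AutoModelForCausalLM.from_pretrained(path, trust_remote_code=False)
    return cfg, tok, model
'''


def find_trust_remote_code(source, filename="<source>"):
    """Return sorted (line, callee, verdict) for calls passing trust_remote_code."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg != "trust_remote_code":
                continue
            if isinstance(kw.value, ast.Constant):
                # A literal: the operator cannot override it at runtime.
                if kw.value.value is True:
                    verdict = "hardcoded-true"
                else:
                    verdict = "hardcoded-false"
            else:
                # A variable or expression: trace where its value comes from.
                verdict = "caller-controlled"
            findings.append((node.lineno, ast.unparse(node.func), verdict))
    return sorted(findings)


if __name__ == "__main__":
    for line, callee, verdict in find_trust_remote_code(SAMPLE):
        print(f"line {line}: {callee} -> {verdict}")
```

Each `hardcoded-true` finding is a call site where Python code shipped in a model repository is executed at load time with no opt-out for the operator, so those are the lines to review first.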
CWE-94: Improper Control of Generation of Code ('Code Injection')
Status: Draft
Common Consequences
Security Scopes Affected:
Access Control
Integrity
Confidentiality
Availability
Non-Repudiation
Potential Impacts:
Bypass Protection Mechanism
Gain Privileges Or Assume Identity
Execute Unauthorized Code Or Commands
Hide Activities
Applicable Platforms
Languages:
Interpreted
Technologies:
AI/ML
https://github.com/InternLM/lmdeploy/security/advisories/GHSA-m549-qq94-fvhg