What is the CVSS score of CVE-2026-1839?

CVE-2026-1839 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-1839?

Yes, a patch is available for CVE-2026-1839. Update the affected software to the latest version immediately.

CVE-2026-1839

EUVD-2026-19573 HIGH

Deserialization of Untrusted Data (CWE-502)

2026-04-07 @huntr_ai

GHSA-69w3-r845-3855

RCE Deserialization

7.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 28, 2026 - 16:52 vuln.today

cvss_changed

Severity Changed

Apr 28, 2026 - 16:52 NVD

MEDIUM HIGH

CVSS changed

Apr 28, 2026 - 16:52 NVD

6.5 (MEDIUM) 7.8 (HIGH)

Patch released

Apr 08, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 07, 2026 - 05:30 euvd

EUVD-2026-19573

Analysis Generated

Apr 07, 2026 - 05:30 vuln.today

CVE Published

Apr 07, 2026 - 05:22 nvd

MEDIUM 6.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

22 pypi packages depend on transformers (18 direct, 4 indirect)

Ecosystem-wide dependent count for version 5.0.0rc3.

DescriptionNVD

A vulnerability in the HuggingFace Transformers library, specifically in the Trainer class, allows for arbitrary code execution. The _load_rng_state() method in src/transformers/trainer.py at line 3059 calls torch.load() without the weights_only=True parameter. This issue affects all versions of the library supporting torch>=2.2 when used with PyTorch versions below 2.6, as the safe_globals() context manager provides no protection in these versions. An attacker can exploit this vulnerability by supplying a malicious checkpoint file, such as rng_state.pth, which can execute arbitrary code when loaded. The issue is resolved in version v5.0.0rc3.

AnalysisAI

Remote code execution in HuggingFace Transformers library allows arbitrary code execution via malicious checkpoint files. The _load_rng_state() method in the Trainer class calls torch.load() without the weights_only=True parameter, enabling deserialization attacks when PyTorch versions below 2.6 are used with torch>=2.2. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Vendor StatusVendor

CVE-2026-1839 vulnerability details – vuln.today

Back

CVE-2026-1839

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Vendor StatusVendor

Share

External POC / Exploit Code