ZDI: Published Advisories The following is a list of publicly disclosed vulnerabilities discovered by Zero Day Initiative researchers. While the affected vendor is working on a patch for these vulnerabilities, Trend Micro customers are protected from exploitation by security filters delivered ahead of public disclosure. All security vulnerabilities that are acquired by the Zero Day Initiative are handled according to the ZDI Disclosure Policy.
- ZDI-25-1142: (0Day) Hugging Face Diffusers CogView4 Deserialization of Untrusted Data Remote Code Execution Vulnerability
on December 18, 2025 at 6:00 amThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Diffusers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-14922.
- ZDI-25-1144: (0Day) Hugging Face Transformers X-CLIP Checkpoint Conversion Deserialization of Untrusted Data Remote Code Execution Vulnerabilityon December 18, 2025 at 6:00 am
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-14929.
- ZDI-25-1143: (0Day) Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerabilityon December 18, 2025 at 6:00 am
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face smolagents. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 10.0. The following CVEs are assigned: CVE-2025-14931.
- ZDI-25-1146: (0Day) Hugging Face Transformers HuBERT convert_config Code Injection Remote Code Execution Vulnerabilityon December 18, 2025 at 6:00 am
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-14928.
- ZDI-25-1145: (0Day) Hugging Face Transformers GLM4 Deserialization of Untrusted Data Remote Code Execution Vulnerabilityon December 18, 2025 at 6:00 am
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-14930.
- ZDI-25-1148: (0Day) Hugging Face Transformers SEW-D convert_config Code Injection Remote Code Execution Vulnerabilityon December 18, 2025 at 6:00 am
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-14927.
- ZDI-25-1147: (0Day) Hugging Face Transformers SEW convert_config Code Injection Remote Code Execution Vulnerabilityon December 18, 2025 at 6:00 am
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must convert a malicious checkpoint. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-14926.
- ZDI-25-1150: (0Day) Hugging Face Transformers Perceiver Model Deserialization of Untrusted Data Remote Code Execution Vulnerabilityon December 18, 2025 at 6:00 am
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-14920.
- ZDI-25-1149: (0Day) Hugging Face Transformers Transformer-XL Model Deserialization of Untrusted Data Remote Code Execution Vulnerabilityon December 18, 2025 at 6:00 am
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-14921.
- ZDI-25-1151: (0Day) NSF Unidata NetCDF-C NC Variable Integer Overflow Remote Code Execution Vulnerabilityon December 18, 2025 at 6:00 am
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NSF Unidata NetCDF-C. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-14933.
