216.73.217.176

CVE-2026-46517

· Published 10/06/2026 00:16 · Modified 11/06/2026 12:16

Labels: CVE-2026-46517 2026-06-10CVE-2026-46517CWE-94[email protected]

Essential information

Published
10/06/2026 00:16
Modified
11/06/2026 12:16
Author
Creator
CVSS
7.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS metrics

Description

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
github / lmdeploy cpe:2.3:a:github:lmdeploy:0.12.3:*:*:*:*:*:*:*

References