CVE Catalog

CVE-2026-46517

HighCVSS 7.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

3th percentile - higher than 3% of all known CVEs

Summary

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded 'trust_remote_code=True' enables HF supply-chain RCE without user opt-in.

Risk Assessment

The lack of publicly available patches exposes organizations to the risk of remote code execution, potentially leading to serious security breaches.

Recommendation

It is recommended to upgrade to the latest version of LMDeploy to mitigate the risk associated with this vulnerability.

Original NVD description (English source)

LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS