CVE-2026-46517
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile - higher than 3% of all known CVEs
Summary
LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded 'trust_remote_code=True' enables HF supply-chain RCE without user opt-in.
Risk Assessment
The lack of publicly available patches exposes organizations to the risk of remote code execution, potentially leading to serious security breaches.
Recommendation
It is recommended to upgrade to the latest version of LMDeploy to mitigate the risk associated with this vulnerability.
Original NVD description (English source)
LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.

