CVE ID :CVE-2026-4944 Published : May 28, 2026, 7:16 p.m. | 1 hour, 5 minutes ago Description :vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in two model implementation files (`vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`). This bypasses the user's explicit `--trust-remote-code=False` setting, enabling remote code execution via malicious HuggingFace model repositories. This issue is an incomplete fix for CVE-2025-66448 and CVE-2026-22807, as it affects separate code paths in model implementation files. Deployments loading NemotronVL or KimiK25 models are particularly impacted. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...