Vulnerabilities

Report: CVE-2026-6859 - Instructlab: instructlab: arbitrary code execution due to hardcoded `trust_remote

2026-04-22 0 views admin

CVE ID :CVE-2026-6859 Published : April 22, 2026, 2:17 p.m. | 58 minutes ago Description :A flaw was found in InstructLab. The `linux_train.py` script hardcodes `trust_remote_code=True` when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to run `ilab train/download/generate` with a specially crafted malicious model from the HuggingFace Hub. This vulnerability can lead to complete system compromise. Severity: 8.8 | HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE Details

CVE ID

CVE-2026-6859

Severity

HIGH

Published

April 22, 2026

Affected Product: Python

Impact: code execution

🏷️ Tags

reportinstructlabarbitraryexecutionhardcodedtrust_remotepublishedminutescvecve-2026-6859

InfinitSec - Latest Cybersecurity, Technology & Gaming News

Report: CVE-2026-6859 - Instructlab: instructlab: arbitrary code execution due to hardcoded `trust_remote

CVE Details

🏷️ Tags

More from Vulnerabilities

Report: CVE-2026-31530 - cxl/port: Fix use after free of parent_port in cxl_detach_ep() - Full Analysis

Report: CVE-2026-31528 - perf: Make sure to use pmu_ctx->pmu for groups

Report: CVE-2026-31529 - cxl/region: Fix leakage in __construct_region() - Guide

Report: Complete Guide to CVE-2026-33602 - Off-by-one access when processing crafted UDP responses

Trending

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

CVE-2025-43939: Dell Unity OS Command Injection (High)

Google disputes false claims of massive Gmail data breach

Microsoft: DNS outage impacts Azure and Microsoft 365 services

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting