CVE-2026-58116

LLaMA-Factory 0.9.5 Remote Code Execution via WebUI Model Path

CVSS 9.3 CRITICAL · CWE-829 · CWE-94
Vexday Risk Score
45 · Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 9.3 · EPSS · KEV: no · Public PoC · Nuclei · Metasploit · Patch
Lifecycle
30 Jun 2026: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True parameter, causing the Hugging Face transformers library to fetch and execute arbitrary code from a remote or local model repository with the privileges of the server process.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
hiyouga · LlamaFactory
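
A source audit for the pattern in the description above, added here as an example and not taken from LLaMA-Factory or the advisory: it parses Python source with the standard ast module and reports every from_pretrained call that hardcodes trust_remote_code=True, marking the calls whose model path is not a string literal. The sample source and the function name find_risky_loads are constructed for illustration.

```python
import ast

# Constructed sample source for the demo; not LLaMA-Factory code.
SAMPLE = '''
from transformers import AutoModel, AutoTokenizer

def load_chat(model_path):
    tok = AutoTokenizer.from_pretrained(model_path, trust_remote_code=True)
    model = AutoModel.from_pretrained(model_path, trust_remote_code=True)
    return tok, model

def load_pinned():
    return AutoModel.from_pretrained("org/pinned-model", trust_remote_code=True)

def load_safe(model_path, **kw):
    return AutoModel.from_pretrained(model_path, trust_remote_code=False)
'''

def find_risky_loads(source):
    """Return (line, call, path_is_dynamic) for each from_pretrained call
    that hardcodes trust_remote_code=True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "from_pretrained"):
            continue
        hardcoded = any(
            kw.arg == "trust_remote_code"
            and isinstance(kw.value, ast.Constant)
            and kw.value.value is True
            for kw in node.keywords
        )
        if not hardcoded:
            continue
        # The path is the first positional argument or the
        # pretrained_model_name_or_path keyword.
        path = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords
             if kw.arg == "pretrained_model_name_or_path"), None)
        dynamic = not (isinstance(path, ast.Constant) and isinstance(path.value, str))
        findings.append((node.lineno, ast.unparse(node.func), dynamic))
    return sorted(findings)

if __name__ == "__main__":
    for line, call, dynamic in find_risky_loads(SAMPLE):
        label = "HIGH: caller-controlled path" if dynamic else "review: fixed path"
        print(f"line {line}: {call} trust_remote_code=True ({label})")
```

A call flagged with a dynamic path is the combination the description names; a fixed-path call still executes repository code and deserves a review of where that repository is pinned.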
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
