{"uuid": "4b7e23b9-c637-4190-aa62-0e5f12b323a9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2026-25874", "type": "published-proof-of-concept", "source": "https://t.me/thehackernews/8888", "content": "\u26a0\ufe0f An unpatched critical flaw in Hugging Face\u2019s LeRobot enables remote code execution (CVSS 9.3).\n\nUntrusted pickle over unauthenticated gRPC (no TLS) lets attackers take over servers, steal keys and models, and impact connected robots.\n\n\ud83d\udd17 Details \u2192 https://thehackernews.com/2026/04/critical-cve-2026-25874-leaves-hugging.html", "creation_timestamp": "2026-04-28T11:42:27.000000Z"}