Hugging Face LeRobot flaw enables unauthenticated remote code execution
VPN Central [Unofficial]
April 30, 2026
A critical vulnerability in Hugging Face LeRobot can let unauthenticated attackers run commands on systems that expose the framework’s async inference service to a network. The flaw is tracked as CVE-2026-25874 and affects LeRobot versions through 0.5.1. VulnCheck rates it as critical with a 9.3 CVSS v4 score, while NVD lists a 9.8 CVSS v3.1 […]
The post Hugging Face LeRobot flaw enables unauthenticated remote code execution appeared first on VPN Central.