Package impact
PyPI / lmdeploy
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-46517 | high | — | 8.0 | | | | 8d ago | lmdeploy: Hardcoded trust_remote_code=True is an implicit unsafe remote-code load path with no user opt-out |
| CVE-2026-46432 | high | — | 8.0 | | | | 8d ago | LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization |
| CVE-2026-33626 | unknown | — | — | | | | 1mo ago | LMDeploy has Server-Side Request Forgery (SSRF) via Vision-Language Image Loading |
| CVE-2025-67729 | unknown | — | — | | | | 5mo ago | lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load() |
| CVE-2025-3163 | unknown | — | — | | | | 1y ago | InternLM LMDeploy code injection vulnerability |
| CVE-2025-3162 | unknown | — | — | | | | 1y ago | LMDeploy Improper Input Validation Vulnerability |