CVE-2026-27893

High CVSS: 8.8

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.18.0, two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust. Version 0.18.0 patches the issue.

Vendor

Vllm

Product

Vllm

CWE

CWE-693

Yayın Tarihi

2026-03-27 00:16:22

Güncelleme

2026-03-30 18:56:21

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-693 Vllm HIGH Vllm 2026

Referanslar

https://github.com/vllm-project/vllm/commit/00bd08edeee5dd4d4c13277c0114a464011acf72 https://github.com/vllm-project/vllm/pull/36192 https://github.com/vllm-project/vllm/security/advisories/GHSA-7972-pg2x-xr59

Benzer Kayıtlar

High

CVE-2026-25960

vLLM is an inference and serving engine for large language models (LLMs). The SSRF protection fix for CVE-2026-24779 add…

Critical

CVE-2026-22778

vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid i…

High

CVE-2026-24779

vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request…

High

CVE-2026-22807

vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to versio…

Medium

CVE-2026-22773

vLLM is an inference and serving engine for large language models (LLMs). In versions from 0.6.4 to before 0.12.0, users…

High

CVE-2025-66448

vLLM is an inference and serving engine for large language models (LLMs). Prior to 0.11.1, vllm has a critical remote co…