A vulnerability was found in huggingface diffusers up to 0.37.x. It has been rated as critical. It affects the function DiffusionPipeline.download. The manipulation leads to code injection. The vulnerability is tracked as CVE-2026-44513. The attack can be carried out remotely. No exploit exists. Upgrading the affected component is advised.