A vulnerability classified as critical has been found in huggingface diffusers up to 0.37.x. It affects the function DiffusionPipeline.from_pretrained in the file pipeline_loading_utils.py. Manipulating the argument custom_pipeline leads to code injection. This vulnerability is tracked as CVE-2026-44827. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.