
Critical Unpatched Vulnerability CVE-2026-25874 Discovered in Hugging Face LeRobot Platform
Tags: Cybersecurity, Vulnerabilities, Remote Code Execution, Open Source, Hugging Face, LeRobot, Deserialization, RCE, Unpatched
Cybersecurity researchers disclosed a critical unpatched vulnerability (CVE-2026-25874, CVSS score: 9.3) in Hugging Face's open-source robotics platform, LeRobot, which has nearly 24,000 GitHub stars. The flaw stems from untrusted data deserialization and could enable unauthenticated remote code execution (RCE). No specific exploitation timeline or affected versions were provided, but the issue was publicly reported in April 2026. The vulnerability impacts LeRobot's implementation, though further technical details on the attack vector remain undisclosed. Hugging Face has not yet released a patch for the flaw.