Security News

Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE

TheHackerNews
Daniel Bender
28 Apr 2026

CVE-2026-25874 (CVSS 9.3) in LeRobot 0.4.3 allows unauthenticated RCE via pickle over gRPC, risking AI systems and sensitive data.