{"data":{"slug":"tloen-alpaca-lora","name":"alpaca-lora","trust":{"provenance":{"is_fork":false,"github_id":613591358,"owner_type":"User","methodology":"github_public_v1","parent_repo":null,"near_duplicate_slugs":[]},"computed_at":"2026-07-11T23:21:55.583Z","maintenance":{"label":"Dormant","score":18,"methodology":"github_public_v1","releases_90d":0,"days_since_push":712,"last_release_at":null},"security_summary":{"status":"findings","scanner":"osv@v1","low_count":28,"high_count":5,"last_scan_at":"2026-07-11T23:21:56.017Z","medium_count":12,"scan_profile":"deps","critical_count":1}},"findings":[{"id":"GHSA-282v-666c-3fvg","severity":"medium","title":"transformers has Insecure Temporary File","package":"transformers@4.28.0","cve":"CVE-2023-2800","location":"requirements.txt"},{"id":"GHSA-29pf-2h5f-8g72","severity":"high","title":"HuggingFace transformers vulnerable to remote code execution","package":"transformers@4.28.0","cve":"CVE-2026-4372","location":"requirements.txt"},{"id":"GHSA-37mw-44qp-f5jm","severity":"medium","title":"Transformers is vulnerable to ReDoS attack through its DonutProcessor class","package":"transformers@4.28.0","cve":"CVE-2025-3933","location":"requirements.txt"},{"id":"GHSA-37q5-v5qm-c9v8","severity":"low","title":"Transformers Deserialization of Untrusted Data vulnerability","package":"transformers@4.28.0","cve":"CVE-2024-3568","location":"requirements.txt"},{"id":"GHSA-3863-2447-669p","severity":"critical","title":"transformers has a Deserialization of Untrusted Data vulnerability","package":"transformers@4.28.0","cve":"CVE-2023-6730","location":"requirements.txt"},{"id":"GHSA-4w7r-h757-3r74","severity":"medium","title":"Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer","package":"transformers@4.28.0","cve":"CVE-2025-6921","location":"requirements.txt"},{"id":"GHSA-59p9-h35m-wg4g","severity":"medium","title":"Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer","package":"transformers@4.28.0","cve":"CVE-2025-6638","location":"requirements.txt"},{"id":"GHSA-69w3-r845-3855","severity":"medium","title":"HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class","package":"transformers@4.28.0","cve":"CVE-2026-1839","location":"requirements.txt"},{"id":"GHSA-6rvg-6v2m-4j46","severity":"medium","title":"Transformers Regular Expression Denial of Service (ReDoS) vulnerability","package":"transformers@4.28.0","cve":"CVE-2024-12720","location":"requirements.txt"},{"id":"GHSA-9356-575x-2w9m","severity":"medium","title":"Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability","package":"transformers@4.28.0","cve":"CVE-2025-5197","location":"requirements.txt"},{"id":"GHSA-fpwr-67px-3qhx","severity":"medium","title":"Transformers Regular Expression Denial of Service (ReDoS) vulnerability","package":"transformers@4.28.0","cve":"CVE-2025-1194","location":"requirements.txt"},{"id":"GHSA-hxxf-235m-72v3","severity":"high","title":"Deserialization of Untrusted Data in Hugging Face Transformers","package":"transformers@4.28.0","cve":"CVE-2024-11394","location":"requirements.txt"},{"id":"GHSA-jjph-296x-mrcr","severity":"medium","title":"Transformers vulnerable to ReDoS attack through its get_imports() function","package":"transformers@4.28.0","cve":"CVE-2025-3264","location":"requirements.txt"},{"id":"GHSA-phhr-52qp-3mj4","severity":"low","title":"Transformers's Improper Input Validation vulnerability can be exploited through username injection","package":"transformers@4.28.0","cve":"CVE-2025-3777","location":"requirements.txt"},{"id":"GHSA-q2wp-rjmx-x6x9","severity":"medium","title":"Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking","package":"transformers@4.28.0","cve":"CVE-2025-3263","location":"requirements.txt"},{"id":"GHSA-qq3j-4f4f-9583","severity":"medium","title":"Hugging Face Transformers Regular Expression Denial of Service","package":"transformers@4.28.0","cve":"CVE-2025-2099","location":"requirements.txt"},{"id":"GHSA-qxrp-vhvm-j765","severity":"high","title":"Deserialization of Untrusted Data in Hugging Face Transformers","package":"transformers@4.28.0","cve":"CVE-2024-11392","location":"requirements.txt"},{"id":"GHSA-rcv9-qm8p-9p6j","severity":"medium","title":"Hugging Face Transformers library has Regular Expression Denial of Service","package":"transformers@4.28.0","cve":"CVE-2025-6051","location":"requirements.txt"},{"id":"GHSA-v68g-wm8c-6x7j","severity":"high","title":"transformers has a Deserialization of Untrusted Data vulnerability","package":"transformers@4.28.0","cve":"CVE-2023-7018","location":"requirements.txt"},{"id":"GHSA-wrfc-pvp9-mr9g","severity":"high","title":"Deserialization of Untrusted Data in Hugging Face Transformers","package":"transformers@4.28.0","cve":"CVE-2024-11393","location":"requirements.txt"},{"id":"PYSEC-2023-299","severity":"low","title":"PYSEC-2023-299","package":"transformers@4.28.0","cve":"CVE-2023-2800","location":"requirements.txt"},{"id":"PYSEC-2023-300","severity":"low","title":"PYSEC-2023-300","package":"transformers@4.28.0","cve":"CVE-2023-6730","location":"requirements.txt"},{"id":"PYSEC-2023-301","severity":"low","title":"PYSEC-2023-301","package":"transformers@4.28.0","cve":"CVE-2023-7018","location":"requirements.txt"},{"id":"PYSEC-2024-227","severity":"low","title":"PYSEC-2024-227","package":"transformers@4.28.0","cve":"CVE-2024-11392","location":"requirements.txt"},{"id":"PYSEC-2024-228","severity":"low","title":"PYSEC-2024-228","package":"transformers@4.28.0","cve":"CVE-2024-11393","location":"requirements.txt"},{"id":"PYSEC-2024-229","severity":"low","title":"PYSEC-2024-229","package":"transformers@4.28.0","cve":"CVE-2024-11394","location":"requirements.txt"},{"id":"PYSEC-2025-211","severity":"low","title":"PYSEC-2025-211","package":"transformers@4.28.0","cve":"CVE-2025-14920","location":"requirements.txt"},{"id":"PYSEC-2025-212","severity":"low","title":"PYSEC-2025-212","package":"transformers@4.28.0","cve":"CVE-2025-14921","location":"requirements.txt"},{"id":"PYSEC-2025-213","severity":"low","title":"PYSEC-2025-213","package":"transformers@4.28.0","cve":"CVE-2025-14924","location":"requirements.txt"},{"id":"PYSEC-2025-214","severity":"low","title":"PYSEC-2025-214","package":"transformers@4.28.0","cve":"CVE-2025-14926","location":"requirements.txt"},{"id":"PYSEC-2025-215","severity":"low","title":"PYSEC-2025-215","package":"transformers@4.28.0","cve":"CVE-2025-14927","location":"requirements.txt"},{"id":"PYSEC-2025-216","severity":"low","title":"PYSEC-2025-216","package":"transformers@4.28.0","cve":"CVE-2025-14928","location":"requirements.txt"},{"id":"PYSEC-2025-217","severity":"low","title":"PYSEC-2025-217","package":"transformers@4.28.0","cve":"CVE-2025-14929","location":"requirements.txt"},{"id":"PYSEC-2025-218","severity":"low","title":"PYSEC-2025-218","package":"transformers@4.28.0","cve":"CVE-2025-14930","location":"requirements.txt"},{"id":"PYSEC-2025-40","severity":"low","title":"PYSEC-2025-40","package":"transformers@4.28.0","cve":"CVE-2025-2099","location":"requirements.txt"},{"id":"PYSEC-2026-1977","severity":"low","title":"Transformers is vulnerable to ReDoS attack through its DonutProcessor class","package":"transformers@4.28.0","cve":"CVE-2025-3933","location":"requirements.txt"},{"id":"PYSEC-2026-1978","severity":"low","title":"Transformers Deserialization of Untrusted Data vulnerability","package":"transformers@4.28.0","cve":"CVE-2024-3568","location":"requirements.txt"},{"id":"PYSEC-2026-1980","severity":"low","title":"Hugging Face Transformers vulnerable to Regular Expression Denial of Service (ReDoS) in the AdamWeightDecay optimizer","package":"transformers@4.28.0","cve":"CVE-2025-6921","location":"requirements.txt"},{"id":"PYSEC-2026-1981","severity":"low","title":"Hugging Face Transformers is vulnerable to ReDoS through its MarianTokenizer","package":"transformers@4.28.0","cve":"CVE-2025-6638","location":"requirements.txt"},{"id":"PYSEC-2026-1982","severity":"low","title":"Transformers Regular Expression Denial of Service (ReDoS) vulnerability","package":"transformers@4.28.0","cve":"CVE-2024-12720","location":"requirements.txt"},{"id":"PYSEC-2026-1983","severity":"low","title":"Hugging Face Transformers Regular Expression Denial of Service (ReDoS) vulnerability","package":"transformers@4.28.0","cve":"CVE-2025-5197","location":"requirements.txt"},{"id":"PYSEC-2026-1984","severity":"low","title":"Transformers Regular Expression Denial of Service (ReDoS) vulnerability","package":"transformers@4.28.0","cve":"CVE-2025-1194","location":"requirements.txt"},{"id":"PYSEC-2026-1985","severity":"low","title":"Transformers vulnerable to ReDoS attack through its get_imports() function","package":"transformers@4.28.0","cve":"CVE-2025-3264","location":"requirements.txt"},{"id":"PYSEC-2026-1986","severity":"low","title":"Transformers's Improper Input Validation vulnerability can be exploited through username injection","package":"transformers@4.28.0","cve":"CVE-2025-3777","location":"requirements.txt"},{"id":"PYSEC-2026-1987","severity":"low","title":"Transformers's ReDoS vulnerability in get_configuration_file can lead to catastrophic backtracking","package":"transformers@4.28.0","cve":"CVE-2025-3263","location":"requirements.txt"},{"id":"PYSEC-2026-1988","severity":"low","title":"Hugging Face Transformers library has Regular Expression Denial of Service","package":"transformers@4.28.0","cve":"CVE-2025-6051","location":"requirements.txt"}],"methodology":"github_public_v1"}}