GHSA-7972-pg2x-xr59

### Summary

Two model implementation files hardcode `trust_remote_code=True` when loading sub-components, bypassing the user's explicit `--trust-remote-code=False` security opt-out. This enables remote code execution via malicious model repositories even when the user has explicitly disabled remote code trust.

### Details

**Affected files (latest main branch):**

1. `vllm/model_executor/models/nemotron_vl.py:430` ```python vision_model = AutoModel.from_config(config.vision_config, trust_remote_code=True) ```

2. vllm/model_executor/models/kimi_k25.py:177 ```python cached_get_image_processor(self.ctx.model_config.model, trust_remote_code=True) ```

Both pass a hardcoded trust_remote_code=True to HuggingFace API calls, overriding the user's global --trust-remote-code=False setting.

Relation to prior CVEs: - CVE-2025-66448 fixed auto_map resolution in vllm/transformers_utils/config.py (config loading path) - CVE-2026-22807 fixed broader auto_map at startup - Both fixes are present in the current code. These hardcoded instances in model files survived both patches — different code paths.

### Impact

Remote code execution. An attacker can craft a malicious model repository that executes arbitrary Python code when loaded by vLLM, even when the user has explicitly set --trust-remote-code=False. This undermines the security guarantee that trust_remote_code=False is intended to provide.

Remediation: Replace hardcoded trust_remote_code=True with self.config.model_config.trust_remote_code in both files. Raise a clear error if the model component requires remote code but the user hasn't opted in.