ISO 42001 Compliance Tracker

ISO/IEC 42001 is the international standard for AI management systems (AIMS). It provides a framework for organizations to manage the development, deployment, and use of AI systems responsibly. Each control below maps to specific AI security vulnerabilities found in real-world AI/ML packages.

2452
CVEs Mapped
6
Controls with CVEs
3246
Total Mappings

Controls & Mapped Vulnerabilities

A.5.4

AI system impact assessment process

0 CVEs
A.6.2.4

AI system risk assessment

42 CVEs
CRITICAL
CVE-2024-41112 CVSS 9.8

streamlit-geospatial: RCE via eval() on palette input

CRITICAL
CVE-2023-38896 CVSS 9.8

LangChain: RCE via unsandboxed LLM code execution

CRITICAL
CVE-2026-32924 CVSS 9.8

OpenClaw: auth bypass via Feishu reaction misclassification

+ 39 more CVEs mapped to this control

A.6.2.6

AI system risk treatment

397 CVEs
CRITICAL
CVE-2026-45829 CVSS 10.0

ChromaDB: pre-auth RCE via trust_remote_code injection

CRITICAL
CVE-2024-2912 CVSS 10.0

BentoML: RCE via insecure deserialization (CVSS 10)

CRITICAL
GHSA-wpqr-6v78-jr5g CVSS 10.0

Gemini CLI: RCE via malicious workspace in CI/CD

+ 394 more CVEs mapped to this control

A.7.3

Awareness — AI-specific threats

12 CVEs
CRITICAL
CVE-2025-6853 CVSS 9.8

Langchain-Chatchat: path traversal in KB upload

CRITICAL
CVE-2025-59434 CVSS 9.6

Flowise Cloud: cross-tenant env var exposure leaks API keys

HIGH
GHSA-j7w6-vpvq-j3gm CVSS 8.8

diffusers: silent RCE via None.py trust_remote_code bypass

+ 9 more CVEs mapped to this control

A.10.2

AI system lifecycle

24 CVEs
CRITICAL
CVE-2025-54381 CVSS 9.9

BentoML: unauthenticated SSRF via file upload URLs

CRITICAL
GHSA-8whc-2wmv-ww35 CVSS 9.6

AVideo YPTSocket: Stored DOM XSS enables admin takeover

HIGH
CVE-2024-39720 CVSS 8.2

Ollama: OOB read in GGUF parser enables remote DoS

+ 21 more CVEs mapped to this control

A.10.3

Data quality for AI systems

20 CVEs
CRITICAL
CVE-2023-25664 CVSS 9.8

TensorFlow: heap overflow in AvgPoolGrad, RCE risk

CRITICAL
GHSA-9qhq-v63v-fv3j CVSS 9.8

PraisonAI: RCE via MCP command injection

CRITICAL
CVE-2026-33475 CVSS 9.1

langflow: security flaw enables exploitation

+ 17 more CVEs mapped to this control

A.10.4

AI system testing and validation

2 CVEs
CRITICAL
CVE-2020-15205 CVSS 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

HIGH
CVE-2026-45136

claude-code-cache-fix: hook path injection → RCE

B.4

Monitoring and measurement of AI risks

0 CVEs

Download Full Evidence Pack

Get the complete ISO 42001 evidence pack with all CVE-to-control mappings, rationale, and audit-ready documentation. Exportable as CSV.

Get Evidence Pack