Code Execution
Remote code execution is unusually common in the AI/ML ecosystem because two long-standing patterns persist: pickle-based model loading and Jinja-style template rendering. Pickle is Python's default serialisation format and it executes arbitrary code on deserialisation; PyTorch models, scikit-learn pipelines, and many older HuggingFace artefacts are pickle files, so loading an untrusted model file is equivalent to running an untrusted script. HuggingFace addressed this with safetensors, but the older format is still widespread. The second pattern is template injection in LLM application frameworks that render Jinja-like syntax inside user-controlled prompts; LangChain, LlamaIndex, and several agent frameworks have shipped CVEs of this shape. Inference servers (vLLM, Triton, BentoML, Ray Serve) round out the RCE landscape with the usual web-app issues. Defenses: never load model files from untrusted sources, prefer safetensors, sandbox inference, and audit any code path that combines user input with template rendering.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2026-33873 | Langflow: server-side RCE via LLM-generated code exec | langflow | - |
| HIGH | CVE-2026-33744 | BentoML: command injection in bentofile.yaml containerize | bentoml | 7.8 |
| CRITICAL | CVE-2026-33660 | TensorFlow: type confusion NPD in tensor conversion | n8n | 10.0 |
| HIGH | CVE-2026-33665 | n8n: LDAP email match enables permanent account takeover | n8n | 8.2 |
| HIGH | CVE-2026-33696 | n8n: Prototype pollution enables RCE via workflow nodes | n8n | 8.8 |
| HIGH | CVE-2026-33713 | n8n: SQLi in Data Table node, full DB compromise | n8n | 8.8 |
| CRITICAL | CVE-2026-33749 | n8n: stored XSS enables credential theft via workflow | n8n | 9.0 |
| CRITICAL | GHSA-5mg7-485q-xm76 | litellm: supply chain attack harvests AI API credentials | litellm | - |
| MEDIUM | GHSA-h8r8-wccr-v5f2 | DOMPurify: mXSS bypass achieves XSS via parse-context switch | - | |
| HIGH | CVE-2026-33989 | @mobilenext/mobile-mcp: path traversal via AI agent tool | @mobilenext/mobile-mcp | 8.1 |
| MEDIUM | GHSA-364x-8g5j-x2pr | n8n: stored XSS via malicious OAuth2 Authorization URL | n8n | 5.4 |
| MEDIUM | GHSA-3c7f-5hgj-h279 | n8n: Stored XSS in Chat Trigger via CSS injection | n8n | 5.4 |
| CRITICAL | CVE-2025-15036 | MLflow: path traversal enables sandbox escape, file overwrite | mlflow | 9.6 |
| CRITICAL | CVE-2025-15379 | MLflow: RCE via unsanitized model dependency specs | mlflow | 10.0 |
| CRITICAL | CVE-2026-2275 | CrewAI: RCE via Docker fallback in CodeInterpreter | 9.6 | |
| CRITICAL | CVE-2026-2287 | CrewAI: Docker sandbox fallback enables RCE | 9.8 | |
| CRITICAL | GHSA-955r-262c-33jc | telnyx: PyPI supply chain attack steals cloud creds | - | |
| HIGH | GHSA-m3mh-3mpg-37hw | OpenClaw: .npmrc hijack enables RCE on plugin install | openclaw | 8.6 |
| CRITICAL | CVE-2026-0596 | MLflow: command injection via model_uri in mlserver mode | mlflow | 9.6 |
| HIGH | CVE-2026-22561 | Claude Setup: DLL search-order hijacking LPE | 7.8 |