Code Execution
Remote code execution is unusually common in the AI/ML ecosystem because two long-standing patterns persist: pickle-based model loading and Jinja-style template rendering. Pickle is Python's default serialisation format and it executes arbitrary code on deserialisation; PyTorch models, scikit-learn pipelines, and many older HuggingFace artefacts are pickle files, so loading an untrusted model file is equivalent to running an untrusted script. HuggingFace addressed this with safetensors, but the older format is still widespread. The second pattern is template injection in LLM application frameworks that render Jinja-like syntax inside user-controlled prompts; LangChain, LlamaIndex, and several agent frameworks have shipped CVEs of this shape. Inference servers (vLLM, Triton, BentoML, Ray Serve) round out the RCE landscape with the usual web-app issues. Defenses: never load model files from untrusted sources, prefer safetensors, sandbox inference, and audit any code path that combines user input with template rendering.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-41138 | Flowise: RCE via unsanitized input in AirtableAgent | flowise | 8.8 |
| CRITICAL | CVE-2026-41268 | Flowise: unauthenticated RCE via NODE_OPTIONS env injection | flowise | 9.8 |
| HIGH | CVE-2026-41269 | Flowise: unrestricted file upload enables persistent RCE | flowise | 8.8 |
| CRITICAL | CVE-2026-41276 | Flowise: auth bypass enables full account takeover via reset | flowise | 9.8 |
| CRITICAL | CVE-2026-41274 | Flowise: Cypher injection via GraphCypherQAChain node | flowise | 9.8 |
| HIGH | CVE-2026-41486 | Ray: Parquet RCE via Arrow extension deserialization | ray | - |
| HIGH | GHSA-xqmj-j6mv-4862 | LiteLLM: RCE via unsandboxed prompt template rendering | litellm | - |
| CRITICAL | GHSA-wpqr-6v78-jr5g | Gemini CLI: RCE via malicious workspace in CI/CD | @google/gemini-cli | 10.0 |
| HIGH | CVE-2026-40068 | Claude Code: git worktree trust bypass executes hooks | @anthropic-ai/claude-code | - |
| HIGH | GHSA-v4p8-mg3p-g94g | litellm: RCE via MCP test endpoints privilege bypass | litellm | - |
| MEDIUM | GHSA-qrp5-gfw2-gxv4 | openclaw: tool policy bypass via bundled MCP/LSP tools | openclaw | - |
| MEDIUM | GHSA-mj59-h3q9-ghfh | openclaw: env var injection via MCP stdio config | openclaw | - |
| MEDIUM | GHSA-hxvm-xjvf-93f3 | openclaw: env namespace injection steers agent runtime | openclaw | - |
| LOW | CVE-2026-7020 | Ollama: path traversal in tensor model transfer handler | ollama | 3.7 |
| CRITICAL | CVE-2026-42248 | Ollama: silent auto-update bypasses signature check on Windows | ollama | 9.8 |
| CRITICAL | CVE-2026-42249 | Ollama: path traversal + unsigned update = silent RCE | ollama | 9.8 |
| UNKNOWN | CVE-2026-42232 | n8n: XML Node prototype pollution → RCE | n8n | - |
| UNKNOWN | CVE-2026-42231 | n8n: prototype pollution → RCE via Git node SSH | n8n | - |
| UNKNOWN | CVE-2026-42235 | n8n: stored XSS via MCP OAuth steals agent sessions | n8n | - |
| UNKNOWN | CVE-2026-42234 | n8n: Python sandbox escape enables container RCE | n8n | - |