Code Execution
Remote code execution is unusually common in the AI/ML ecosystem because two long-standing patterns persist: pickle-based model loading and Jinja-style template rendering. Pickle is Python's default serialisation format and it executes arbitrary code on deserialisation; PyTorch models, scikit-learn pipelines, and many older HuggingFace artefacts are pickle files, so loading an untrusted model file is equivalent to running an untrusted script. HuggingFace addressed this with safetensors, but the older format is still widespread. The second pattern is template injection in LLM application frameworks that render Jinja-like syntax inside user-controlled prompts; LangChain, LlamaIndex, and several agent frameworks have shipped CVEs of this shape. Inference servers (vLLM, Triton, BentoML, Ray Serve) round out the RCE landscape with the usual web-app issues. Defenses: never load model files from untrusted sources, prefer safetensors, sandbox inference, and audit any code path that combines user input with template rendering.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-24162 | NVIDIA Transformers4Rec: deserialization RCE | 7.8 | |
| HIGH | CVE-2026-44175 | Kirby CMS: stored XSS in list field enables session hijack | getkirby/cms | - |
| HIGH | CVE-2026-44174 | Kirby: unsafe reflection allows privilege escalation | getkirby/cms | - |
| CRITICAL | CVE-2026-7524 | Langflow: RCE via symlink traversal in archive extraction | langflow | 9.8 |
| MEDIUM | CVE-2026-46032 | Linux Kernel KVM: nSVM VMEXIT host state corruption | 5.5 | |
| CRITICAL | CVE-2026-25879 | langroid: Prompt-to-SQL injection enables RCE on DB host | langroid | 9.8 |
| HIGH | CVE-2026-45368 | Kirby CMS: Stored XSS via javascript: URI scheme bypass | getkirby/cms | - |
| CRITICAL | CVE-2026-31233 | guardrails-ai: RCE via malicious Hub package manifest | guardrails-ai | 9.8 |
| UNKNOWN | CVE-2026-9806 | CTI Transmute: stored XSS in notification panel | - | |
| MEDIUM | CVE-2026-46236 | Linux Kernel: DMA coherency bug in xbox_remote driver | 5.5 | |
| HIGH | CVE-2026-46176 | Linux mlx5 RDMA: use-after-free in SRQ init path | 7.8 | |
| MEDIUM | CVE-2026-47128 | nono-cli: sandbox escape via Unix socket bypass | nono-cli | 6.1 |
| UNKNOWN | CVE-2026-4944 | vllm: trust_remote_code bypass enables RCE via HuggingFace | vllm | - |
| HIGH | CVE-2026-41236 | Froxlor: symlink-following grants customer root SSH access | froxlor/froxlor | 8.8 |
| HIGH | CVE-2026-41235 | Froxlor: shell whitelist bypass grants host shell access | froxlor/froxlor | - |
| HIGH | CVE-2026-32905 | OpenClaw: auth bypass enables persistent device enrollment | openclaw | 8.3 |
| MEDIUM | CVE-2026-32906 | OpenClaw: privilege escalation bypasses Slack plugin approval gate | openclaw | 4.3 |
| HIGH | CVE-2026-35630 | OpenClaw: auth bypass enables unauthorized agent approval | openclaw | 8.0 |
| HIGH | CVE-2026-35674 | OpenClaw: scope bypass enables full agent admin takeover | openclaw | 8.8 |
| CRITICAL | CVE-2026-47744 | Shopper: RBAC bypass allows full admin takeover | shopper/framework | 9.9 |