Code Execution
Remote code execution is unusually common in the AI/ML ecosystem because two long-standing patterns persist: pickle-based model loading and Jinja-style template rendering. Pickle is Python's default serialisation format and it executes arbitrary code on deserialisation; PyTorch models, scikit-learn pipelines, and many older HuggingFace artefacts are pickle files, so loading an untrusted model file is equivalent to running an untrusted script. HuggingFace addressed this with safetensors, but the older format is still widespread. The second pattern is template injection in LLM application frameworks that render Jinja-like syntax inside user-controlled prompts; LangChain, LlamaIndex, and several agent frameworks have shipped CVEs of this shape. Inference servers (vLLM, Triton, BentoML, Ray Serve) round out the RCE landscape with the usual web-app issues. Defenses: never load model files from untrusted sources, prefer safetensors, sandbox inference, and audit any code path that combines user input with template rendering.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | GHSA-8whc-2wmv-ww35 | AVideo YPTSocket: Stored DOM XSS enables admin takeover | WWBN/AVideo | 9.6 |
| CRITICAL | CVE-2026-46442 | Flowise: sandbox escape enables authenticated RCE | flowise | 9.9 |
| MEDIUM | CVE-2026-20258 | Splunk: stored XSS hijacks dashboards via HTML panel | 5.4 | |
| MEDIUM | CVE-2026-46642 | draw.io: stored XSS executes JS via crafted diagram file | 6.1 | |
| HIGH | CVE-2026-42558 | Xibo CMS: Stored XSS + iframe sandbox escape via DataSet | 7.6 | |
| CRITICAL | CVE-2026-46703 | Boxlite: OCI symlink traversal enables host RCE | boxlite | 9.6 |
| HIGH | CVE-2026-11816 | Keras: path traversal allows arbitrary file write | keras | 8.1 |
| HIGH | CVE-2026-53807 | OpenClaw: auth bypass allows unauthorized command execution | OpenClaw | 8.8 |
| HIGH | CVE-2026-53806 | OpenClaw: shell flag bypass enables RCE in agent exec | openclaw | 8.8 |
| HIGH | CVE-2026-53813 | OpenClaw: path traversal enables RCE via memory-core artifacts | openclaw | 7.8 |
| HIGH | CVE-2026-53810 | OpenClaw: extension metadata bypass enables agent RCE | openclaw | 8.8 |
| HIGH | CVE-2026-53819 | OpenClaw: RCE via workspace .env executable override | openclaw | 8.8 |
| HIGH | CVE-2026-53816 | OpenClaw: node event forgery bypasses exec authorization | openclaw | 7.2 |
| HIGH | CVE-2026-53814 | OpenClaw: privilege escalation via hook-triggered MCP scope | openclaw | 8.3 |
| HIGH | CVE-2026-53817 | OpenClaw: locality spoof yields durable admin credentials | openclaw | 8.8 |
| MEDIUM | CVE-2026-53818 | OpenClaw: MCP loopback auth bypass enables policy evasion | openclaw | 6.6 |
| MEDIUM | CVE-2026-10127 | Edimax BR-6478AC: RCE via rootAPmac command injection | 6.3 | |
| MEDIUM | CVE-2026-10166 | Edimax BR-6478AC: RCE via command injection in Wi-Fi handler | 6.3 | |
| CRITICAL | CVE-2024-13152 | Mobuy Panel: SQLi allows unauthenticated DB takeover | Mobuy Online Machinery Monitoring Panel | 10.0 |
| MEDIUM | CVE-2024-11831 | serialize-javascript: XSS via regex in AI/ML dashboards | odh-kf-notebook-controller-rhel8 | 5.4 |