Code Execution
Remote code execution is unusually common in the AI/ML ecosystem because two long-standing patterns persist: pickle-based model loading and Jinja-style template rendering. Pickle is Python's default serialisation format and it executes arbitrary code on deserialisation; PyTorch models, scikit-learn pipelines, and many older HuggingFace artefacts are pickle files, so loading an untrusted model file is equivalent to running an untrusted script. HuggingFace addressed this with safetensors, but the older format is still widespread. The second pattern is template injection in LLM application frameworks that render Jinja-like syntax inside user-controlled prompts; LangChain, LlamaIndex, and several agent frameworks have shipped CVEs of this shape. Inference servers (vLLM, Triton, BentoML, Ray Serve) round out the RCE landscape with the usual web-app issues. Defenses: never load model files from untrusted sources, prefer safetensors, sandbox inference, and audit any code path that combines user input with template rendering.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-35642 | OpenClaw: auth bypass injects restricted agent events | OpenClaw | 4.3 |
| HIGH | CVE-2026-35643 | OpenClaw: WebView bridge injection enables Android RCE | OpenClaw | 8.8 |
| HIGH | CVE-2026-35641 | OpenClaw: RCE via .npmrc override in plugin install | OpenClaw | 7.8 |
| LOW | CVE-2026-35648 | OpenClaw: policy bypass via stale queued node actions | OpenClaw | 3.7 |
| MEDIUM | CVE-2026-35652 | OpenClaw: auth bypass enables unauthorized action execution | OpenClaw | 6.5 |
| HIGH | CVE-2026-35650 | OpenClaw: env var override bypass enables code execution | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-35655 | OpenClaw: identity spoofing bypasses agent safety checks | OpenClaw | 5.7 |
| HIGH | CVE-2026-35663 | OpenClaw: privilege escalation to admin via backend reconnect | OpenClaw | 8.8 |
| HIGH | CVE-2026-35666 | OpenClaw: allowlist bypass enables arbitrary command exec | OpenClaw | 8.8 |
| MEDIUM | CVE-2026-52816 | Gogs: XSS via data URI in ipynb sanitizer endpoint | gogs.io/gogs | - |
| MEDIUM | GHSA-7cqp-7cfv-6c3q | AVideo Meet: Stored XSS via User-Agent → admin takeover | wwbn/avideo | - |
| HIGH | CVE-2026-54320 | Daytona: email bypass grants unauthorized org Owner access | 8.4 | |
| HIGH | CVE-2026-55249 | @rtk-ai/rtk-rewrite: RCE via shell injection in exec tool | openclaw | 8.8 |
| HIGH | CVE-2026-7574 | Claude Desktop: VM integrity bypass enables RCE | Claude Desktop Cowork | 8.7 |
| MEDIUM | CVE-2025-71332 | Flowise: SQL injection exposes AI credential store | Flowise | 6.5 |
| HIGH | CVE-2025-71354 | picklescan: scanner bypass enables arbitrary code execution | picklescan | 8.1 |
| HIGH | CVE-2025-71361 | picklescan: scanner bypass allows RCE via pickle load | picklescan | 8.1 |
| HIGH | CVE-2026-56351 | n8n: SQL injection in DB nodes via identifier values | n8n | 8.2 |
| MEDIUM | CVE-2026-56358 | n8n: stored XSS in Form Trigger enables form hijacking | n8n | 5.4 |
| CRITICAL | CVE-2026-12537 | Gemini CLI: OS command injection enables pre-sandbox RCE | run-gemini-cli GitHub Action | - |