Code Execution
Remote code execution is unusually common in the AI/ML ecosystem because two long-standing patterns persist: pickle-based model loading and Jinja-style template rendering. Pickle is Python's default serialisation format and it executes arbitrary code on deserialisation; PyTorch models, scikit-learn pipelines, and many older HuggingFace artefacts are pickle files, so loading an untrusted model file is equivalent to running an untrusted script. HuggingFace addressed this with safetensors, but the older format is still widespread. The second pattern is template injection in LLM application frameworks that render Jinja-like syntax inside user-controlled prompts; LangChain, LlamaIndex, and several agent frameworks have shipped CVEs of this shape. Inference servers (vLLM, Triton, BentoML, Ray Serve) round out the RCE landscape with the usual web-app issues. Defenses: never load model files from untrusted sources, prefer safetensors, sandbox inference, and audit any code path that combines user input with template rendering.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-13731 | WPBot: unauthenticated stored XSS via chatbot conversation field | wpbot | 7.2 |
| HIGH | CVE-2026-57516 | Ray: RCE via pickle/torch deserialization in WebDataset | ray | 8.8 |
| UNKNOWN | CVE-2026-8387 | ClearML: path traversal in zip extraction enables RCE | allegroai/clearml | - |
| CRITICAL | CVE-2026-23537 | Feast: unauth file write to RCE via /save-document | rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9 | 9.1 |
| HIGH | CVE-2026-4372 | transformers: config.json RCE bypasses trust_remote_code | transformers | 7.8 |
| HIGH | GHSA-2j8v-hwgc-x698 | OpenClaw: TOCTOU in shell wrapper bypasses command allowlist | Openclaw | - |
| MEDIUM | GHSA-qh2f-99mv-mrcf | OpenClaw: exec denylist bypass in bundled MCP loopback | openclaw | - |
| HIGH | GHSA-xww8-gqvh-92x9 | OpenClaw: truncated approval UI masks exec payload | openclaw | 8.0 |
| HIGH | GHSA-p73f-w79w-jqr5 | OpenClaw: owner-command auth bypass via native cmds | openclaw | - |
| HIGH | GHSA-j472-gf56-x589 | OpenClaw: PowerShell alias bypasses exec allowlist | openclaw | - |
| HIGH | GHSA-w5ww-7chg-mxcq | OpenClaw: Telegram callback bypasses sender allowlist | openclaw | - |
| HIGH | GHSA-83w9-h5wv-j9xm | OpenClaw: TOCTOU race bypasses node approval scope | openclaw | - |
| MEDIUM | GHSA-wv26-j37q-2g7p | OpenClaw: exec approver can bypass plugin approval gate | openclaw | - |
| HIGH | GHSA-hw9r-h9mr-4jff | OpenClaw: chat.send routing bypasses admin auth scopes | openclaw | 8.8 |
| HIGH | GHSA-mgq6-vr84-7m2j | OpenClaw: QQBot approval button auth bypass | openclaw | 8.0 |
| HIGH | CVE-2026-56208 | libaom: heap overflow in AV1 encoder LAP mode | rhaiis/vllm-cpu-rhel9 | 7.6 |
| HIGH | CVE-2026-56211 | libaom: AV1 SVC OOB write enables RCE | rhaiis/vllm-cpu-rhel9 | 7.1 |
| HIGH | CVE-2026-56209 | libaom: arbitrary address write in AV1 SVC codec | rhaiis/vllm-cpu-rhel9 | 7.1 |
| CRITICAL | CVE-2026-12481 | Keras: safe_mode=None bypass enables Lambda RCE | keras | 9.8 |
| HIGH | CVE-2025-71342 | picklescan: idlelib bypass hides pickle RCE | picklescan | 8.1 |