Code Execution
Remote code execution is unusually common in the AI/ML ecosystem because two long-standing patterns persist: pickle-based model loading and Jinja-style template rendering. Pickle is Python's default serialisation format and it executes arbitrary code on deserialisation; PyTorch models, scikit-learn pipelines, and many older HuggingFace artefacts are pickle files, so loading an untrusted model file is equivalent to running an untrusted script. HuggingFace addressed this with safetensors, but the older format is still widespread. The second pattern is template injection in LLM application frameworks that render Jinja-like syntax inside user-controlled prompts; LangChain, LlamaIndex, and several agent frameworks have shipped CVEs of this shape. Inference servers (vLLM, Triton, BentoML, Ray Serve) round out the RCE landscape with the usual web-app issues. Defenses: never load model files from untrusted sources, prefer safetensors, sandbox inference, and audit any code path that combines user input with template rendering.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2020-18325 | Subrion CMS: stored XSS in admin config panel | - | |
| UNKNOWN | CVE-2021-42950 | Zepl Notebooks: RCE via malicious notebook code | - | |
| UNKNOWN | CVE-2022-23321 | XMPie UStore: persistent XSS in admin user panel | - | |
| UNKNOWN | CVE-2021-42952 | Zepl Notebooks: sandbox escape exposes cloud metadata | - | |
| CRITICAL | CVE-2022-44194 | Netgear R7000P: buffer overflow via DNS params | 9.8 | |
| MEDIUM | CVE-2026-40257 | OP-TEE: off-by-one in SHA-3 CE overflows TEE kernel heap | 5.5 | |
| HIGH | CVE-2026-33846 | GnuTLS: DTLS fragment heap overflow, DoS on AI inference | rhaiis/vllm-rocm-rhel9 | 7.5 |
| CRITICAL | CVE-2024-23827 | Nginx-UI: arbitrary file write via cert import leads to RCE | github.com/0xJacky/Nginx-UI | 9.8 |
| HIGH | CVE-2024-22197 | Nginx-UI: authenticated command injection to RCE | github.com/0xJacky/Nginx-UI | 7.7 |
| HIGH | CVE-2024-22198 | Nginx-UI: command injection via settings API | github.com/0xJacky/Nginx-UI | 7.1 |
| UNKNOWN | CVE-2026-55615 | Langroid: unvalidated LLM Cypher enables graph RCE | langroid | - |
| HIGH | CVE-2026-54771 | Langroid: auth bypass invokes disabled tools via raw JSON | langroid | 8.1 |
| CRITICAL | CVE-2026-54769 | Langroid: prompt injection to RCE via broken eval() sandbox | langroid | 10.0 |
| HIGH | CVE-2026-55427 | Coder: SSH config injection via config-ssh enables RCE | github.com/coder/coder/v2 | 8.3 |
| HIGH | CVE-2026-55077 | Coder: user-admin can hijack owner accounts | github.com/coder/coder/v2 | 7.2 |
| HIGH | CVE-2026-6101 | AMP for WP: unsafe ZIP extraction enables file write | 7.5 | |
| HIGH | CVE-2026-26193 | Open WebUI: stored XSS via chat 'embeds' iframe escape | open-webui | 7.3 |
| HIGH | CVE-2026-26192 | Open WebUI: stored XSS via citation iFrame → admin RCE | open-webui | 7.3 |
| HIGH | CVE-2025-46719 | Open WebUI: chat XSS steals tokens, admin RCE | open-webui | - |
| MEDIUM | CVE-2025-46571 | Open WebUI: Stored XSS via HTML upload enables admin RCE | open-webui | - |