Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-53872 | picklescan: arbitrary file read bypasses RCE blocklist | picklescan | 7.5 |
| CRITICAL | CVE-2026-35304 | Oracle Coherence: unauthenticated HTTPS takeover | coherence | 9.8 |
| CRITICAL | CVE-2026-35305 | Oracle Coherence: unauth data exfiltration via bundled libs | coherence | 9.3 |
| CRITICAL | CVE-2026-35306 | Oracle Coherence: unauthenticated data access via HTTP | coherence | 9.3 |
| CRITICAL | CVE-2026-35307 | Oracle Coherence: unauthenticated RCE, CVSS 10.0 | coherence | 10.0 |
| CRITICAL | CVE-2026-35309 | Oracle Coherence: unauthenticated RCE via HTTP (CVSS 9.8) | coherence | 9.8 |
| CRITICAL | CVE-2026-35310 | Oracle Coherence: unauthenticated HTTP full takeover | coherence | 9.8 |
| MEDIUM | CVE-2026-54022 | open-webui: Yjs auth bypass exposes all user notes | open-webui | 5.3 |
| MEDIUM | CVE-2026-54019 | open-webui: RAG ACL bypass exposes private KB chunks | open-webui | 6.5 |
| HIGH | CVE-2026-54018 | open-webui: SSRF via redirect bypass in Playwright loader | open-webui | 7.7 |
| HIGH | CVE-2026-54017 | open-webui: double-encoded path traversal in terminal proxy | open-webui | 7.7 |
| HIGH | CVE-2026-55405 | langchain4j: SQL injection in vector store filters | dev.langchain4j:langchain4j-pgvector | 7.6 |
| MEDIUM | CVE-2026-54386 | marimo: reflected XSS enables JS injection in notebooks | marimo | 6.1 |
| CRITICAL | CVE-2026-44727 | jupyter-server: stored XSS yields kernel RCE | notebook | 9.0 |
| HIGH | GHSA-6jcq-6546-qrrw | PraisonAI: sandbox escape via silent Landlock fallback | praisonaiagents | 8.8 |
| HIGH | GHSA-4pcv-mg8v-vrgf | praisonaiagents: SSRF + prompt injection, IAM cred exposure | praisonaiagents | 8.8 |
| CRITICAL | GHSA-29w3-p9w9-wc47 | PraisonAI: multiedit path traversal, arbitrary file R/W | praisonai | 9.1 |
| HIGH | GHSA-jxcw-qp4h-6jfq | praisonai: incomplete auth fix exposes A2U agent streams | praisonai | 7.5 |
| HIGH | GHSA-c969-5x3p-vq3v | praisonaiagents: IMAP injection via prompt → email exfil | praisonaiagents | 8.1 |
| HIGH | GHSA-gcq3-mfvh-3x25 | PraisonAI: workspace bypass allows arbitrary file read/write | praisonai | 7.3 |