Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| LOW | CVE-2025-5320 | Gradio: CORS origin bypass in ML UI handler | gradio | 3.7 |
| CRITICAL | CVE-2024-41114 | streamlit-geospatial: RCE via eval() on palette input | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2024-41119 | streamlit-geospatial: RCE via eval() on vis_params input | streamlit-geospatial | 9.8 |
| UNKNOWN | CVE-2024-4897 | lollms-webui: RCE via malicious GGUF model loading | - | |
| HIGH | CVE-2020-28975 | scikit-learn: DoS via crafted SVM model deserialization | scikit-learn | 7.5 |
| HIGH | CVE-2024-43598 | LightGBM: heap buffer overflow enables network RCE | lightgbm | 8.1 |
| CRITICAL | CVE-2024-2912 | BentoML: RCE via insecure deserialization (CVSS 10) | 10.0 | |
| HIGH | CVE-2024-9056 | BentoML: DoS via multipart boundary exhausts server | bentoml | 7.5 |
| CRITICAL | CVE-2024-9070 | BentoML: unauthenticated RCE via runner deserialization | bentoml | 9.8 |
| CRITICAL | CVE-2025-27520 | BentoML: unauthenticated RCE via insecure deserialization | bentoml | 9.8 |
| CRITICAL | CVE-2025-32375 | BentoML: RCE via insecure deserialization in runner | bentoml | 9.8 |
| CRITICAL | CVE-2025-54381 | BentoML: unauthenticated SSRF via file upload URLs | bentoml | 9.9 |
| MEDIUM | CVE-2026-24123 | bentoml: Path Traversal enables file access | bentoml | 6.5 |
| HIGH | CVE-2024-10188 | litellm: unauthenticated DoS crashes LLM proxy server | litellm | 7.5 |
| UNKNOWN | CVE-2025-11203 | LiteLLM: Info Disclosure leaks sensitive data | - | |
| MEDIUM | CVE-2026-30886 | AI component: IDOR enables unauthorized data access | 6.5 | |
| HIGH | CVE-2026-25048 | xgrammar: security flaw enables exploitation | xgrammar | 7.5 |
| HIGH | GHSA-wccx-j62j-r448 | fickling: Protection Bypass circumvents security controls | fickling | - |
| MEDIUM | CVE-2026-27482 | ray: Missing Auth allows unauthenticated access | ray | 5.9 |
| MEDIUM | CVE-2026-1778 | sagemaker: security flaw enables exploitation | sagemaker | 5.9 |