Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-1117 | lollms: Access Control bypass enables privilege escalation | lollms | 8.2 |
| HIGH | CVE-2026-22607 | fickling: Allowlist Bypass evades input filtering | fickling | - |
| HIGH | GHSA-mcmc-2m55-j8jj | vllm: Input Validation flaw enables exploitation | vllm | 8.8 |
| HIGH | CVE-2025-67729 | lmdeploy: Deserialization enables RCE | lmdeploy | 8.8 |
| LOW | CVE-2025-63681 | open-webui: Access Control bypass enables privilege escalation | open-webui | - |
| CRITICAL | CVE-2025-34351 | ray: security flaw enables exploitation | ray | - |
| HIGH | CVE-2025-64496 | open-webui: Code Injection enables RCE | open-webui | 7.3 |
| MEDIUM | CVE-2025-61620 | vllm: DoS via Jinja template injection in chat API | vllm | 6.5 |
| MEDIUM | CVE-2026-33401 | Wallos: SSRF allows internal network access | 6.5 | |
| HIGH | CVE-2025-30402 | ExecuTorch: heap overflow in method load, RCE risk | executorch | 8.1 |
| CRITICAL | CVE-2023-48022 | Ray: unauthenticated RCE via job submission API | ray | 9.8 |
| MEDIUM | CVE-2025-58446 | xgrammar: DoS via oversized JSON schema grammar parsing | xgrammar | - |
| HIGH | CVE-2025-57809 | xgrammar: uncontrolled recursion in grammar parsing causes DoS | xgrammar | 7.5 |
| HIGH | CVE-2025-9141 | vLLM: RCE via eval() in Qwen3 Coder tool parser | vllm | 8.8 |
| CRITICAL | CVE-2025-54950 | ExecuTorch: OOB read in model loader enables RCE | executorch | 9.8 |
| CRITICAL | CVE-2025-54951 | ExecuTorch: heap buffer overflow RCE in model loading | executorch | 9.8 |
| CRITICAL | CVE-2025-30405 | ExecuTorch: integer overflow in model load → RCE | executorch | 9.8 |
| CRITICAL | CVE-2025-30404 | ExecuTorch: integer overflow RCE on model load | executorch | 9.8 |
| MEDIUM | CVE-2025-54952 | ExecuTorch: integer overflow enables RCE via model loading | executorch | - |
| MEDIUM | GHSA-j828-28rj-hfhp | vllm: ReDoS in inference endpoints enables DoS | vllm | 4.3 |