Inference
Inference servers are the most actively-exploited component of the AI stack because they sit between the model and the public internet and they hold the GPU. The shape of the bugs is mostly web-app classes magnified by the cost of compute: missing auth on /v1 endpoints, SSRF that escapes the sandbox onto the platform's control plane, unsafe deserialization on model-loading paths, and path traversal in artifact-management endpoints. vLLM, Triton, TGI, BentoML, Ray Serve, and Ollama have each shipped multiple high-severity CVEs since 2023; CVE-2024-11041 in vLLM was a notable example combining prompt injection with code execution. Multi-tenant deployments are particularly exposed because a single bug typically crosses tenant boundaries. Defenses: aggressive patching, mandatory auth, network segmentation between inference and control plane, and per-tenant resource quotas to bound abuse.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-2586 | GlassFish: authenticated RCE via admin console | org.glassfish.jsftemplating:jsftemplating | 9.1 |
| LOW | CVE-2026-11329 | onnx-mlir: weak hash enables model cache poisoning | 3.6 | |
| HIGH | CVE-2026-46309 | Linux Xe iGPU: cache-bypass leaks cross-process stale data | 7.0 | |
| HIGH | CVE-2026-32981 | Ray Dashboard: unauthenticated path traversal file read | ray | 7.5 |
| MEDIUM | CVE-2026-47155 | vLLM: revision pin bypass loads unreviewed artifacts | vllm | 6.5 |
| CRITICAL | CVE-2026-46703 | Boxlite: OCI symlink traversal enables host RCE | boxlite | 9.6 |
| HIGH | CVE-2026-5497 | vLLM: unauthenticated OOM DoS via video frame parsing | vllm | 7.5 |
| MEDIUM | CVE-2026-10127 | Edimax BR-6478AC: RCE via rootAPmac command injection | 6.3 | |
| MEDIUM | CVE-2026-10166 | Edimax BR-6478AC: RCE via command injection in Wi-Fi handler | 6.3 | |
| MEDIUM | CVE-2019-6576 | SIMATIC WinCC: TLS key disclosure enables traffic decryption | SIMATIC HMI Classic Devices (TP/MP/OP/MP Mobile Panel) | 6.5 |
| CRITICAL | CVE-2024-6878 | Panel: file exposure enables sensitive ML data collection | Panel | - |
| CRITICAL | CVE-2024-5960 | Panel: plaintext credential storage enables domain compromise | Panel | 9.8 |
| CRITICAL | CVE-2024-5958 | Panel: SQL injection enables OS command execution | Panel | - |
| LOW | CVE-2026-10813 | LMCache: weak hash enables KV cache integrity bypass | 3.6 | |
| HIGH | CVE-2026-4424 | libarchive: RAR heap OOB read leaks memory in vLLM stacks | rhaiis/vllm-cuda-rhel9 | 7.5 |
| HIGH | CVE-2026-5121 | libarchive: integer overflow in zisofs hits vllm containers | rhaiis/vllm-cuda-rhel9 | 7.5 |
| HIGH | CVE-2023-52356 | libtiff: heap overflow DoS in vLLM inference via TIFF input | rhaiis/vllm-cuda-rhel9 | 7.5 |
| MEDIUM | CVE-2025-14831 | GnuTLS: TLS cert parsing DoS hits vllm inference | rhaiis/vllm-cuda-rhel9 | 5.3 |
| HIGH | CVE-2026-4111 | libarchive: infinite loop DoS in RAR5 decompression | rhaiis/vllm-cuda-rhel9 | 7.5 |
| HIGH | CVE-2026-5201 | gdk-pixbuf: JPEG heap overflow crashes vLLM inference | rhaiis/vllm-cuda-rhel9 | 7.5 |