Model
The model itself is an attack surface separate from the code that runs it. The model file is the first concern: pickle-based formats (PyTorch .bin, joblib, older HuggingFace) execute arbitrary code on load, so loading an untrusted model is loading untrusted code; safetensors solves this but adoption is incomplete. The model's behaviour is the second concern: adversarial examples bypass classifiers used as security controls, backdoor patterns planted during training survive deployment unless explicitly tested for, and model-extraction queries can clone proprietary fine-tunes. Production model registries (HuggingFace Hub, Ollama Library) have hosted backdoored variants of popular base models; HuggingFace now scans uploads for known-bad patterns, but defenses lag attacks. We track CVEs against model formats, model-loader libraries, and published research demonstrating new model-level attack classes against shipped commercial models.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-1462 | Keras: safe_mode bypass allows RCE via model deserialization | keras | 8.8 |
| HIGH | CVE-2026-6859 | InstructLab: RCE via hardcoded trust_remote_code flag | instructlab | 8.8 |
| LOW | CVE-2026-7020 | Ollama: path traversal in tensor model transfer handler | ollama | 3.7 |
| CRITICAL | CVE-2026-7482 | Ollama: heap OOB read leaks API keys and chat data | ollama | 9.1 |
| MEDIUM | CVE-2026-44222 | vLLM: token injection DoS via multimodal placeholders | vllm | 6.5 |
| HIGH | GHSA-j7w6-vpvq-j3gm | diffusers: silent RCE via None.py trust_remote_code bypass | diffusers | 8.8 |
| HIGH | CVE-2026-44513 | diffusers: trust_remote_code bypass enables silent RCE | diffusers | 8.8 |
| MEDIUM | CVE-2026-44562 | open-webui: missing authz enables model hijacking | open-webui | 6.5 |
| HIGH | CVE-2026-44556 | open-webui: auth bypass allows unrestricted model access | open-webui | 7.1 |
| HIGH | CVE-2026-44555 | open-webui: access control bypass via model chaining | open-webui | 7.6 |
| HIGH | CVE-2026-44566 | Open WebUI: path traversal + file upload leads to RCE | open-webui | 7.3 |
| UNKNOWN | CVE-2026-31249 | CosyVoice: insecure deserialization RCE via .pt files | - | |
| UNKNOWN | CVE-2026-31250 | CosyVoice: RCE via unsafe torch.load() in model averaging | - | |
| UNKNOWN | CVE-2026-31251 | CosyVoice: RCE via unsafe torch.load() deserialization | - | |
| UNKNOWN | CVE-2026-31252 | CosyVoice: RCE via unsafe torch.load() deserialization | - | |
| CRITICAL | CVE-2026-31214 | torch-checkpoint: unsafe pickle deserialization RCE | 9.8 | |
| HIGH | CVE-2026-31221 | pytorch-lightning: RCE via insecure checkpoint deserialization | pytorch-lightning | 7.8 |
| UNKNOWN | CVE-2026-31218 | optimate: unsafe torch.load() enables RCE via model file | - | |
| UNKNOWN | CVE-2026-31219 | optimate: RCE via unsafe torch.load() deserialization | - | |
| HIGH | CVE-2026-31222 | snorkel: RCE via insecure model checkpoint loading | snorkel | 8.8 |