Model
The model itself is an attack surface separate from the code that runs it. The model file is the first concern: pickle-based formats (PyTorch .bin, joblib, older HuggingFace) execute arbitrary code on load, so loading an untrusted model is loading untrusted code; safetensors solves this but adoption is incomplete. The model's behaviour is the second concern: adversarial examples bypass classifiers used as security controls, backdoor patterns planted during training survive deployment unless explicitly tested for, and model-extraction queries can clone proprietary fine-tunes. Production model registries (HuggingFace Hub, Ollama Library) have hosted backdoored variants of popular base models; HuggingFace now scans uploads for known-bad patterns, but defenses lag attacks. We track CVEs against model formats, model-loader libraries, and published research demonstrating new model-level attack classes against shipped commercial models.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-31224 | snorkel: RCE via unsafe model deserialization | snorkel | 8.8 |
| CRITICAL | CVE-2026-31238 | Ludwig: RCE via unsafe pickle deserialization in model serve | ludwig | 9.8 |
| CRITICAL | CVE-2026-31239 | mamba: RCE via unsafe torch.load() on model load | mamba-ssm | 9.8 |
| CRITICAL | CVE-2026-31229 | ART: torch.load() RCE via insecure deserialization | 9.8 | |
| HIGH | CVE-2026-31232 | CosyVoice: RCE via unsafe torch.load() model deserialization | 8.8 | |
| HIGH | CVE-2026-8597 | SageMaker: RCE via poisoned Triton model artifacts in S3 | sagemaker | 7.2 |
| MEDIUM | CVE-2026-45396 | open-webui: mass assignment enables leaderboard poisoning | open-webui | 5.4 |
| MEDIUM | CVE-2026-45387 | open-webui: system prompt leakage via model read API | open-webui | 4.3 |
| MEDIUM | CVE-2026-45351 | Open WebUI: admin system prompts exposed to all users | open-webui | 6.5 |
| MEDIUM | CVE-2026-45345 | open-webui: IDOR allows unauthorized model modification | open-webui | 6.5 |
| HIGH | CVE-2026-4137 | MLflow: insecure tmp dir perms enable model artifact RCE | mlflow | 7.0 |
| HIGH | CVE-2026-45804 | diffusers: TOCTOU race bypasses trust_remote_code, RCE | diffusers | 7.5 |
| MEDIUM | CVE-2026-2734 | MLflow: missing authz exposes all model versions | mlflow | 6.5 |
| HIGH | CVE-2026-8596 | SageMaker SDK: cleartext HMAC key enables model artifact RCE | sagemaker | 7.2 |
| HIGH | CVE-2026-46432 | lmdeploy: hardcoded trust_remote_code enables RCE | lmdeploy | 7.8 |
| HIGH | CVE-2026-24162 | NVIDIA Transformers4Rec: deserialization RCE | 7.8 | |
| MEDIUM | CVE-2026-45907 | Linux mlx5e: deadlock DoS in Mellanox NIC recovery paths | 5.5 | |
| UNKNOWN | CVE-2026-4944 | vllm: trust_remote_code bypass enables RCE via HuggingFace | vllm | - |
| HIGH | CVE-2026-38950 | AnomalyMatch: RCE via torch.load() unsafe deserialization | 7.8 | |
| CRITICAL | CVE-2026-47117 | OpenMed: RCE via trust_remote_code model loading | openmed | 9.8 |