Model
The model itself is an attack surface separate from the code that runs it. The model file is the first concern: pickle-based formats (PyTorch .bin, joblib, older HuggingFace) execute arbitrary code on load, so loading an untrusted model is loading untrusted code; safetensors solves this but adoption is incomplete. The model's behaviour is the second concern: adversarial examples bypass classifiers used as security controls, backdoor patterns planted during training survive deployment unless explicitly tested for, and model-extraction queries can clone proprietary fine-tunes. Production model registries (HuggingFace Hub, Ollama Library) have hosted backdoored variants of popular base models; HuggingFace now scans uploads for known-bad patterns, but defenses lag attacks. We track CVEs against model formats, model-loader libraries, and published research demonstrating new model-level attack classes against shipped commercial models.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-53873 | picklescan: blocklist bypass allows arbitrary code exec | picklescan | 9.8 |
| MEDIUM | CVE-2026-55832 | tract-onnx: path traversal exposes arbitrary local files | tract-onnx | 6.1 |
| HIGH | CVE-2026-54499 | Stanza: pickle fallback bypass enables model RCE | torch | 7.5 |
| MEDIUM | CVE-2026-56304 | picklescan: FileHandler bypass creates filesystem artifacts | picklescan | 6.5 |
| HIGH | CVE-2025-71348 | picklescan: scanner bypass enables supply chain RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71378 | picklescan: detection bypass enables RCE via pickle files | picklescan | 8.1 |
| HIGH | CVE-2025-71357 | picklescan: detection bypass enables RCE via malicious models | picklescan | 8.1 |
| HIGH | CVE-2025-71351 | picklescan: scanner bypass enables RCE via pickle files | picklescan | - |
| UNKNOWN | CVE-2026-12479 | Keras: path traversal via layer names allows arbitrary file write | keras-team/keras | - |
| HIGH | CVE-2025-71339 | picklescan: scanner bypass enables arbitrary code execution | picklescan | 8.1 |
| HIGH | CVE-2025-71344 | picklescan: scanner bypass enables undetected pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71358 | picklescan: scanner bypass enables RCE via pickle | picklescan | 8.1 |
| HIGH | CVE-2025-71341 | picklescan: scanner bypass enables undetected RCE via pickle | picklescan | 8.1 |
| HIGH | CVE-2025-71365 | picklescan: detection bypass enables RCE via numpy.f2py | picklescan | 8.1 |
| HIGH | CVE-2025-71370 | picklescan: scanner bypass enables arbitrary code execution | picklescan | 8.1 |
| HIGH | CVE-2025-71376 | picklescan: scanner bypass enables undetected RCE | picklescan | 8.1 |
| CRITICAL | CVE-2026-56315 | picklescan: stdlib bypass enables arbitrary RCE | picklescan | 9.8 |
| HIGH | CVE-2026-52812 | Gogs LFS: cross-tenant object disclosure via dedupe bypass | gogs.io/gogs | - |
| HIGH | CVE-2025-71354 | picklescan: scanner bypass enables arbitrary code execution | picklescan | 8.1 |
| HIGH | CVE-2025-71361 | picklescan: scanner bypass allows RCE via pickle load | picklescan | 8.1 |