Model
The model itself is an attack surface separate from the code that runs it. The model file is the first concern: pickle-based formats (PyTorch .bin, joblib, older HuggingFace) execute arbitrary code on load, so loading an untrusted model is loading untrusted code; safetensors solves this but adoption is incomplete. The model's behaviour is the second concern: adversarial examples bypass classifiers used as security controls, backdoor patterns planted during training survive deployment unless explicitly tested for, and model-extraction queries can clone proprietary fine-tunes. Production model registries (HuggingFace Hub, Ollama Library) have hosted backdoored variants of popular base models; HuggingFace now scans uploads for known-bad patterns, but defenses lag attacks. We track CVEs against model formats, model-loader libraries, and published research demonstrating new model-level attack classes against shipped commercial models.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2025-71340 | picklescan: scanner bypass enables RCE via pickle supply chain | picklescan | 8.1 |
| HIGH | CVE-2026-5757 | Ollama: unauthenticated heap memory disclosure | Ollama | 7.5 |
| CRITICAL | CVE-2026-2651 | MLflow: auth bypass on artifact uploads enables RCE | mlflow/mlflow | 9.0 |
| HIGH | CVE-2026-4775 | libtiff: integer overflow causes heap OOB write | rhaiis/vllm-spyre-rhel9 | 7.8 |
| HIGH | CVE-2026-58116 | LLaMA-Factory: RCE via malicious model path | llama-factory | 8.8 |
| HIGH | CVE-2025-71349 | picklescan: bypass allows undetected pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71350 | picklescan: scanner bypass enables pickle RCE | torch | 8.1 |
| HIGH | CVE-2025-71352 | picklescan: RCE bypass via trace.Trace.runctx | picklescan | 8.1 |
| UNKNOWN | CVE-2025-71355 | Picklescan: NumPy gadget bypass enables pickle RCE | picklescan | - |
| HIGH | CVE-2025-71363 | picklescan: scanner bypass enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71368 | picklescan: scan bypass lets malicious pickles hit RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71371 | picklescan: malicious pickle bypasses RCE scan | picklescan | 8.1 |
| HIGH | CVE-2025-71374 | picklescan: scanner bypass enables pickle RCE | picklescan | 8.1 |
| UNKNOWN | CVE-2026-12480 | Keras: incomplete fix reopens HDF5 arbitrary file read | keras | - |
| UNKNOWN | CVE-2026-8387 | ClearML: path traversal in zip extraction enables RCE | allegroai/clearml | - |
| HIGH | CVE-2026-4372 | transformers: config.json RCE bypasses trust_remote_code | transformers | 7.8 |
| CRITICAL | CVE-2026-12481 | Keras: safe_mode=None bypass enables Lambda RCE | keras | 9.8 |
| HIGH | CVE-2025-71342 | picklescan: idlelib bypass hides pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71372 | Picklescan: RCE gadget bypasses pickle safety scanner | picklescan | 8.1 |
| HIGH | CVE-2025-71343 | picklescan: scanner bypass lets malicious pickle files evade detection | picklescan | 8.1 |