Model
The model itself is an attack surface separate from the code that runs it. The model file is the first concern: pickle-based formats (PyTorch .bin, joblib, older HuggingFace) execute arbitrary code on load, so loading an untrusted model is loading untrusted code; safetensors solves this but adoption is incomplete. The model's behaviour is the second concern: adversarial examples bypass classifiers used as security controls, backdoor patterns planted during training survive deployment unless explicitly tested for, and model-extraction queries can clone proprietary fine-tunes. Production model registries (HuggingFace Hub, Ollama Library) have hosted backdoored variants of popular base models; HuggingFace now scans uploads for known-bad patterns, but defenses lag attacks. We track CVEs against model formats, model-loader libraries, and published research demonstrating new model-level attack classes against shipped commercial models.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2025-71345 | picklescan: scanner blocklist bypass hides pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71347 | picklescan: numpy.f2py bypass lets malicious pickle evade scan | picklescan | 8.1 |
| HIGH | CVE-2025-71353 | picklescan: detection bypass allows pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71356 | picklescan: torch.fx gadget bypasses malicious-pickle detection | picklescan | 8.1 |
| HIGH | CVE-2025-71359 | picklescan: scan bypass lets malicious models RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71360 | picklescan: scanner bypass enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71362 | picklescan: scanner bypass enables RCE via numpy eval | picklescan | 8.1 |
| HIGH | CVE-2025-71364 | picklescan: scanner blind spot enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71366 | picklescan: scan bypass lets malicious pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71367 | picklescan: attrgetter bypass evades malicious pickle scan | picklescan | 8.1 |
| HIGH | CVE-2025-71369 | picklescan misses malicious pickles via torch decoder | picklescan | 8.1 |
| HIGH | CVE-2025-71373 | picklescan: methodcaller bypass enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71375 | picklescan: detection bypass enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2026-14535 | fickling: shared-state bug disables ML pickle allowlist check | fickling | 8.8 |
| HIGH | CVE-2026-14534 | fickling: denylist gaps let malicious pickles execute | fickling | 8.8 |
| MEDIUM | CVE-2026-14647 | ONNX: OOB read in shape inference parsing untrusted models | onnx | 4.3 |
| MEDIUM | CVE-2026-40257 | OP-TEE: off-by-one in SHA-3 CE overflows TEE kernel heap | 5.5 | |
| MEDIUM | CVE-2026-55514 | vLLM: malformed prompt embeds crash serving via M-RoPE | vllm | 6.5 |
| MEDIUM | CVE-2026-44512 | onnx: crafted model triggers SIGSEGV in version_converter | onnx | 5.5 |
Page 17 of 17