Attack Type

Supply Chain

AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.

720
Total CVEs
36
Pages
Page 15 of 36
Current
Severity CVE CVSS
CRITICAL GHSA-vvpj-8cmc-gx39 10.0
CRITICAL GHSA-7wx9-6375-f5wh 9.8
MEDIUM CVE-2026-27794 6.6
MEDIUM GHSA-mhc9-48gj-9gp3 -
HIGH GHSA-mxhj-88fx-4pcv -
LOW GHSA-83pf-v6qq-pwmr -
HIGH CVE-2026-2472 8.1
CRITICAL CVE-2026-26030 10.0
HIGH GHSA-97f8-7cmv-76j2 -
HIGH CVE-2026-0897 7.6
HIGH CVE-2025-53000 -
HIGH CVE-2026-1777 7.2
MEDIUM CVE-2026-1778 5.9
MEDIUM GHSA-m7j5-r2p5-c39r -
HIGH GHSA-9m3x-qqw2-h32h -
MEDIUM CVE-2026-21851 5.3
HIGH CVE-2026-22033 -
HIGH CVE-2026-22612 -
HIGH CVE-2026-22609 -
HIGH CVE-2026-22608 -

Page 15 of 36