Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2023-6019 | Ray: unauthenticated RCE via dashboard command injection | ray | 9.8 |
| MEDIUM | CVE-2024-52524 | Giskard: ReDoS in text perturbation causes DoS | giskard | - |
| MEDIUM | CVE-2024-2965 | langchain-community: DoS via recursive sitemap loop | langchain | 4.2 |
| MEDIUM | CVE-2024-7037 | open-webui: path traversal → arbitrary file write/RCE | open-webui | 6.5 |
| HIGH | CVE-2021-39160 | nbgitpuller: RCE via OS command injection in git URLs | 8.8 | |
| HIGH | CVE-2018-8768 | Jupyter Notebook: XSS via malicious .ipynb file | notebook | 7.8 |
| MEDIUM | CVE-2026-4963 | smolagents: code injection via incomplete sandbox fix | smolagents | 6.3 |
| HIGH | CVE-2026-27893 | vLLM: trust_remote_code bypass enables RCE | vllm | 8.8 |
| HIGH | CVE-2026-33744 | BentoML: command injection in bentofile.yaml containerize | bentoml | 7.8 |
| HIGH | CVE-2026-33696 | n8n: Prototype pollution enables RCE via workflow nodes | n8n | 8.8 |
| HIGH | CVE-2026-33724 | n8n: SSH MitM enables malicious workflow injection | n8n | 7.4 |
| CRITICAL | GHSA-5mg7-485q-xm76 | litellm: supply chain attack harvests AI API credentials | litellm | - |
| MEDIUM | GHSA-h8r8-wccr-v5f2 | DOMPurify: mXSS bypass achieves XSS via parse-context switch | - | |
| HIGH | CVE-2026-33989 | @mobilenext/mobile-mcp: path traversal via AI agent tool | @mobilenext/mobile-mcp | 8.1 |
| CRITICAL | CVE-2025-15036 | MLflow: path traversal enables sandbox escape, file overwrite | mlflow | 9.6 |
| CRITICAL | CVE-2025-15379 | MLflow: RCE via unsanitized model dependency specs | mlflow | 10.0 |
| CRITICAL | CVE-2026-2287 | CrewAI: Docker sandbox fallback enables RCE | 9.8 | |
| CRITICAL | GHSA-955r-262c-33jc | telnyx: PyPI supply chain attack steals cloud creds | - | |
| HIGH | GHSA-m3mh-3mpg-37hw | OpenClaw: .npmrc hijack enables RCE on plugin install | openclaw | 8.6 |
| CRITICAL | CVE-2026-0596 | MLflow: command injection via model_uri in mlserver mode | mlflow | 9.6 |