Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-22561 | Claude Setup: DLL search-order hijacking LPE | 7.8 | |
| HIGH | CVE-2026-27489 | ONNX: symlink path traversal allows arbitrary file read | onnx | 8.6 |
| HIGH | CVE-2026-34445 | ONNX: property overwrite via crafted model file | onnx | 8.6 |
| MEDIUM | CVE-2026-34446 | ONNX: hardlink path traversal leaks sensitive files | onnx | 4.7 |
| MEDIUM | CVE-2026-34447 | ONNX: symlink traversal reads host files via model loading | onnx | 5.5 |
| HIGH | GHSA-q56x-g2fj-4rj6 | onnx: TOCTOU symlink following enables arbitrary file write | onnx | 7.1 |
| HIGH | CVE-2026-34936 | PraisonAI: SSRF via api_base steals cloud IAM credentials | praisonai | 7.7 |
| CRITICAL | CVE-2026-34938 | praisonaiagents: sandbox bypass enables full host RCE | praisonaiagents | 10.0 |
| HIGH | CVE-2026-34760 | vLLM: audio downmix mismatch enables adversarial input | 7.1 | |
| MEDIUM | GHSA-9q7v-8mr7-g23p | OpenClaw: SSRF in marketplace fetch hits internal AI infra | openclaw | - |
| HIGH | CVE-2026-35175 | Ajenti: missing authz lets any user install packages | - | |
| HIGH | CVE-2026-35044 | BentoML: malicious bento archive RCE via Jinja2 SSTI | bentoml | 8.8 |
| HIGH | CVE-2026-35043 | BentoML: cmd injection RCE on cloud build infra | bentoml | 7.8 |
| MEDIUM | CVE-2026-35492 | kedro-datasets: path traversal enables arbitrary file write | kedro-datasets | 6.5 |
| HIGH | CVE-2026-35021 | Claude Code CLI: shell injection enables RCE | 7.8 | |
| HIGH | CVE-2026-35020 | Claude Code CLI: OS command injection via TERMINAL env | claude-code | 8.4 |
| CRITICAL | CVE-2026-35022 | Claude Code: OS command injection, credential theft | 9.8 | |
| HIGH | CVE-2026-39308 | PraisonAI: recipe registry path traversal file write | PraisonAI | 7.1 |
| HIGH | CVE-2026-39306 | PraisonAI: recipe path traversal allows arbitrary file write | PraisonAI | 7.3 |
| CRITICAL | CVE-2026-39305 | PraisonAI: path traversal enables arbitrary file write/RCE | PraisonAI | 9.0 |