Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-44513 | diffusers: trust_remote_code bypass enables silent RCE | diffusers | 8.8 |
| MEDIUM | CVE-2026-40610 | BentoML: symlink traversal exfiltrates host secrets at build | bentoml | 5.5 |
| CRITICAL | CVE-2026-42208 | LiteLLM: SQL injection exposes LLM API credentials | litellm | 9.8 |
| HIGH | CVE-2026-44552 | open-webui: Redis cache poisoning enables cross-instance tool hijack | open-webui | 8.7 |
| HIGH | CVE-2026-44843 | LangChain: deserialization poisons LLM chat history | langchain-core | 8.2 |
| HIGH | CVE-2026-44566 | Open WebUI: path traversal + file upload leads to RCE | open-webui | 7.3 |
| MEDIUM | CVE-2026-43570 | OpenClaw: symlink traversal exposes host filesystem | openclaw | 6.5 |
| HIGH | CVE-2026-44346 | BentoML: Dockerfile injection enables build-time RCE | bentoml | 8.8 |
| HIGH | CVE-2026-44345 | BentoML: unsanitized base_image allows Dockerfile RCE | bentoml | 8.8 |
| HIGH | CVE-2026-44340 | PraisonAI: tar symlink bypass allows arbitrary file write | PraisonAI | 7.5 |
| UNKNOWN | CVE-2026-31249 | CosyVoice: insecure deserialization RCE via .pt files | - | |
| UNKNOWN | CVE-2026-31250 | CosyVoice: RCE via unsafe torch.load() in model averaging | - | |
| UNKNOWN | CVE-2026-31251 | CosyVoice: RCE via unsafe torch.load() deserialization | - | |
| UNKNOWN | CVE-2026-31252 | CosyVoice: RCE via unsafe torch.load() deserialization | - | |
| HIGH | CVE-2026-31253 | flash-attention: RCE via unsafe checkpoint deserialization | flash_attn | 7.3 |
| CRITICAL | CVE-2026-31214 | torch-checkpoint: unsafe pickle deserialization RCE | 9.8 | |
| HIGH | CVE-2026-31221 | pytorch-lightning: RCE via insecure checkpoint deserialization | pytorch-lightning | 7.8 |
| UNKNOWN | CVE-2026-31218 | optimate: unsafe torch.load() enables RCE via model file | - | |
| UNKNOWN | CVE-2026-31219 | optimate: RCE via unsafe torch.load() deserialization | - | |
| HIGH | CVE-2026-31222 | snorkel: RCE via insecure model checkpoint loading | snorkel | 8.8 |