Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-46695 | Boxlite: read-only bypass enables host code execution | boxlite-cli | 10.0 |
| HIGH | CVE-2026-24162 | NVIDIA Transformers4Rec: deserialization RCE | 7.8 | |
| CRITICAL | CVE-2026-7524 | Langflow: RCE via symlink traversal in archive extraction | langflow | 9.8 |
| CRITICAL | CVE-2026-31233 | guardrails-ai: RCE via malicious Hub package manifest | guardrails-ai | 9.8 |
| UNKNOWN | CVE-2026-4944 | vllm: trust_remote_code bypass enables RCE via HuggingFace | vllm | - |
| HIGH | CVE-2026-35674 | OpenClaw: scope bypass enables full agent admin takeover | openclaw | 8.8 |
| MEDIUM | CVE-2026-49384 | PyCharm: stored XSS via Jupyter Markdown cells | 6.1 | |
| HIGH | CVE-2026-47398 | PraisonAI: RCE via ungated exec_module in agent config | PraisonAI | 8.1 |
| HIGH | CVE-2026-38950 | AnomalyMatch: RCE via torch.load() unsafe deserialization | 7.8 | |
| CRITICAL | CVE-2026-9319 | IBM WebSphere: RCE via JAX-WS deserialization (CVSS 9.0) | 9.0 | |
| HIGH | CVE-2026-43624 | F5-TTS: path traversal enables arbitrary file write | 8.2 | |
| CRITICAL | CVE-2026-47117 | OpenMed: RCE via trust_remote_code model loading | openmed | 9.8 |
| CRITICAL | CVE-2026-5241 | transformers: trust_remote_code bypass enables RCE via model load | transformers | 9.6 |
| HIGH | CVE-2026-41234 | Froxlor: DNS zone injection via unsanitized TXT record | froxlor/froxlor | 7.6 |
| LOW | CVE-2026-10801 | ms-swift: weak hash enables image cache poisoning | ms-swift | 3.6 |
| MEDIUM | CVE-2026-10804 | Streamlit: weak hash enables cache integrity bypass | streamlit | 4.7 |
| LOW | CVE-2026-10803 | MLflow: weak dataset hash allows integrity bypass | mlflow | 3.6 |
| CRITICAL | CVE-2026-2586 | GlassFish: authenticated RCE via admin console | org.glassfish.jsftemplating:jsftemplating | 9.1 |
| LOW | CVE-2026-11329 | onnx-mlir: weak hash enables model cache poisoning | 3.6 | |
| HIGH | GHSA-wx3m-whqv-xv47 | skillctl: path traversal enables credential exfiltration | skillctl | - |