Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-47732 | twig/twig: sandbox bypass leaks render context | twig/twig | - |
| MEDIUM | CVE-2026-47155 | vLLM: revision pin bypass loads unreviewed artifacts | vllm | 6.5 |
| CRITICAL | CVE-2026-46703 | Boxlite: OCI symlink traversal enables host RCE | boxlite | 9.6 |
| HIGH | CVE-2026-11816 | Keras: path traversal allows arbitrary file write | keras | 8.1 |
| HIGH | CVE-2026-53813 | OpenClaw: path traversal enables RCE via memory-core artifacts | openclaw | 7.8 |
| HIGH | CVE-2026-53810 | OpenClaw: extension metadata bypass enables agent RCE | openclaw | 8.8 |
| MEDIUM | CVE-2026-53808 | OpenClaw: approval bypass enables unauthorized skill changes | OpenClaw | 6.5 |
| HIGH | CVE-2026-53819 | OpenClaw: RCE via workspace .env executable override | openclaw | 8.8 |
| MEDIUM | CVE-2024-11831 | serialize-javascript: XSS via regex in AI/ML dashboards | odh-kf-notebook-controller-rhel8 | 5.4 |
| HIGH | CVE-2026-4424 | libarchive: RAR heap OOB read leaks memory in vLLM stacks | rhaiis/vllm-cuda-rhel9 | 7.5 |
| HIGH | CVE-2026-4111 | libarchive: infinite loop DoS in RAR5 decompression | rhaiis/vllm-cuda-rhel9 | 7.5 |
| HIGH | CVE-2026-45833 | ChromaDB: RCE via trust_remote_code in collection update | chromadb | 8.8 |
| MEDIUM | CVE-2026-42867 | Langflow: path traversal enables arbitrary file write | langflow | 6.5 |
| HIGH | CVE-2026-41523 | vLLM: assert bypass → RCE via poisoned HuggingFace model | vllm | 7.5 |
| MEDIUM | CVE-2026-47748 | stable-diffusion.cpp: OOB read crash via crafted .ckpt file | 5.5 | |
| HIGH | CVE-2026-47749 | stable-diffusion.cpp: heap overflow in .ckpt model parser | 7.8 | |
| HIGH | CVE-2026-53842 | OpenClaw: env var injection enables arbitrary code exec | openclaw | 7.1 |
| HIGH | CVE-2026-53846 | OpenClaw: path traversal enables arbitrary package-manager exec | openclaw | 7.1 |
| HIGH | CVE-2026-53858 | OpenClaw: env var injection loads malicious runtime deps | openclaw | 7.1 |
| HIGH | CVE-2026-53865 | OpenClaw: path traversal enables arbitrary local code exec | openclaw | 7.1 |