Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-48775 | LangGraph SQLite: deserialization RCE at checkpoint load | langgraph | 6.8 |
| HIGH | CVE-2026-47750 | stable-diffusion.cpp: heap overflow via crafted .ckpt model | 7.8 | |
| HIGH | CVE-2026-47747 | stable-diffusion.cpp: .ckpt heap overflow enables RCE | 7.8 | |
| UNKNOWN | CVE-2026-53923 | vLLM: integer truncation leaks GPU memory cross-tenant | vllm | - |
| UNKNOWN | CVE-2026-53875 | picklescan: scanner bypass enables PyTorch RCE | picklescan | - |
| CRITICAL | CVE-2025-71321 | picklescan: blocklist bypass allows arbitrary file write/RCE | picklescan | 9.8 |
| CRITICAL | CVE-2025-71320 | picklescan: deny-list bypass enables arbitrary RCE | picklescan | 9.8 |
| CRITICAL | CVE-2025-71323 | picklescan: ctypes bypass enables full RCE via pickle files | picklescan | 9.8 |
| CRITICAL | CVE-2025-71325 | picklescan: scanner bypass enables RCE via model files | picklescan | 9.8 |
| HIGH | CVE-2025-71322 | PickleScan: pty.spawn bypass enables RCE in model scans | PickleScan | 8.8 |
| CRITICAL | CVE-2026-3490 | picklescan: blocklist bypass enables full RCE | picklescan | 10.0 |
| HIGH | CVE-2026-53872 | picklescan: arbitrary file read bypasses RCE blocklist | picklescan | 7.5 |
| CRITICAL | CVE-2026-53874 | picklescan: scanner bypass enables pickle RCE | picklescan | 9.8 |
| CRITICAL | CVE-2026-53873 | picklescan: blocklist bypass allows arbitrary code exec | picklescan | 9.8 |
| CRITICAL | CVE-2026-35308 | Oracle Coherence: unauthenticated RCE via third-party jars | coherence | 10.0 |
| CRITICAL | GHSA-cwj8-7gp2-ggcw | praisonai-platform: hardcoded JWT secret enables full auth bypass | praisonai-platform | 9.8 |
| HIGH | GHSA-f44v-7qgw-9gh9 | PraisonAI: path traversal enables arbitrary write/delete | praisonai | 8.1 |
| CRITICAL | GHSA-vmmj-pfw7-fjwp | praisonai: sandbox escape gives RCE via codeMode tool | praisonai | 9.9 |
| MEDIUM | CVE-2026-12706 | FFmpeg RASC: UAF in decoder crashes AI inference containers | rhoai/odh-vllm-gaudi-rhel9 | 6.5 |
| MEDIUM | GHSA-vmhf-c436-hxj4 | JupyterLab: XSS via malicious PyPI extension URL | jupyterlab | - |