Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-vcv2-r9jh-99m5 | agentic-flow: MCP tool args enable OS command injection RCE | 8.8 | |
| MEDIUM | CVE-2026-55832 | tract-onnx: path traversal exposes arbitrary local files | tract-onnx | 6.1 |
| HIGH | CVE-2026-54499 | Stanza: pickle fallback bypass enables model RCE | torch | 7.5 |
| HIGH | CVE-2026-53489 | containerd: symlink follow leaks host files via kubectl logs | github.com/containerd/containerd/v2 | - |
| HIGH | CVE-2026-53488 | containerd: label injection enables host RCE via CRI plugin | github.com/containerd/containerd/v2 | - |
| MEDIUM | CVE-2026-50195 | containerd: checkpoint import poisons node image cache | github.com/containerd/containerd/v2 | - |
| HIGH | GHSA-6vxv-wg6j-5qwp | Gogs: XSS via outdated Jupyter renderer, account takeover | gogs.io/gogs | - |
| MEDIUM | CVE-2026-56304 | picklescan: FileHandler bypass creates filesystem artifacts | picklescan | 6.5 |
| MEDIUM | CVE-2026-12798 | litellm: SSRF in MCP OpenAPI spec loader endpoint | litellm | 6.3 |
| HIGH | CVE-2025-71348 | picklescan: scanner bypass enables supply chain RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71378 | picklescan: detection bypass enables RCE via pickle files | picklescan | 8.1 |
| HIGH | CVE-2025-71357 | picklescan: detection bypass enables RCE via malicious models | picklescan | 8.1 |
| HIGH | CVE-2025-71351 | picklescan: scanner bypass enables RCE via pickle files | picklescan | - |
| UNKNOWN | CVE-2026-12479 | Keras: path traversal via layer names allows arbitrary file write | keras-team/keras | - |
| CRITICAL | CVE-2026-54352 | Budibase: zip symlink bypass exposes all server secrets | @budibase/server | 9.6 |
| HIGH | CVE-2026-52798 | Gogs: Stored XSS via .ipynb Markdown re-render bypass | gogs.io/gogs | 8.9 |
| HIGH | CVE-2026-54232 | vLLM: dependency confusion RCE backdoors container images | vllm | 8.8 |
| HIGH | CVE-2025-71339 | picklescan: scanner bypass enables arbitrary code execution | picklescan | 8.1 |
| HIGH | CVE-2025-71344 | picklescan: scanner bypass enables undetected pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71358 | picklescan: scanner bypass enables RCE via pickle | picklescan | 8.1 |