Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2025-71341 | picklescan: scanner bypass enables undetected RCE via pickle | picklescan | 8.1 |
| HIGH | CVE-2025-71365 | picklescan: detection bypass enables RCE via numpy.f2py | picklescan | 8.1 |
| HIGH | CVE-2025-71370 | picklescan: scanner bypass enables arbitrary code execution | picklescan | 8.1 |
| HIGH | CVE-2025-71376 | picklescan: scanner bypass enables undetected RCE | picklescan | 8.1 |
| CRITICAL | CVE-2026-56315 | picklescan: stdlib bypass enables arbitrary RCE | picklescan | 9.8 |
| CRITICAL | CVE-2018-25117 | VestaCP: backdoored installer, not an AI/ML CVE | Control Panel (CP) | - |
| MEDIUM | CVE-2026-22180 | OpenClaw: path traversal enables arbitrary file writes | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-22176 | OpenClaw: cmd injection in Windows task script generation | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-22217 | OpenClaw: $SHELL env hijack enables arbitrary code execution | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-27670 | OpenClaw: TOCTOU race enables arbitrary file write in agents | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-31990 | OpenClaw: symlink traversal enables arbitrary file write | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-31995 | OpenClaw: cmd injection via Windows shell fallback | OpenClaw | 5.3 |
| HIGH | CVE-2026-32000 | OpenClaw: cmd injection via Windows shell fallback | OpenClaw | 7.1 |
| MEDIUM | CVE-2026-31999 | OpenClaw: CWD injection enables integrity loss on Windows | OpenClaw | 6.3 |
| MEDIUM | CVE-2026-32004 | OpenClaw: auth bypass exposes protected channel API | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32007 | OpenClaw: path traversal enables sandbox file escape | OpenClaw | 6.8 |
| HIGH | CVE-2026-32015 | OpenClaw: PATH hijack bypasses exec allowlist controls | OpenClaw | 7.8 |
| MEDIUM | CVE-2026-32009 | OpenClaw: binary hijacking via safeBins path bypass | OpenClaw | 5.7 |
| LOW | CVE-2026-32020 | OpenClaw: symlink traversal enables arbitrary file read | OpenClaw | 3.3 |
| MEDIUM | CVE-2026-32044 | OpenClaw: archive safety bypass causes DoS in skill install | OpenClaw | 5.5 |