Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-32046 | OpenClaw: sandbox bypass enables host code execution | OpenClaw | 5.3 |
| MEDIUM | CVE-2026-32052 | OpenClaw: command injection via shell-wrapper argv bypass | OpenClaw | 6.4 |
| HIGH | CVE-2026-32056 | OpenClaw: RCE via shell env var injection in system.run | OpenClaw | 7.5 |
| HIGH | CVE-2026-32920 | OpenClaw: workspace plugin auto-load enables RCE | OpenClaw | 8.4 |
| HIGH | CVE-2026-32979 | OpenClaw: TOCTOU race enables local code execution | OpenClaw | 7.3 |
| HIGH | CVE-2026-32978 | OpenClaw: script approval bypass allows RCE | OpenClaw | 8.0 |
| MEDIUM | CVE-2026-33574 | OpenClaw: TOCTOU path traversal enables arbitrary file write | OpenClaw | 6.2 |
| HIGH | CVE-2026-34504 | OpenClaw: SSRF in fal provider exposes internal services | OpenClaw | 8.3 |
| HIGH | CVE-2026-35641 | OpenClaw: RCE via .npmrc override in plugin install | OpenClaw | 7.8 |
| MEDIUM | CVE-2026-35649 | OpenClaw: access control bypass via allowlist reconciliation | OpenClaw | 6.5 |
| HIGH | CVE-2026-55249 | @rtk-ai/rtk-rewrite: RCE via shell injection in exec tool | openclaw | 8.8 |
| HIGH | CVE-2026-7574 | Claude Desktop: VM integrity bypass enables RCE | Claude Desktop Cowork | 8.7 |
| HIGH | CVE-2025-71354 | picklescan: scanner bypass enables arbitrary code execution | picklescan | 8.1 |
| HIGH | CVE-2025-71361 | picklescan: scanner bypass allows RCE via pickle load | picklescan | 8.1 |
| CRITICAL | CVE-2026-12537 | Gemini CLI: OS command injection enables pre-sandbox RCE | run-gemini-cli GitHub Action | - |
| CRITICAL | CVE-2026-54158 | SiYuan: XSS→RCE via workspace sync in Electron app | github.com/siyuan-note/siyuan/kernel | 9.9 |
| HIGH | CVE-2025-71340 | picklescan: scanner bypass enables RCE via pickle supply chain | picklescan | 8.1 |
| CRITICAL | CVE-2025-71338 | Flowise: unauthenticated file write enables RCE | Flowise | 10.0 |
| CRITICAL | GHSA-98x5-vq43-vc5p | semantic-router: unpinned litellm dep pulls malware wheel | litellm | - |
| CRITICAL | CVE-2026-2651 | MLflow: auth bypass on artifact uploads enables RCE | mlflow/mlflow | 9.0 |