Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-58116 | LLaMA-Factory: RCE via malicious model path | llama-factory | 8.8 |
| HIGH | CVE-2025-71349 | picklescan: bypass allows undetected pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71350 | picklescan: scanner bypass enables pickle RCE | torch | 8.1 |
| HIGH | CVE-2025-71352 | picklescan: RCE bypass via trace.Trace.runctx | picklescan | 8.1 |
| UNKNOWN | CVE-2025-71355 | Picklescan: NumPy gadget bypass enables pickle RCE | picklescan | - |
| HIGH | CVE-2025-71363 | picklescan: scanner bypass enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71368 | picklescan: scan bypass lets malicious pickles hit RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71371 | picklescan: malicious pickle bypasses RCE scan | picklescan | 8.1 |
| HIGH | CVE-2025-71374 | picklescan: scanner bypass enables pickle RCE | picklescan | 8.1 |
| UNKNOWN | CVE-2026-12480 | Keras: incomplete fix reopens HDF5 arbitrary file read | keras | - |
| HIGH | CVE-2026-57516 | Ray: RCE via pickle/torch deserialization in WebDataset | ray | 8.8 |
| UNKNOWN | CVE-2026-8387 | ClearML: path traversal in zip extraction enables RCE | allegroai/clearml | - |
| HIGH | CVE-2026-4372 | transformers: config.json RCE bypasses trust_remote_code | transformers | 7.8 |
| MEDIUM | GHSA-cqwv-9qjx-vxw2 | OpenClaw: agent tool call bypasses skill approval gate | openclaw | 5.3 |
| HIGH | CVE-2026-56210 | libaom: AV1 SVC bounds-check miss leaks heap, crashes | rhaiis/vllm-cpu-rhel9 | 7.1 |
| HIGH | CVE-2026-56211 | libaom: AV1 SVC OOB write enables RCE | rhaiis/vllm-cpu-rhel9 | 7.1 |
| HIGH | CVE-2026-56209 | libaom: arbitrary address write in AV1 SVC codec | rhaiis/vllm-cpu-rhel9 | 7.1 |
| CRITICAL | CVE-2026-12481 | Keras: safe_mode=None bypass enables Lambda RCE | keras | 9.8 |
| HIGH | CVE-2025-71342 | picklescan: idlelib bypass hides pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71372 | Picklescan: RCE gadget bypasses pickle safety scanner | picklescan | 8.1 |