Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2025-71343 | picklescan: scanner bypass lets malicious pickle files evade detection | picklescan | 8.1 |
| HIGH | CVE-2025-71345 | picklescan: scanner blocklist bypass hides pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71347 | picklescan: numpy.f2py bypass lets malicious pickle evade scan | picklescan | 8.1 |
| HIGH | CVE-2025-71353 | picklescan: detection bypass allows pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71356 | picklescan: torch.fx gadget bypasses malicious-pickle detection | picklescan | 8.1 |
| HIGH | CVE-2025-71359 | picklescan: scan bypass lets malicious models RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71360 | picklescan: scanner bypass enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71362 | picklescan: scanner bypass enables RCE via numpy eval | picklescan | 8.1 |
| HIGH | CVE-2025-71364 | picklescan: scanner blind spot enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71366 | picklescan: scan bypass lets malicious pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71367 | picklescan: attrgetter bypass evades malicious pickle scan | picklescan | 8.1 |
| HIGH | CVE-2025-71369 | picklescan misses malicious pickles via torch decoder | picklescan | 8.1 |
| HIGH | CVE-2025-71373 | picklescan: methodcaller bypass enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71375 | picklescan: detection bypass enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2026-14535 | fickling: shared-state bug disables ML pickle allowlist check | fickling | 8.8 |
| HIGH | CVE-2026-14534 | fickling: denylist gaps let malicious pickles execute | fickling | 8.8 |
| HIGH | CVE-2026-55431 | Coder: session token leak via workspace app URL | github.com/coder/coder/v2 | 7.7 |
| HIGH | CVE-2026-55427 | Coder: SSH config injection via config-ssh enables RCE | github.com/coder/coder/v2 | 8.3 |
| MEDIUM | CVE-2026-44512 | onnx: crafted model triggers SIGSEGV in version_converter | onnx | 5.5 |
| MEDIUM | CVE-2026-59261 | OpenClaw: dotenv override leaks provider credentials | openclaw | 6.5 |