Training Data
Training data is both the model's most valuable input and its most underprotected one. Three problem classes dominate. First, poisoning: an attacker who can influence a public dataset, a web crawl, or a fine-tuning corpus can plant backdoors or biases that survive into the deployed model — BadNets-style attacks on image classifiers, trigger-phrase attacks on LLMs, and reward-hacking on RLHF datasets. Second, memorization and leakage: models can regurgitate verbatim training data, exposing PII and copyrighted content; this has driven the active New York Times v. OpenAI litigation and is a recurring GDPR concern. Third, provenance: when training data origins are unclear, downstream users inherit legal and security risk they can't assess. EU AI Act Article 10 (Data Governance) and ISO 42001 Annex A treat training-data quality as a controlled asset. Defenses: data lineage tracking, deduplication, PII scrubbing before training, and adversarial training against known trigger families.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-11816 | Keras: path traversal allows arbitrary file write | keras | 8.1 |
| CRITICAL | CVE-2026-48797 | backpropagate: auth bypass exposes LLM training plane | backpropagate | - |
| CRITICAL | CVE-2025-71321 | picklescan: blocklist bypass allows arbitrary file write/RCE | picklescan | 9.8 |
| HIGH | CVE-2025-71376 | picklescan: scanner bypass enables undetected RCE | picklescan | 8.1 |
| HIGH | CVE-2026-52812 | Gogs LFS: cross-tenant object disclosure via dedupe bypass | gogs.io/gogs | - |
| CRITICAL | CVE-2026-56445 | qrscp: DICOM path traversal enables arbitrary file write | 9.1 | |
| HIGH | CVE-2026-58116 | LLaMA-Factory: RCE via malicious model path | llama-factory | 8.8 |
| HIGH | CVE-2025-71350 | picklescan: scanner bypass enables pickle RCE | torch | 8.1 |
| UNKNOWN | CVE-2026-12480 | Keras: incomplete fix reopens HDF5 arbitrary file read | keras | - |
| HIGH | CVE-2026-57516 | Ray: RCE via pickle/torch deserialization in WebDataset | ray | 8.8 |
| UNKNOWN | CVE-2026-8387 | ClearML: path traversal in zip extraction enables RCE | allegroai/clearml | - |
| CRITICAL | CVE-2026-23537 | Feast: unauth file write to RCE via /save-document | rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9 | 9.1 |
| HIGH | CVE-2026-56209 | libaom: arbitrary address write in AV1 SVC codec | rhaiis/vllm-cpu-rhel9 | 7.1 |
| HIGH | CVE-2026-14535 | fickling: shared-state bug disables ML pickle allowlist check | fickling | 8.8 |
| MEDIUM | CVE-2026-55438 | Coder: CORS bypass via workspace subdomain proxy | github.com/coder/coder/v2 | 5.8 |
| HIGH | CVE-2026-55075 | Coder: OIDC auth bypass enables account takeover | github.com/coder/coder/v2 | 7.4 |
Page 10 of 10