Training Data
Training data is both the model's most valuable input and its most underprotected one. Three problem classes dominate. First, poisoning: an attacker who can influence a public dataset, a web crawl, or a fine-tuning corpus can plant backdoors or biases that survive into the deployed model — BadNets-style attacks on image classifiers, trigger-phrase attacks on LLMs, and reward-hacking on RLHF datasets. Second, memorization and leakage: models can regurgitate verbatim training data, exposing PII and copyrighted content; this has driven the active New York Times v. OpenAI litigation and is a recurring GDPR concern. Third, provenance: when training data origins are unclear, downstream users inherit legal and security risk they can't assess. EU AI Act Article 10 (Data Governance) and ISO 42001 Annex A treat training-data quality as a controlled asset. Defenses: data lineage tracking, deduplication, PII scrubbing before training, and adversarial training against known trigger families.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-r54c-2xmf-2cf3 | ms-swift: RCE via pickle deserialization in adapter models | ms-swift | - |
| MEDIUM | CVE-2025-51481 | Dagster: path traversal exposes arbitrary file read via gRPC | 6.6 | |
| MEDIUM | CVE-2025-3044 | llama-index ArxivReader: MD5 collision corrupts training data | llama-index-readers-papers | 5.3 |
| HIGH | CVE-2025-30167 | jupyter_core: config hijack enables cross-user code exec | jupyter_core | 7.3 |
| HIGH | CVE-2025-47783 | Label Studio: XSS enables unauthorized actions via CSRF | label-studio | - |
| MEDIUM | CVE-2025-0508 | SageMaker SDK: MD5 collision silently replaces ML workflows | sagemaker | 5.9 |
| CRITICAL | CVE-2024-8019 | pytorch-lightning: file upload RCE (Windows) | pytorch-lightning | 9.1 |
| HIGH | CVE-2024-10572 | H2O-3: unauthenticated AST parser enables DoS + file write | h2o | 7.5 |
| MEDIUM | CVE-2025-1979 | Ray: Redis password exposed via plaintext logging | ray | 6.4 |
| HIGH | CVE-2025-25297 | Label Studio: SSRF via S3 endpoint exposes internal services | label-studio | 8.6 |
| MEDIUM | CVE-2025-25296 | Label Studio: reflected XSS via label_config param | label-studio | 6.1 |
| HIGH | CVE-2025-25295 | Label Studio SDK: path traversal leaks server filesystem | label-studio-sdk | - |
| HIGH | CVE-2024-49048 | TorchGeo: RCE via code injection in geospatial ML lib | torchgeo | 8.1 |
| CRITICAL | CVE-2023-6020 | Ray: unauthenticated LFI exposes entire filesystem | ray | 9.3 |
| CRITICAL | CVE-2023-6019 | Ray: unauthenticated RCE via dashboard command injection | ray | 9.8 |
| HIGH | CVE-2021-39160 | nbgitpuller: RCE via OS command injection in git URLs | 8.8 | |
| MEDIUM | CVE-2022-36551 | Label Studio: SSRF + file read, self-reg bypass | label-studio | 6.5 |
| HIGH | CVE-2025-15381 | MLflow: broken access control exposes experiment traces | mlflow | 8.1 |
| CRITICAL | CVE-2026-0545 | MLflow: auth bypass in job API enables unauthenticated RCE | mlflow | 9.1 |
| MEDIUM | CVE-2026-35492 | kedro-datasets: path traversal enables arbitrary file write | kedro-datasets | 6.5 |