Training Data
Training data is both the model's most valuable input and its most underprotected one. Three problem classes dominate. First, poisoning: an attacker who can influence a public dataset, a web crawl, or a fine-tuning corpus can plant backdoors or biases that survive into the deployed model — BadNets-style attacks on image classifiers, trigger-phrase attacks on LLMs, and reward-hacking on RLHF datasets. Second, memorization and leakage: models can regurgitate verbatim training data, exposing PII and copyrighted content; this has driven the active New York Times v. OpenAI litigation and is a recurring GDPR concern. Third, provenance: when training data origins are unclear, downstream users inherit legal and security risk they can't assess. EU AI Act Article 10 (Data Governance) and ISO 42001 Annex A treat training-data quality as a controlled asset. Defenses: data lineage tracking, deduplication, PII scrubbing before training, and adversarial training against known trigger families.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-1839 | HuggingFace Transformers: RCE via malicious checkpoint load | transformers | 6.5 |
| HIGH | GHSA-89gg-p5r5-q6r4 | MONAI: pickle deserialization RCE in Auto3DSeg | monai | 7.7 |
| HIGH | CVE-2026-6859 | InstructLab: RCE via hardcoded trust_remote_code flag | instructlab | 8.8 |
| HIGH | CVE-2026-41486 | Ray: Parquet RCE via Arrow extension deserialization | ray | - |
| HIGH | CVE-2026-40171 | Jupyter Notebook: stored XSS enables full account takeover | @jupyterlab/help-extension | - |
| UNKNOWN | CVE-2026-31249 | CosyVoice: insecure deserialization RCE via .pt files | - | |
| UNKNOWN | CVE-2026-31250 | CosyVoice: RCE via unsafe torch.load() in model averaging | - | |
| HIGH | CVE-2026-31253 | flash-attention: RCE via unsafe checkpoint deserialization | flash_attn | 7.3 |
| HIGH | CVE-2026-2614 | MLflow: path traversal allows unauthenticated file read | mlflow | 7.5 |
| CRITICAL | CVE-2026-31214 | torch-checkpoint: unsafe pickle deserialization RCE | 9.8 | |
| UNKNOWN | CVE-2026-31218 | optimate: unsafe torch.load() enables RCE via model file | - | |
| UNKNOWN | CVE-2026-31219 | optimate: RCE via unsafe torch.load() deserialization | - | |
| HIGH | CVE-2026-31222 | snorkel: RCE via insecure model checkpoint loading | snorkel | 8.8 |
| HIGH | GHSA-7j65-65cr-6644 | Flowise: mass assignment breaks cross-workspace isolation | flowise | - |
| HIGH | CVE-2026-2652 | MLflow: auth bypass exposes Job API and trace injection | mlflow | 8.6 |
| HIGH | CVE-2026-8756 | Bert-VITS2: path traversal exposes ML training filesystem | 7.3 | |
| HIGH | CVE-2026-43624 | F5-TTS: path traversal enables arbitrary file write | 8.2 | |
| HIGH | CVE-2026-5422 | jupyter-server: path traversal exposes sibling dir files | jupyter | 8.1 |
| LOW | CVE-2026-10801 | ms-swift: weak hash enables image cache poisoning | ms-swift | 3.6 |
| LOW | CVE-2026-10803 | MLflow: weak dataset hash allows integrity bypass | mlflow | 3.6 |