Models
Adversaries may acquire public models to use in their operations. Adversaries may seek models used by the victim organization or models that are representative of those used by the victim organization. Representative models may include model architectures, or pre-trained models which define the architecture as well as model parameters from training on a dataset. The adversary may search public sources for common model architecture configuration file formats such as YAML or Python configuration files, and common model storage file formats such as ONNX (.onnx), HDF5 (.h5), Pickle (.pkl), PyTorch (.pth), or TensorFlow (.pb, .tflite). Acquired models are useful in advancing the adversary's operations and are frequently used to tailor attacks to the victim model.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2025-32434 | PyTorch: RCE bypasses weights_only=True safe-load guard | pytorch | 9.8 |
| CRITICAL | CVE-2025-30404 | ExecuTorch: integer overflow RCE on model load | executorch | 9.8 |
| CRITICAL | CVE-2024-34359 | llama-cpp-python: SSTI in .gguf loader enables RCE | — | 9.6 |
| CRITICAL | CVE-2026-28500 | onnx: Integrity Verification bypass enables tampering | onnx | 9.1 |
| HIGH | CVE-2025-24357 | vLLM: unsafe deserialization RCE via model loading | vllm | 8.8 |
| HIGH | CVE-2024-5187 | ONNX: path traversal in model download enables RCE | onnx | 8.8 |
| HIGH | CVE-2026-24747 | pytorch: Code Injection enables RCE | pytorch | 8.8 |
| HIGH | CVE-2025-66448 | vllm: Code Injection enables RCE | vllm | 8.8 |
| HIGH | CVE-2025-58756 | MONAI: unsafe deserialization in CheckpointLoader allows RCE | monai | 8.8 |
| HIGH | CVE-2025-58755 | MONAI: path traversal allows arbitrary file write | monai | 8.8 |
| HIGH | CVE-2025-54886 | skops: joblib fallback enables RCE via model load | skops | 8.4 |
| HIGH | CVE-2024-7776 | ONNX: path traversal in download_model enables RCE | onnx | 8.1 |
| HIGH | CVE-2026-1669 | keras: File Control enables path manipulation | keras | 7.5 |
| MEDIUM | CVE-2026-34447 | ONNX: symlink traversal reads host files via model loading | onnx | 5.5 |
| MEDIUM | CVE-2026-34446 | ONNX: hardlink path traversal leaks sensitive files | onnx | 4.7 |
| UNKNOWN | CVE-2025-14930 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2024-4897 | lollms-webui: RCE via malicious GGUF model loading | — | — |
| UNKNOWN | CVE-2025-14929 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14927 | transformers: Code Injection enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14920 | transformers: Deserialization enables RCE | transformers | — |
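Of the storage formats named above, .pkl files are Python pickles and PyTorch .pth/.pt archives wrap one (data.pkl), and several rows in the table are unsafe deserialization on load. The scanner below is an added example, not code from ATLAS or from any project in the table: it walks a model file's pickle opcode stream with `pickletools` without executing it and reports every global that a load would import, against an allowlist. The allowlist contents and the sample inputs are assumptions constructed for the demo.

```python
import collections
import io
import pickle
import pickletools
import zipfile

ALLOWED_GLOBALS = {  # example allowlist (assumption): what a plain PyTorch state_dict references
    ("collections", "OrderedDict"), ("torch._utils", "_rebuild_tensor_v2"), ("torch", "FloatStorage")}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS, PUT_OPS = {"GET", "BINGET", "LONG_BINGET"}, {"PUT", "BINPUT", "LONG_BINPUT"}
CALL_OPS = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}  # opcodes that run code

def scan_pickle(data: bytes) -> dict:
    """Walk the opcode stream without executing it and report every global a load would import."""
    pushed, memo, top = [], {}, None       # strings seen on the stack, memo slots, current top
    globals_seen, calls = [], collections.Counter()
    for op, arg, _ in pickletools.genops(data):
        if op.name in STRING_OPS:
            pushed.append(top := arg)
        elif op.name in GET_OPS:           # replays a memoised string (e.g. a reused module name)
            pushed.append(top := memo.get(arg))
        elif op.name == "MEMOIZE":         # stores the top of stack in the next free slot, no pop
            memo[len(memo)] = top
        elif op.name in PUT_OPS:
            memo[arg] = top
        else:
            if op.name == "GLOBAL":        # protocols 0-3 carry "module name" inline
                globals_seen.append(tuple(arg.split(" ", 1)))
            elif op.name == "STACK_GLOBAL":  # protocol 4+ takes module and name off the stack
                globals_seen.append(tuple(pushed[-2:]))
            elif op.name in CALL_OPS:
                calls[op.name] += 1
            top = None                     # anything else pushes a non-string or pops
    unexpected = [g for g in globals_seen if g not in ALLOWED_GLOBALS]
    return {"globals": globals_seen, "unexpected": unexpected, "calls": dict(calls)}

def scan_model_bytes(blob: bytes) -> dict:
    """PyTorch .pt/.pth archives are zip files holding data.pkl; a bare .pkl is the pickle itself."""
    if zipfile.is_zipfile(io.BytesIO(blob)):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return {m: scan_pickle(zf.read(m)) for m in zf.namelist() if m.endswith(".pkl")}
    return {"<pickle>": scan_pickle(blob)}

def sample_pickles() -> dict:
    """Constructed inputs: a state_dict-shaped pickle, one importing an unlisted class, a .pth-style zip."""
    state = pickle.dumps(collections.OrderedDict(weight=[1.0, 2.0]))
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("archive/data.pkl", state)
    return {"state_dict": state, "archive": archive.getvalue(), "deque": pickle.dumps(collections.deque([1]), protocol=2)}
```

A non-empty `unexpected` list is a reason not to hand the file to a loader at all; CVE-2025-32434 in the table, where the loader's own `weights_only=True` guard was bypassed, is why this triage belongs before the load rather than inside it.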