AI Software
Adversaries may target software packages that are commonly used in AI-enabled systems or are part of the AI DevOps lifecycle. This can include deep learning frameworks used to build AI models (e.g. PyTorch, TensorFlow, Jax), generative AI integration frameworks (e.g. LangChain, LangFlow), inference engines, and AI DevOps tools. They may also target the dependency chains of any of these software packages [\[1\]][1]. Additionally, adversaries may target specific components used by AI software such as configuration files [\[2\]][2] or example usage of AI packages, which may be distributed in Jupyter notebooks [\[3\]][3].

Adversaries may compromise legitimate packages [\[4\]][4] or publish malicious software to a namesquatted location [\[1\]][1]. They may target package names that are hallucinated by large language models [\[5\]][5] (see: Publish Hallucinated Entities). They may also perform an [AI Supply Chain Rug Pull](/techniques/AML.T0109), in which they first publish a legitimate package and then publish a malicious version once they reach a critical mass of users.

[1]: https://pytorch.org/blog/compromised-nightly-dependency/ "Compromised PyTorch-nightly dependency chain between December 25th and December 30th, 2022."
[2]: https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents "New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents"
[3]: https://medium.com/mlearning-ai/careful-who-you-colab-with-fa8001f933e7 "Careful Who You Colab With: abusing google colaboratory"
[4]: https://aws.amazon.com/security/security-bulletins/AWS-2025-015/ "Security Update for Amazon Q Developer Extension for Visual Studio Code (Version #1.84)"
[5]: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/slopsquatting-when-ai-agents-hallucinate-malicious-packages "Slopsquatting: When AI Agents Hallucinate Malicious Packages"

| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2025-5120 | smolagents: sandbox escape enables unauthenticated RCE | smolagents | 10.0 |
| CRITICAL | CVE-2026-34938 | praisonaiagents: sandbox bypass enables full host RCE | praisonaiagents | 10.0 |
| CRITICAL | CVE-2024-12909 | llama-index finchat: SQL injection enables RCE | llama-index-packs-finchat | 10.0 |
| CRITICAL | CVE-2024-2912 | BentoML: RCE via insecure deserialization (CVSS 10) | | 10.0 |
| CRITICAL | GHSA-vvpj-8cmc-gx39 | picklescan: security flaw enables exploitation | picklescan | 10.0 |
| CRITICAL | CVE-2026-33660 | TensorFlow: type confusion NPD in tensor conversion | n8n | 10.0 |
| CRITICAL | CVE-2026-26030 | semantic-kernel: Code Injection enables RCE | semantic-kernel | 10.0 |
| CRITICAL | CVE-2025-15379 | MLflow: RCE via unsanitized model dependency specs | mlflow | 10.0 |
| CRITICAL | CVE-2020-15196 | TensorFlow: heap OOB read in sparse/ragged count ops | tensorflow | 9.9 |
| CRITICAL | CVE-2025-54381 | BentoML: unauthenticated SSRF via file upload URLs | bentoml | 9.9 |
| CRITICAL | CVE-2026-33309 | langflow: Path Traversal enables file access | langflow | 9.9 |
| CRITICAL | CVE-2023-6014 | MLflow: auth bypass allows arbitrary account creation | mlflow | 9.8 |
| CRITICAL | CVE-2025-54951 | ExecuTorch: heap buffer overflow RCE in model loading | executorch | 9.8 |
| CRITICAL | CVE-2024-5452 | pytorch-lightning: RCE via deepdiff Delta deserialization | pytorch_lightning | 9.8 |
| CRITICAL | CVE-2024-52803 | LlamaFactory: RCE via OS command injection in training | llamafactory | 9.8 |
| CRITICAL | CVE-2026-25960 | vllm: SSRF allows internal network access | vllm | 9.8 |
| CRITICAL | CVE-2022-23587 | TensorFlow: integer overflow in Grappler enables RCE | tensorflow | 9.8 |
| CRITICAL | CVE-2022-0845 | pytorch-lightning: code injection enables full RCE | pytorch_lightning | 9.8 |
| CRITICAL | CVE-2025-54949 | ExecuTorch: heap buffer overflow RCE via model loading | executorch | 9.8 |
| CRITICAL | CVE-2025-47277 | vLLM: RCE via exposed TCPStore in distributed inference | vllm | 9.8 |
| CRITICAL | CVE-2025-6853 | Langchain-Chatchat: path traversal in KB upload | langchain-chatchat | 9.8 |
| CRITICAL | CVE-2025-53002 | LLaMA-Factory: RCE via unsafe checkpoint deserialization | llamafactory | 9.8 |
| CRITICAL | CVE-2025-11200 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| CRITICAL | CVE-2025-11201 | mlflow: Path Traversal enables file access | mlflow | 9.8 |
| CRITICAL | CVE-2024-3660 | Keras: RCE via malicious model deserialization | keras | 9.8 |
| CRITICAL | CVE-2023-6018 | MLflow: unauth file overwrite enables model poisoning | mlflow | 9.8 |
| CRITICAL | CVE-2024-46946 | LangChain-Experimental: RCE via eval in math chain | langchain-experimental | 9.8 |
| CRITICAL | CVE-2025-1793 | llama_index: SQL injection in vector store integrations | llama-index | 9.8 |
| CRITICAL | CVE-2023-32785 | LangChain: prompt injection → SQL RCE (CVSS 9.8) | langchain | 9.8 |
| CRITICAL | CVE-2025-12060 | keras: Path Traversal enables file access | keras | 9.8 |
| CRITICAL | CVE-2024-48063 | PyTorch: RCE via RemoteModule deserialization | pytorch | 9.8 |
| CRITICAL | CVE-2023-44467 | LangChain: RCE bypass via __import__ in PAL chain | langchain_experimental | 9.8 |
| CRITICAL | CVE-2019-16778 | TensorFlow: heap overflow in UnsortedSegmentSum op | tensorflow | 9.8 |
| CRITICAL | CVE-2023-43654 | TorchServe: SSRF + RCE via unrestricted model URL loading | torchserve | 9.8 |
| CRITICAL | CVE-2024-8309 | LangChain GraphCypher: prompt injection enables DB wipe | langchain | 9.8 |
| CRITICAL | GHSA-g38g-8gr9-h9xp | picklescan: Allowlist Bypass evades input filtering | picklescan | 9.8 |
| CRITICAL | CVE-2025-32444 | vLLM: RCE via pickle deserialization on ZeroMQ | vllm | 9.8 |
| CRITICAL | CVE-2020-15205 | TensorFlow: heap overflow in StringNGrams, ASLR bypass | tensorflow | 9.8 |
| CRITICAL | CVE-2022-35939 | TensorFlow: ScatterNd OOB write enables RCE/crash | tensorflow | 9.8 |
| CRITICAL | CVE-2020-15208 | TFLite: OOB read/write via tensor dimension mismatch | tensorflow | 9.8 |
| CRITICAL | CVE-2025-3248 | Langflow: Unauth RCE via code injection endpoint | langflow | 9.8 |
| CRITICAL | CVE-2023-25664 | TensorFlow: heap overflow in AvgPoolGrad, RCE risk | tensorflow | 9.8 |
| CRITICAL | CVE-2023-1177 | MLflow: path traversal allows arbitrary file read/write | mlflow | 9.8 |
| CRITICAL | CVE-2025-32375 | BentoML: RCE via insecure deserialization in runner | bentoml | 9.8 |
| CRITICAL | CVE-2024-48061 | Langflow: RCE via unsandboxed code component execution | langflow | 9.8 |
| CRITICAL | CVE-2024-39236 | Gradio: code injection via component metadata (CVSS 9.8) | gradio | 9.8 |
| CRITICAL | CVE-2025-30404 | ExecuTorch: integer overflow RCE on model load | executorch | 9.8 |
| CRITICAL | CVE-2024-37014 | Langflow: unauthenticated RCE via custom component API | langflow | 9.8 |
| CRITICAL | CVE-2025-54950 | ExecuTorch: OOB read in model loader enables RCE | executorch | 9.8 |
| CRITICAL | CVE-2024-27444 | LangChain Experimental: RCE via Python sandbox escape | langchain-experimental | 9.8 |
| CRITICAL | CVE-2024-2057 | LangChain TFIDFRetriever: SSRF/RCE via load_local | langchain | 9.8 |
| CRITICAL | CVE-2023-2780 | MLflow: path traversal allows arbitrary file read/write | mlflow | 9.8 |
| CRITICAL | CVE-2025-27520 | BentoML: unauthenticated RCE via insecure deserialization | bentoml | 9.8 |
| CRITICAL | CVE-2025-13374 | Kalrav: Arbitrary File Upload enables RCE | | 9.8 |
| CRITICAL | CVE-2023-25668 | TensorFlow: unauthenticated RCE via heap buffer overflow | tensorflow | 9.8 |
| CRITICAL | CVE-2025-25362 | spacy-llm: SSTI allows unauthenticated RCE (CVSS 9.8) | spacy-llm | 9.8 |
| CRITICAL | CVE-2023-39631 | LangChain: RCE via numexpr evaluate injection | langchain | 9.8 |
| CRITICAL | CVE-2026-2635 | mlflow: security flaw enables exploitation | mlflow | 9.8 |
| CRITICAL | GHSA-7wx9-6375-f5wh | picklescan: Allowlist Bypass evades input filtering | picklescan | 9.8 |
| CRITICAL | CVE-2022-41900 | TensorFlow: heap OOB RCE in FractionalMaxPool op | tensorflow | 9.8 |
| CRITICAL | CVE-2023-36281 | LangChain: RCE via malicious JSON prompt template | langchain | 9.8 |
| CRITICAL | CVE-2022-45907 | PyTorch: RCE via unsafe eval in JIT annotations | pytorch | 9.8 |
| CRITICAL | CVE-2024-35198 | TorchServe: URL bypass enables arbitrary model loading | torchserve | 9.8 |
| CRITICAL | CVE-2023-38896 | LangChain: RCE via unsandboxed LLM code execution | langchain | 9.8 |
| CRITICAL | CVE-2024-11041 | vllm: RCE via unsafe pickle deserialization in MessageQueue | vllm | 9.8 |
| CRITICAL | CVE-2023-38860 | LangChain: RCE via unsanitized prompt parameter | langchain | 9.8 |
| CRITICAL | CVE-2026-22778 | vllm: security flaw enables exploitation | vllm | 9.8 |
| CRITICAL | CVE-2023-36095 | LangChain PALChain: RCE via unsanitized exec() calls | langchain | 9.8 |
| CRITICAL | CVE-2024-49326 | Affiliator WP Plugin: Unauthenticated Web Shell Upload | affiliator | 9.8 |
| CRITICAL | CVE-2025-32434 | PyTorch: RCE bypasses weights_only=True safe-load guard | pytorch | 9.8 |
| CRITICAL | CVE-2024-9053 | vllm: RCE via unsafe pickle deserialization in RPC server | vllm | 9.8 |
| CRITICAL | CVE-2024-9070 | BentoML: unauthenticated RCE via runner deserialization | bentoml | 9.8 |
| CRITICAL | CVE-2023-36188 | LangChain: RCE via PALChain unsanitized Python exec | langchain | 9.8 |
| CRITICAL | CVE-2024-11958 | llama-index DuckDB retriever: SQLi enables RCE | llama-index-retrievers-duckdb-retriever | 9.8 |
| CRITICAL | CVE-2025-30405 | ExecuTorch: integer overflow in model load → RCE | executorch | 9.8 |
| CRITICAL | CVE-2023-36258 | LangChain: unauthenticated RCE via code injection | langchain | 9.8 |
| CRITICAL | CVE-2025-49655 | keras: Deserialization enables RCE | keras | 9.8 |
| CRITICAL | GHSA-ggpf-24jw-3fcw | vLLM: RCE via malicious model, PyTorch < 2.6 bypass | vllm | 9.8 |
| CRITICAL | CVE-2023-34541 | LangChain: RCE via unsafe load_prompt deserialization | langchain | 9.8 |
| CRITICAL | CVE-2023-34540 | LangChain: RCE via JiraAPIWrapper crafted input | langchain | 9.8 |
| CRITICAL | CVE-2025-9556 | langchaingo: Jinja2 SSTI allows host filesystem read | | 9.8 |
| CRITICAL | CVE-2025-15036 | MLflow: path traversal enables sandbox escape, file overwrite | mlflow | 9.6 |
| CRITICAL | CVE-2026-0596 | MLflow: command injection via model_uri in mlserver mode | | 9.6 |
| CRITICAL | CVE-2024-27132 | MLflow: XSS in recipes enables client-side RCE | mlflow | 9.6 |
| CRITICAL | CVE-2024-3573 | MLflow: LFI via URI parsing allows arbitrary file read | mlflow | 9.3 |
| CRITICAL | CVE-2025-68665 | langchain.js: Deserialization enables RCE | langchain.js | 9.1 |
| CRITICAL | CVE-2024-4253 | Gradio: CI/CD command injection enables secrets exfiltration | gradio | 9.1 |
| CRITICAL | CVE-2026-33475 | langflow: security flaw enables exploitation | langflow | 9.1 |
| CRITICAL | CVE-2024-8019 | pytorch-lightning: file upload RCE (Windows) | pytorch-lightning | 9.1 |
| CRITICAL | CVE-2026-44007 | vm2: sandbox escape via nesting:true enables RCE | vm2 | 9.1 |
| CRITICAL | CVE-2022-41910 | TensorFlow Grappler: OOB read crashes or leaks memory | tensorflow | 9.1 |
| CRITICAL | CVE-2026-28500 | onnx: Integrity Verification bypass enables tampering | onnx | 9.1 |
| CRITICAL | CVE-2022-41902 | TensorFlow Grappler: OOB read/crash via crafted model | tensorflow | 9.1 |
| CRITICAL | CVE-2022-41880 | TensorFlow: heap OOB read in candidate sampler op | tensorflow | 9.1 |
| CRITICAL | CVE-2022-35938 | TensorFlow: OOB read in GatherNd causes crash/data leak | tensorflow | 9.1 |
| CRITICAL | CVE-2022-35937 | TensorFlow: GatherNd OOB read crashes inference servers | tensorflow | 9.1 |
| CRITICAL | CVE-2025-62608 | mlx: security flaw enables exploitation | mlx | 9.1 |
| CRITICAL | CVE-2021-35958 | TensorFlow: path traversal in get_file allows file overwrite | tensorflow | 9.1 |
| CRITICAL | CVE-2025-15031 | mlflow: Path Traversal enables file access | mlflow | 9.1 |
| CRITICAL | CVE-2025-33244 | NVIDIA: Deserialization enables RCE | | 9.0 |
| CRITICAL | CVE-2020-15202 | TensorFlow: Shard API int truncation enables memory corruption | tensorflow | 9.0 |
| CRITICAL | CVE-2025-29783 | vLLM: RCE via unsafe deserialization in Mooncake KV | vllm | 9.0 |
| CRITICAL | CVE-2020-15207 | TFLite: OOB write via unchecked negative axis index | tensorflow | 9.0 |
| HIGH | CVE-2025-9141 | vLLM: RCE via eval() in Qwen3 Coder tool parser | vllm | 8.8 |
| HIGH | CVE-2023-46229 | LangChain: SSRF in URL loader exposes internal network | langchain | 8.8 |
| HIGH | CVE-2024-45848 | MindsDB: RCE via eval() injection in ChromaDB INSERT | | 8.8 |
| HIGH | CVE-2024-11394 | Transformers: RCE via Trax model deserialization | transformers | 8.8 |
| HIGH | CVE-2024-3571 | LangChain: path traversal allows arbitrary file R/W | langchain | 8.8 |
| HIGH | GHSA-hgrh-qx5j-jfwx | picklescan: Protection Bypass circumvents security controls | picklescan | 8.8 |
| HIGH | CVE-2024-11393 | Transformers: RCE via MaskFormer model deserialization | transformers | 8.8 |
| HIGH | CVE-2022-21727 | TensorFlow: Dequantize integer overflow, RCE risk | tensorflow | 8.8 |
| HIGH | CVE-2022-24770 | Gradio: CSV formula injection via flagging enables RCE | gradio | 8.8 |
| HIGH | CVE-2024-11392 | HuggingFace Transformers: RCE via config deserialization | transformers | 8.8 |
| HIGH | CVE-2024-37032 | Ollama: path traversal enables RCE via model blob API | ollama | 8.8 |
| HIGH | CVE-2024-37052 | MLflow: RCE via malicious scikit-learn model upload | mlflow | 8.8 |
| HIGH | CVE-2026-35044 | BentoML: malicious bento archive RCE via Jinja2 SSTI | bentoml | 8.8 |
| HIGH | CVE-2024-37054 | MLflow: deserialization RCE via malicious PyFunc model | mlflow | 8.8 |
| HIGH | CVE-2022-23574 | TensorFlow: heap OOB read/write enables network RCE | tensorflow | 8.8 |
| HIGH | CVE-2024-37060 | MLflow: RCE via deserialization in crafted Recipes | mlflow | 8.8 |
| HIGH | CVE-2022-23573 | TensorFlow: uninitialized memory in AssignOp | tensorflow | 8.8 |
| HIGH | CVE-2022-23566 | TensorFlow: heap OOB write in Grappler, RCE risk | tensorflow | 8.8 |
| HIGH | CVE-2022-23562 | TensorFlow: Range integer overflow, RCE/DoS risk | tensorflow | 8.8 |
| HIGH | CVE-2022-21726 | TensorFlow: heap OOB read in Dequantize op allows RCE | tensorflow | 8.8 |
| HIGH | CVE-2022-23561 | TensorFlow Lite: OOB write, arbitrary write primitive | tensorflow | 8.8 |
| HIGH | CVE-2025-33213 | NVIDIA: Deserialization enables RCE | | 8.8 |
| HIGH | CVE-2022-23560 | TFLite: OOB read/write in sparse tensor → RCE | tensorflow | 8.8 |
| HIGH | CVE-2022-23559 | TFLite: integer overflow in embedding lookup → heap OOB RW | tensorflow | 8.8 |
| HIGH | CVE-2024-37061 | MLflow: RCE via malicious MLproject file execution | mlflow | 8.8 |
| HIGH | CVE-2025-66448 | vllm: Code Injection enables RCE | vllm | 8.8 |
| HIGH | CVE-2024-0520 | MLflow: path traversal enables RCE via dataset loading | mlflow | 8.8 |
| HIGH | CVE-2026-44513 | diffusers: trust_remote_code bypass enables silent RCE | diffusers | 8.8 |
| HIGH | CVE-2022-23558 | TFLite: integer overflow in model loading, RCE risk | tensorflow | 8.8 |
| HIGH | CVE-2026-42266 | JupyterLab: Extension allow-list bypass enables privesc | jupyterlab | 8.8 |
| HIGH | CVE-2024-5187 | ONNX: path traversal in model download enables RCE | onnx | 8.8 |
| HIGH | CVE-2026-1462 | Keras: safe_mode bypass allows RCE via model deserialization | keras | 8.8 |
| HIGH | CVE-2022-21740 | TensorFlow: heap overflow in sparse ops, RCE risk | tensorflow | 8.8 |
| HIGH | CVE-2023-6709 | MLflow: SSTI enables RCE in ML experiment tracking | mlflow | 8.8 |
| HIGH | CVE-2025-58755 | MONAI: path traversal allows arbitrary file write | monai | 8.8 |
| HIGH | CVE-2025-62726 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2026-3357 | Langflow: deserialization RCE via FAISS component default | langflow | 8.8 |
| HIGH | CVE-2021-37678 | TensorFlow/Keras: RCE via YAML model deserialization | tensorflow | 8.8 |
| HIGH | CVE-2026-24747 | pytorch: Code Injection enables RCE | pytorch | 8.8 |
| HIGH | CVE-2024-6825 | LiteLLM: RCE via post_call_rules callback injection | litellm | 8.8 |
| HIGH | CVE-2025-62164 | vllm: Input Validation flaw enables exploitation | vllm | 8.8 |
| HIGH | CVE-2023-6730 | HuggingFace Transformers: RCE via unsafe deserialization | transformers | 8.8 |
| HIGH | CVE-2021-39160 | nbgitpuller: RCE via OS command injection in git URLs | | 8.8 |
| HIGH | CVE-2020-15195 | TensorFlow: heap overflow in sparse gradient op | tensorflow | 8.8 |
| HIGH | CVE-2018-8825 | TensorFlow 1.7: Buffer overflow enables arbitrary code exec | tensorflow | 8.8 |
| HIGH | CVE-2021-41134 | nbdime: stored XSS in Jupyter notebook diff viewer | | 8.7 |
| HIGH | CVE-2026-34954 | praisonaiagents: SSRF leaks cloud IAM credentials | praisonaiagents | 8.6 |
| HIGH | CVE-2026-34445 | ONNX: property overwrite via crafted model file | onnx | 8.6 |
| HIGH | GHSA-m3mh-3mpg-37hw | OpenClaw: .npmrc hijack enables RCE on plugin install | openclaw | 8.6 |
| HIGH | CVE-2020-15212 | TensorFlow Lite: heap OOB write via segment sum op | tensorflow | 8.6 |
| HIGH | CVE-2026-25580 | pydantic-ai: SSRF allows internal network access | pydantic-ai-slim | 8.6 |
| HIGH | CVE-2026-28416 | gradio: SSRF allows internal network access | gradio | 8.6 |
| HIGH | CVE-2024-21513 | langchain-experimental: RCE via eval() in VectorSQL chain | langchain-experimental | 8.5 |
| HIGH | CVE-2026-40113 | PraisonAI: arg injection injects env vars into Cloud Run | praisonai | 8.4 |
| HIGH | CVE-2025-54886 | skops: joblib fallback enables RCE via model load | skops | 8.4 |
| HIGH | CVE-2026-32763 | | | 8.2 |
| HIGH | CVE-2026-44843 | LangChain: deserialization poisons LLM chat history | langchain-core | 8.2 |
| HIGH | CVE-2024-1540 | Gradio: CI/CD command injection enables secrets exfil | gradio | 8.2 |
| HIGH | CVE-2024-10648 | Gradio: path traversal enables arbitrary file deletion DoS | gradio | 8.2 |
| HIGH | CVE-2025-68664 | langchain-core: Deserialization enables RCE | langchain_core | 8.2 |
| HIGH | CVE-2024-1560 | MLflow: path traversal allows arbitrary directory deletion | mlflow | 8.1 |
| HIGH | CVE-2024-28088 | LangChain: path traversal enables RCE and API key theft | langchain | 8.1 |
| HIGH | CVE-2022-21728 | TensorFlow: heap OOB read in ReverseSequence op | tensorflow | 8.1 |
| HIGH | CVE-2024-49048 | TorchGeo: RCE via code injection in geospatial ML lib | | 8.1 |
| HIGH | CVE-2024-43598 | LightGBM: heap buffer overflow enables network RCE | lightgbm | 8.1 |
| HIGH | CVE-2022-23592 | TensorFlow: heap OOB read in type inference engine | tensorflow | 8.1 |
| HIGH | CVE-2026-39307 | PraisonAI: Zip Slip enables arbitrary file write / RCE | PraisonAI | 8.1 |
| HIGH | CVE-2020-15214 | TensorFlow Lite: OOB write in segment sum, memory corruption risk | tensorflow | 8.1 |
| HIGH | CVE-2023-6831 | MLflow: path traversal allows arbitrary file write | mlflow | 8.1 |
| HIGH | CVE-2025-30402 | ExecuTorch: heap overflow in method load, RCE risk | executorch | 8.1 |
| HIGH | CVE-2022-21730 | TensorFlow: OOB read leaks heap memory, enables DoS | tensorflow | 8.1 |
| HIGH | CVE-2026-2033 | mlflow: Path Traversal enables file access | mlflow | 8.1 |
| HIGH | CVE-2024-7776 | ONNX: path traversal in download_model enables RCE | onnx | 8.1 |
| HIGH | CVE-2026-33989 | @mobilenext/mobile-mcp: path traversal via AI agent tool | | 8.1 |
| HIGH | CVE-2026-33236 | nltk: Path Traversal enables file access | | 8.1 |
| HIGH | CVE-2022-41894 | TensorFlow Lite: buffer overflow in CONV_3D_TRANSPOSE op | tensorflow | 8.1 |
| HIGH | CVE-2025-8747 | Keras: safe mode bypass enables RCE via model load | keras | 7.8 |
| HIGH | CVE-2021-37648 | TensorFlow SaveV2: null ptr deref, local crash/RCE | tensorflow | 7.8 |
| HIGH | CVE-2021-37662 | TensorFlow: null deref in BoostedTrees training ops | tensorflow | 7.8 |
| HIGH | CVE-2021-37659 | TensorFlow: heap OOB in cwise ops enables local RCE | tensorflow | 7.8 |
| HIGH | CVE-2021-37658 | TensorFlow: null ptr deref in MatrixSetDiagV ops | tensorflow | 7.8 |
| HIGH | CVE-2021-37657 | TensorFlow: null ptr deref in MatrixDiagV ops | tensorflow | 7.8 |
| HIGH | CVE-2021-37656 | TensorFlow: null ptr deref in RaggedTensorToSparse op | tensorflow | 7.8 |
| HIGH | CVE-2021-37651 | TensorFlow: heap OOB r/w in FractionalAvgPoolGrad op | tensorflow | 7.8 |
| HIGH | CVE-2021-37650 | TensorFlow: heap overflow in DatasetToTFRecord ops | tensorflow | 7.8 |
| HIGH | CVE-2021-37639 | TensorFlow: heap OOB read via tensor restore API | tensorflow | 7.8 |
| HIGH | CVE-2021-37638 | TensorFlow: null ptr deref in RaggedTensorToTensor op | tensorflow | 7.8 |
| HIGH | CVE-2021-29616 | TensorFlow: null ptr deref in graph optimizer | tensorflow | 7.8 |
| HIGH | CVE-2021-29614 | TensorFlow: OOB write in decode_raw crashes interpreter | tensorflow | 7.8 |
| HIGH | CVE-2021-29612 | TensorFlow: heap overflow in linalg op, RCE risk | tensorflow | 7.8 |
| HIGH | CVE-2021-29610 | TensorFlow: heap R/W via quantization axis underflow | tensorflow | 7.8 |
| HIGH | CVE-2021-29609 | TensorFlow: SparseAdd heap OOB write and null deref | tensorflow | 7.8 |
| HIGH | CVE-2026-35043 | BentoML: cmd injection RCE on cloud build infra | bentoml | 7.8 |
| HIGH | CVE-2021-29608 | TensorFlow: heap OOB in RaggedTensorToTensor op | tensorflow | 7.8 |
| HIGH | CVE-2021-29607 | TensorFlow: heap OOB write in SparseAdd op | tensorflow | 7.8 |
| HIGH | CVE-2021-29606 | TensorFlow Lite: OOB read via crafted TFLite model | tensorflow | 7.8 |
| HIGH | CVE-2021-29603 | TensorFlow TFLite: heap OOB write via malformed model | tensorflow | 7.8 |
| HIGH | CVE-2021-29600 | TensorFlow TFLite: div-by-zero via crafted OneHot model | tensorflow | 7.8 |
| HIGH | CVE-2021-29599 | TFLite Split: malicious model triggers div-by-zero (DoS/RCE) | tensorflow | 7.8 |
| HIGH | CVE-2025-46567 | LLaMA-Factory: RCE via torch.load() unsafe deserialization | llamafactory | 7.8 |
| HIGH | CVE-2021-29598 | TensorFlow TFLite: SVDF div-by-zero enables RCE | tensorflow | 7.8 |
| HIGH | CVE-2022-29216 | TensorFlow CLI: eval() injection enables reverse shell | tensorflow | 7.8 |
| HIGH | CVE-2021-29596 | TensorFlow TFLite: div-by-zero in EmbeddingLookup op | tensorflow | 7.8 |
| HIGH | CVE-2021-29595 | TensorFlow TFLite: crash/RCE via malicious model file | tensorflow | 7.8 |
| HIGH | CVE-2021-29594 | TFLite: divide-by-zero in conv allows code execution | tensorflow | 7.8 |
| HIGH | CVE-2021-29593 | TensorFlow TFLite: div-by-zero via crafted model file | tensorflow | 7.8 |
| HIGH | CVE-2021-29592 | TensorFlow Lite: null-ptr deref in Reshape via 1D tensor | tensorflow | 7.8 |
| HIGH | CVE-2026-33744 | BentoML: command injection in bentofile.yaml containerize | bentoml | 7.8 |
| HIGH | CVE-2021-29574 | TensorFlow: null ptr deref in MaxPool3DGradGrad ops | tensorflow | 7.8 |
| HIGH | CVE-2021-29583 | TensorFlow: heap overflow in FusedBatchNorm risks RCE | tensorflow | 7.8 |
| HIGH | CVE-2021-29512 | TensorFlow: heap buffer overflow in RaggedBincount op | tensorflow | 7.8 |
| HIGH | CVE-2021-29571 | TensorFlow: heap OOB write via crafted bounding box op | tensorflow | 7.8 |
| HIGH | CVE-2021-29566 | TensorFlow: heap OOB write in Dilation2D training op | tensorflow | 7.8 |
| HIGH | CVE-2021-29520 | TensorFlow: heap buffer overflow in Conv3DBackprop ops | tensorflow | 7.8 |
| HIGH | CVE-2024-14021 | llamaindex: Deserialization enables RCE | llamaindex | 7.8 |
| HIGH | CVE-2021-29591 | TFLite: crafted model causes infinite loop / stack overflow | tensorflow | 7.8 |
| HIGH | CVE-2021-37681 | TensorFlow Lite: null ptr deref crashes SVDF inference | tensorflow | 7.8 |
| HIGH | CVE-2021-29518 | TensorFlow: null ptr deref in session ops, local RCE | tensorflow | 7.8 |
| HIGH | CVE-2023-25801 | TensorFlow: double-free in pooling ops enables RCE | tensorflow | 7.8 |
| HIGH | CVE-2021-29515 | TensorFlow: NULL ptr deref in MatrixDiag ops (crash/RCE) | tensorflow | 7.8 |
| HIGH | CVE-2021-29588 | TensorFlow Lite: DoS/RCE via crafted model stride=0 | tensorflow | 7.8 |
| HIGH | CVE-2026-27905 | bentoml: security flaw enables exploitation | bentoml | 7.8 |
| HIGH | CVE-2025-33233 | NVIDIA: Code Injection enables RCE | | 7.8 |
| HIGH | CVE-2021-29587 | TensorFlow TFLite: divide-by-zero via crafted model file | tensorflow | 7.8 |
| HIGH | CVE-2021-29586 | TFLite: div-by-zero in pooling crashes inference engine | tensorflow | 7.8 |
| HIGH | CVE-2021-29585 | TensorFlow TFLite: divide-by-zero crashes ML inference | tensorflow | 7.8 |
| HIGH | CVE-2021-29579 | TensorFlow: heap buffer overflow in MaxPoolGrad kernel | tensorflow | 7.8 |
| HIGH | CVE-2021-29578 | TensorFlow: heap buffer overflow in FractionalAvgPoolGrad | tensorflow | 7.8 |
| HIGH | CVE-2021-29577 | TensorFlow: heap overflow in AvgPool3DGrad op | tensorflow | 7.8 |
| HIGH | CVE-2021-29576 | TensorFlow: heap buffer overflow in MaxPool3DGradGrad op | tensorflow | 7.8 |
| HIGH | CVE-2021-29568 | TensorFlow: null deref in ParameterizedTruncatedNormal op | tensorflow | 7.8 |
| HIGH | CVE-2021-29558 | TensorFlow: heap buffer overflow in SparseSplit op | tensorflow | 7.8 |
| HIGH | CVE-2023-4033 | MLflow: OS command injection enables local code execution | mlflow | 7.8 |
| HIGH | CVE-2021-29546 | TensorFlow: div-by-zero in QuantizedBiasAdd, C/I/A high | tensorflow | 7.8 |
| HIGH | CVE-2023-27506 | Intel TF Opt: buffer overflow enables local priv-esc | optimization_for_tensorflow | 7.8 |
| HIGH | CVE-2021-29540 | TensorFlow: heap buffer overflow in Conv2D gradient op | tensorflow | 7.8 |
| HIGH | CVE-2021-29537 | TensorFlow: heap overflow in QuantizedResizeBilinear op | tensorflow | 7.8 |
| HIGH | CVE-2021-29536 | TensorFlow: heap overflow in QuantizedReshape op | tensorflow | 7.8 |
| HIGH | CVE-2021-29535 | TensorFlow: heap overflow in QuantizedMul op | tensorflow | 7.8 |
| HIGH | CVE-2021-29530 | TensorFlow: null ptr deref in sparse Cholesky ops | tensorflow | 7.8 |
| HIGH | CVE-2021-29529 | TensorFlow: heap buffer overflow in quantized image resize | tensorflow | 7.8 |
| HIGH | CVE-2021-29525 | TensorFlow: div-by-zero DoS in Conv2DBackpropInput | tensorflow | 7.8 |
| HIGH | CVE-2021-29514 | TensorFlow: heap buffer overflow in RaggedBincount op | tensorflow | 7.8 |
| HIGH | CVE-2020-26267 | TensorFlow: OOB read in DataFormatVecPermute op | tensorflow | 7.8 |
| HIGH | CVE-2026-44244 | GitPython: git config injection enables hook RCE | GitPython | 7.8 |
| HIGH | CVE-2018-8768 | Jupyter Notebook: XSS via malicious .ipynb file | notebook | 7.8 |
| HIGH | CVE-2026-34937 | PraisonAI: OS command injection via run_python() shell escape | praisonaiagents | 7.8 |
| HIGH | CVE-2024-31583 | PyTorch: use-after-free in JIT mobile interpreter, RCE | pytorch | 7.8 |
| HIGH | CVE-2024-34072 | SageMaker SDK: pickle deserialization enables RCE | | 7.8 |
| HIGH | CVE-2024-38459 | LangChain: Python REPL code execution without opt-in | langchain-experimental | 7.8 |
| HIGH | CVE-2023-7018 | Transformers: unsafe deserialization enables RCE on load | transformers | 7.8 |
| HIGH | CVE-2024-5998 | LangChain: RCE via FAISS pickle deserialization | langchain | 7.8 |
| HIGH | CVE-2021-29589 | TFLite GatherNd: divide-by-zero crashes inference runtime | tensorflow | 7.8 |
| HIGH | CVE-2025-1753 | llama-index-cli: OS command injection enables RCE | llama-index | 7.8 |
| HIGH | CVE-2021-37663 | TensorFlow: QuantizeV2 heap OOB/null-deref in quantization | tensorflow | 7.8 |
| HIGH | CVE-2021-37665 | TensorFlow MKL: null-ptr/heap-OOB in requantization ops | tensorflow | 7.8 |
| HIGH | CVE-2025-10155 | picklescan: file extension bypass allows model RCE | picklescan | 7.8 |
| HIGH | CVE-2021-37679 | TensorFlow: heap over-read leaks memory via RaggedTensor | tensorflow | 7.8 |
| HIGH | CVE-2021-37676 | TensorFlow: null ptr deref in SparseFillEmptyRows op | tensorflow | 7.8 |
| HIGH | CVE-2021-41201 | TensorFlow: uninitialized var in Einsum allows local RCE | tensorflow | 7.8 |
| HIGH | CVE-2021-41203 | TensorFlow: malformed checkpoint triggers overflow/crash | tensorflow | 7.8 |
| HIGH | CVE-2021-41214 | TensorFlow: null deref in ragged ops, local RCE | tensorflow | 7.8 |
| HIGH | CVE-2021-41219 | TensorFlow: heap OOB in sparse matrix multiply | tensorflow | 7.8 |
| HIGH | CVE-2021-41206 | TensorFlow: missing shape validation allows heap R/W | tensorflow | 7.8 |
| HIGH | CVE-2021-41208 | TensorFlow: heap R/W + DoS in boosted trees APIs | tensorflow | 7.8 |
| HIGH | CVE-2021-41216 | TensorFlow: heap overflow in Transpose via negative perm | tensorflow | 7.8 |
| HIGH | CVE-2021-41220 | TensorFlow: use-after-free in async collective ops | tensorflow | 7.8 |
| HIGH | CVE-2021-41221 | TensorFlow: CuDNN heap overflow, local code execution | tensorflow | 7.8 |
| HIGH | CVE-2021-41225 | TensorFlow Grappler: uninitialized var, local priv-esc | tensorflow | 7.8 |
| HIGH | CVE-2021-41228 | TensorFlow: eval() in saved_model_cli allows RCE | tensorflow | 7.8 |
| HIGH | CVE-2021-37671 | TensorFlow: null-ptr deref in Map ops, local C/I/A:High | tensorflow | 7.8 |
| HIGH | CVE-2021-4118 | pytorch-lightning: deserialization RCE via malicious checkpoint | pytorch_lightning | 7.8 |
| HIGH | CVE-2021-37667 | TensorFlow: UnicodeEncode null deref, local code exec | tensorflow | 7.8 |
| HIGH | CVE-2021-37666 | TensorFlow: null-ptr deref in RaggedTensorToVariant op | tensorflow | 7.8 |
| HIGH | CVE-2021-37652 | TensorFlow: double-free in BoostedTrees, code exec | tensorflow | 7.8 |
| HIGH | CVE-2025-23298 | Merlin Transformers4Rec: code injection via Python dep | | 7.8 |
| HIGH | CVE-2024-45436 | Ollama: ZIP path traversal exposes host filesystem | ollama | 7.5 |
| HIGH | CVE-2025-14287 | mlflow: Code Injection enables RCE | mlflow | 7.5 |
| HIGH | CVE-2026-28414 | gradio: security flaw enables exploitation | gradio | 7.5 |
| HIGH | CVE-2025-62609 | mlx: security flaw enables exploitation | mlx | 7.5 |
| HIGH | CVE-2026-1669 | keras: File Control enables path manipulation | keras | 7.5 |
| HIGH | CVE-2026-26209 | | | 7.5 |
| HIGH | CVE-2026-32597 | | | 7.5 |
| HIGH | CVE-2025-68616 | | | 7.5 |
| HIGH | CVE-2026-23490 | | | 7.5 |
| HIGH | CVE-2024-58340 | langchain: security flaw enables exploitation | langchain | 7.5 |
| HIGH | CVE-2026-0621 | mcp_typescript_sdk: security flaw enables exploitation | | 7.5 |
| HIGH | CVE-2025-6985 | langchain-text-splitters: XXE enables arbitrary file read | langchain-text-splitters | 7.5 |
| HIGH | CVE-2025-55560 | PyTorch: DoS via sparse/dense tensor Inductor compile | pytorch | 7.5 |
| HIGH | CVE-2025-55558 | PyTorch: Inductor compiler buffer overflow causes DoS | pytorch | 7.5 |
| HIGH | CVE-2025-55557 | PyTorch: DoS via cummin+Inductor NameError in 2.7.0 | pytorch | 7.5 |
| HIGH | CVE-2025-55553 | PyTorch 2.7.0: DoS via proxy_tensor.py syntax error | pytorch | 7.5 |
| HIGH | CVE-2025-55552 | PyTorch: integer overflow in rot90+randn_like causes DoS | pytorch | 7.5 |
| HIGH | CVE-2025-55551 | PyTorch: DoS in linalg.lu via malformed slice op | pytorch | 7.5 |
| HIGH | CVE-2025-6921 | Transformers: ReDoS in optimizer halts training pipelines | transformers | 7.5 |
| HIGH | CVE-2025-6638 | HuggingFace Transformers: ReDoS in MarianTokenizer | transformers | 7.5 |
| HIGH | CVE-2025-6984 | EverNoteLoader: XXE exposes host files in LangChain | langchain-community | 7.5 |
| HIGH | CVE-2025-57809 | xgrammar: uncontrolled recursion in grammar parsing causes DoS | xgrammar | 7.5 |
| HIGH | CVE-2025-6209 | llama_index: path traversal allows arbitrary file read | llama-index-core | 7.5 |
| HIGH | CVE-2025-3046 | LlamaIndex Obsidian: symlink traversal exposes host files | llama-index-readers-obsidian | 7.5 |
| HIGH | CVE-2025-3225 | llama-index Papers Loader: XML expansion DoS | llama-index-readers-papers | 7.5 |
| HIGH | CVE-2025-3262 | Transformers: ReDoS in chat.py causes CPU exhaustion | transformers | 7.5 |
| HIGH | CVE-2025-2099 | transformers: ReDoS in testing_utils causes DoS | transformers | 7.5 |
| HIGH | CVE-2024-12704 | llama-index: DoS via infinite loop in LangChain LLM | llama-index | 7.5 |
| HIGH | CVE-2025-2148 | PyTorch: memory corruption in JIT profiler callback handler | pytorch | 7.5 |
| HIGH | CVE-2024-47868 | Gradio: path traversal leaks arbitrary server files | gradio | 7.5 |
| HIGH | CVE-2024-47867 | Gradio: no integrity check on FRP binary, supply chain RCE | gradio | 7.5 |
| HIGH | CVE-2024-2928 | MLflow: URI fragment LFI exposes arbitrary files | mlflow | 7.5 |
| HIGH | CVE-2024-1728 | Gradio: path traversal leaks arbitrary files, potential RCE | gradio | 7.5 |
| HIGH | CVE-2023-51449 | Gradio: path traversal grants arbitrary file read | gradio | 7.5 |
| HIGH | CVE-2023-6015 | MLflow: unauthenticated arbitrary file write via PUT | mlflow | 7.5 |
| HIGH | CVE-2023-36189 | LangChain SQLDatabaseChain: SQL injection, DB exfil | langchain | 7.5 |
| HIGH | CVE-2023-30172 | MLflow: path traversal exposes arbitrary server files | mlflow | 7.5 |
| HIGH | CVE-2023-27579 | TensorFlow Lite: FPE in tflite model crashes inference runtime | tensorflow | 7.5 |
| HIGH | CVE-2023-25674 | TensorFlow: null pointer DoS in RandomShuffle (XLA) | tensorflow | 7.5 |
| HIGH | CVE-2023-25673 | TensorFlow: FPE in TensorListSplit (XLA) remote DoS | tensorflow | 7.5 |
| HIGH | CVE-2023-25672 | TensorFlow: NPE in LookupTableImportV2 causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2023-25671 | TensorFlow: OOB write DoS via integer type mismatch | tensorflow | 7.5 |
| HIGH | CVE-2023-25670 | TensorFlow: null ptr DoS in quantized MKL MatMul | tensorflow | 7.5 |
| HIGH | CVE-2023-25667 | TensorFlow: integer overflow DoS in video frame decoding | tensorflow | 7.5 |
| HIGH | CVE-2023-25665 | TensorFlow: null ptr deref DoS via sparse tensors | tensorflow | 7.5 |
| HIGH | CVE-2023-25663 | TensorFlow: null ptr deref crashes inference serving | tensorflow | 7.5 |
| HIGH | CVE-2023-25662 | TensorFlow: integer overflow in EditDistance causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2023-25660 | TensorFlow: null ptr deref in Print op allows remote DoS | tensorflow | 7.5 |
| HIGH | CVE-2023-25659 | TensorFlow: OOB read in DynamicStitch enables DoS | tensorflow | 7.5 |
| HIGH | CVE-2023-25658 | TensorFlow: OOB read in GRUBlockCellGrad causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-41911 | TensorFlow: type confusion DoS via bool cast in tensors | tensorflow | 7.5 |
| HIGH | CVE-2022-41907 | TensorFlow: integer overflow in ResizeNearestNeighborGrad → DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-41895 | TensorFlow: heap OOB in MirrorPadGrad causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-41891 | TensorFlow: segfault DoS in TensorListConcat op | tensorflow | 7.5 |
| HIGH | CVE-2022-41885 | TensorFlow: FusedResizeAndPadConv2D overflow causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-36027 | TensorFlow: DoS crash in transposed conv quantization | tensorflow | 7.5 |
| HIGH | CVE-2022-36015 | TensorFlow: integer overflow in RangeSize causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-36013 | TensorFlow MLIR: null ptr deref crashes model serving | tensorflow | 7.5 |
| HIGH | CVE-2022-36012 | TensorFlow: DoS via empty MLIR function attributes | tensorflow | 7.5 |
| HIGH | CVE-2022-36011 | TensorFlow: null deref DoS in MLIR function conversion | tensorflow | 7.5 |
| HIGH | CVE-2022-36000 | TensorFlow: null deref crashes MLIR graph conversion | tensorflow | 7.5 |
| HIGH | CVE-2022-35995 | TensorFlow: DoS via AudioSummaryV2 CHECK failure | tensorflow | 7.5 |
| HIGH | CVE-2022-35990 | TensorFlow: DoS via quantization gradient rank check | tensorflow | 7.5 |
| HIGH | CVE-2022-35984 | TensorFlow: int64 type mismatch triggers remote DoS | tensorflow | 7.5 |
| HIGH | CVE-2022-35982 | TensorFlow: DoS via invalid SparseBincount input | tensorflow | 7.5 |
| HIGH | CVE-2022-35974 | TensorFlow: DoS via nonscalar quantization op input | tensorflow | 7.5 |
| HIGH | CVE-2022-35970 | TensorFlow: DoS via malformed QuantizedInstanceNorm tensors | tensorflow | 7.5 |
| HIGH | CVE-2022-35968 | TensorFlow: DoS via AvgPoolGrad shape validation failure | tensorflow | 7.5 |
| HIGH | CVE-2022-35967 | TensorFlow: DoS via QuantizedAdd tensor rank flaw | tensorflow | 7.5 |
| HIGH | CVE-2022-35966 | TensorFlow: DoS via QuantizedAvgPool input validation | tensorflow | 7.5 |
| HIGH | CVE-2022-35964 | TensorFlow: remote DoS via BlockLSTMGradV2 validation | tensorflow | 7.5 |
| HIGH | CVE-2022-35960 | TensorFlow: DoS via malformed TensorListReserve input | tensorflow | 7.5 |
| HIGH | CVE-2022-35959 | TensorFlow: DoS via AvgPool3DGradOp input overflow | tensorflow | 7.5 |
| HIGH | CVE-2022-35940 | TensorFlow: integer overflow in RaggedRangeOp crashes service | tensorflow | 7.5 |
| HIGH | CVE-2022-0736 | MLflow: insecure temp file handling causes DoS | mlflow | 7.5 |
| HIGH | CVE-2022-23593 | TensorFlow MLIR-TFRT: DoS via scalar shape segfault | tensorflow | 7.5 |
| HIGH | CVE-2022-23590 | TensorFlow: DoS via malicious SavedModel GraphDef | tensorflow | 7.5 |
| HIGH | CVE-2026-34070 | langchain-core: path traversal exposes host secrets via prompt config | langchain-core | 7.5 |
| HIGH | CVE-2020-15266 | TensorFlow: NaN-triggered DoS in crop_and_resize op | tensorflow | 7.5 |
| HIGH | CVE-2020-26269 | TensorFlow: OOB read in glob path matching causes DoS | tensorflow | 7.5 |
| HIGH | CVE-2020-28975 | scikit-learn: DoS via crafted SVM model deserialization | scikit-learn | 7.5 |
| HIGH | CVE-2020-15265 | TensorFlow: OOB read DoS via invalid quantize axis | tensorflow | 7.5 |
| HIGH | CVE-2020-15206 | TensorFlow: SavedModel protobuf DoS in inference serving | tensorflow | 7.5 |
| HIGH | CVE-2020-15203 | TensorFlow: format string DoS in strings.as_string | tensorflow | 7.5 |
| HIGH | CVE-2020-5215 | TensorFlow: type confusion DoS crashes eager mode inference | tensorflow | 7.5 |
| HIGH | CVE-2026-44209 | banks: SSTI enables RCE via unsandboxed Jinja2 templates | banks | 7.5 |
| HIGH | CVE-2026-41680 | marked: infinite recursion DoS crashes Node.js via OOM | marked | 7.5 |
| HIGH | CVE-2025-30370 | jupyterlab-git: command injection via malicious repo name | | 7.4 |
| HIGH | CVE-2026-32887 | | | 7.4 |
| HIGH | CVE-2026-33724 | n8n: SSH MitM enables malicious workflow injection | n8n | 7.4 |
| HIGH | CVE-2025-64104 | langgraph-checkpoint-sqlite: SQL Injection exposes database | langgraph-checkpoint-sqlite | 7.3 |
| HIGH | CVE-2026-39306 | PraisonAI: recipe path traversal allows arbitrary file write | PraisonAI | 7.3 |
| HIGH | CVE-2025-9905 | Keras: safe_mode bypass enables RCE via .h5 model files | keras | 7.3 |
| HIGH | CVE-2021-37655 | TensorFlow: OOB heap read in ResourceScatterUpdate | tensorflow | 7.3 |
| HIGH | CVE-2025-30167 | jupyter_core: config hijack enables cross-user code exec | | 7.3 |
| HIGH | CVE-2025-67644 | langgraph-checkpoint-sqlite: SQL Injection exposes database | langgraph-checkpoint-sqlite | 7.3 |
| HIGH | CVE-2025-12973 | AI component: Arbitrary File Upload enables RCE | | 7.2 |
| HIGH | CVE-2026-1777 | sagemaker: security flaw enables exploitation | sagemaker | 7.2 |
| HIGH | CVE-2021-41223 | TensorFlow: FusedBatchNorm heap OOB allows data leak/crash | tensorflow | 7.1 |
| HIGH | CVE-2020-15193 | TensorFlow: uninitialized memory corruption via dlpack | tensorflow | 7.1 |
| HIGH | CVE-2021-41212 | TensorFlow: heap OOB read in ragged.cross shape inference | tensorflow | 7.1 |
| HIGH | CVE-2021-41211 | TensorFlow: heap OOB read in QuantizeV2 shape inference | tensorflow | 7.1 |
| HIGH | CVE-2021-41205 | TensorFlow: heap OOB read in quantize ops, DoS+leak | tensorflow | 7.1 |
| HIGH | CVE-2021-29570 | TensorFlow: OOB read in MaxPoolGradWithArgmax op | tensorflow | 7.1 |
| HIGH | CVE-2021-41210 | TensorFlow: heap OOB read in SparseCountSparseOutput | tensorflow | 7.1 |
| HIGH | CVE-2021-37682 | TFLite: uninitialized quant params corrupt inference | tensorflow | 7.1 |
| HIGH | CVE-2021-29582 | TensorFlow: OOB heap read via Dequantize shape mismatch | tensorflow | 7.1 |
| HIGH | CVE-2021-37664 | TensorFlow: heap OOB read in BoostedTrees ops | tensorflow | 7.1 |
| HIGH | CVE-2026-39308 | PraisonAI: recipe registry path traversal file write | PraisonAI | 7.1 |
| HIGH | CVE-2021-37654 | TensorFlow: OOB read/crash via ResourceGather batch_dims | tensorflow | 7.1 |
| HIGH | CVE-2025-7707 | llama-index: world-writable NLTK dir allows local tampering | llama-index | 7.1 |
| HIGH | CVE-2021-37641 | TensorFlow: RaggedGather OOB read - heap leak + DoS | tensorflow | 7.1 |
| HIGH | CVE-2021-37635 | TensorFlow: heap OOB read in sparse reduction ops | tensorflow | 7.1 |
| HIGH | CVE-2024-21799 | Intel Extension for Transformers: path traversal privesc | | 7.1 |
| HIGH | CVE-2021-37643 | TensorFlow: null deref in MatrixDiagPartOp, DoS risk | tensorflow | 7.1 |
| HIGH | CVE-2021-29553 | TensorFlow: heap OOB read via malicious axis in quant op | tensorflow | 7.1 |
| HIGH | CVE-2021-29532 | TensorFlow: heap OOB read via RaggedCross op | tensorflow | 7.1 |
| HIGH | CVE-2025-68478 | langflow: File Control enables path manipulation | langflow | 7.1 |
| HIGH | CVE-2021-29613 | TensorFlow: CTCLoss heap OOB read, info leak + crash | tensorflow | 7.1 |
| HIGH | CVE-2021-29590 | TensorFlow TFLite: OOB read via empty tensor in Min/Max ops | tensorflow | 7.1 |
| HIGH | CVE-2022-29208 | TensorFlow: OOB write in EditDistance enables local DoS | tensorflow | 7.1 |
| HIGH | GHSA-q56x-g2fj-4rj6 | onnx: TOCTOU symlink following enables arbitrary file write | onnx | 7.1 |
| HIGH | CVE-2021-29559 | TensorFlow: heap OOB read in UnicodeEncode leaks memory | tensorflow | 7.1 |
| HIGH | CVE-2021-29560 | TensorFlow: heap OOB in RaggedTensorToTensor op | tensorflow | 7.1 |
| HIGH | CVE-2021-29569 | TensorFlow: OOB heap read in MaxPoolGradWithArgmax op | tensorflow | 7.1 |
| HIGH | CVE-2021-41226 | TensorFlow: heap OOB in SparseBinCount, crash/disclosure | tensorflow | 7.1 |
| HIGH | CVE-2021-41224 | TensorFlow: heap OOB read in SparseFillEmptyRows op | tensorflow | 7.1 |
| HIGH | CVE-2024-27134 | MLflow: local privilege escalation via spark_udf ToCToU | mlflow | 7.0 |
| HIGH | CVE-2025-10279 | mlflow: security flaw enables exploitation | mlflow | 7.0 |
| MEDIUM | CVE-2026-28277 | langgraph: Deserialization enables RCE | langgraph | 6.8 |
| MEDIUM | GHSA-pgx6-7jcq-2qff | | | 6.8 |
| MEDIUM | CVE-2023-30767 | Intel TF Opt: buffer overflow enables local privesc | optimization_for_tensorflow | 6.7 |
| MEDIUM | CVE-2026-27794 | langgraph-checkpoint: Deserialization enables RCE | langgraph-checkpoint | 6.6 |
| MEDIUM | CVE-2021-37690 | TensorFlow: use-after-free crashes training processes | tensorflow | 6.6 |
| MEDIUM | CVE-2022-23570 | TensorFlow: null-deref DoS via malformed protobuf tensor | tensorflow | 6.5 |
| MEDIUM | CVE-2025-5472 | llama-index: JSONReader DoS via recursive JSON parsing | llama-index-core | 6.5 |
| MEDIUM | CVE-2025-6211 | llama-index: DocugamiReader MD5 hash collision drops chunks | llama-index-readers-docugami | 6.5 |
| MEDIUM | CVE-2022-23577 | TensorFlow: null pointer deref crashes model loader | tensorflow | 6.5 |
| MEDIUM | CVE-2026-40148 | PraisonAI: decompression bomb causes disk exhaustion | PraisonAI | 6.5 |
| MEDIUM | GHSA-fv5p-p927-qmxr | langchain-text-splitters: SSRF bypass exposes cloud metadata | langchain-text-splitters | 6.5 |
| MEDIUM | CVE-2025-1944 | picklescan: ZIP spoof lets malicious PyTorch models bypass scan | picklescan | 6.5 |
| MEDIUM | CVE-2025-55556 | TensorFlow: non-deterministic compilation breaks Embedding | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23572 | TensorFlow: DoS via shape inference assertion failure | tensorflow | 6.5 |
| MEDIUM | CVE-2026-39378 | nbconvert: path traversal exfiltrates files via HTML export | nbconvert | 6.5 |
| MEDIUM | GHSA-hf3c-wxg2-49q9 | vLLM: DoS via unbounded XGrammar schema cache | vllm | 6.5 |
| MEDIUM | CVE-2018-21233 | TensorFlow: integer overflow leaks process memory via BMP | tensorflow | 6.5 |
| MEDIUM | CVE-2026-32889 | | | 6.5 |
| MEDIUM | CVE-2024-7037 | open-webui: path traversal → arbitrary file write/RCE | open-webui | 6.5 |
| MEDIUM | CVE-2026-1839 | HuggingFace Transformers: RCE via malicious checkpoint load | transformers | 6.5 |
| MEDIUM | CVE-2022-21739 | TensorFlow: QuantizedMaxPool null ptr deref causes DoS | tensorflow | 6.5 |
| MEDIUM | CVE-2022-21734 | TensorFlow: DoS via MapStage non-scalar key crash | tensorflow | 6.5 |
| MEDIUM | CVE-2022-21729 | TensorFlow: UnravelIndex integer overflow → DoS | tensorflow | 6.5 |
| MEDIUM | CVE-2022-21725 | TensorFlow: DoS via div-by-zero in conv cost estimator | tensorflow | 6.5 |
| MEDIUM | CVE-2022-21736 | TensorFlow: NULL deref DoS via SparseTensorSliceDataset | tensorflow | 6.5 |
| MEDIUM | CVE-2026-24123 | bentoml: Path Traversal enables file access | bentoml | 6.5 |
| MEDIUM | CVE-2025-13359 | taxopress: SQL Injection exposes database | | 6.5 |
| MEDIUM | GHSA-vrqm-gvq7-rrwh | | | 6.5 |
| MEDIUM | CVE-2024-55459 | Keras: path traversal enables arbitrary file write | keras | 6.5 |
| MEDIUM | CVE-2022-23595 | TensorFlow XLA: null pointer dereference causes DoS | tensorflow | 6.5 |
| MEDIUM | CVE-2024-7034 | open-webui: path traversal allows arbitrary file write/RCE | open-webui | 6.5 |
| MEDIUM | CVE-2020-15210 | TensorFlow Lite: memory corruption via aliased tensors | tensorflow | 6.5 |
| MEDIUM | CVE-2025-1194 | transformers: ReDoS in GPT-NeoX Japanese tokenizer | transformers | 6.5 |
| MEDIUM | CVE-2022-23589 | TensorFlow Grappler: DoS via malicious SavedModel | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23588 | TensorFlow: DoS via crafted SavedModel crashes Grappler | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23584 | TensorFlow: use-after-free in PNG decode causes DoS | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23581 | TensorFlow: DoS via Grappler optimizer CHECK failure | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23579 | TensorFlow: DoS via Grappler optimizer CHECK failure | tensorflow | 6.5 |
| MEDIUM | CVE-2026-39377 | nbconvert: path traversal enables arbitrary file write | nbconvert | 6.5 |
| MEDIUM | CVE-2026-35492 | kedro-datasets: path traversal enables arbitrary file write | kedro-datasets | 6.5 |
| MEDIUM | CVE-2024-53526 | Composio: command injection in AI agent tool calls | | 6.4 |
| MEDIUM | CVE-2025-68146 | | | 6.3 |
| MEDIUM | CVE-2026-4963 | smolagents: code injection via incomplete sandbox fix | smolagents | 6.3 |
| MEDIUM | CVE-2022-23563 | TensorFlow: TOC/TOU race allows temp file hijacking | tensorflow | 6.3 |
| MEDIUM | CVE-2024-31462 | stable-diffusion-webui: path traversal file write | | 6.3 |
| MEDIUM | CVE-2024-6577 | TorchServe: unverified S3 bucket exposes benchmark data | | 6.3 |
| MEDIUM | CVE-2026-7700 | Langflow: eval() code injection → remote code execution | langflow | 6.3 |
| MEDIUM | CVE-2025-6210 | llama-index Obsidian reader: hardlink path traversal leaks files | llama-index-readers-obsidian | 6.2 |
| MEDIUM | GHSA-qq9g-96v4-m3cj | | | 6.1 |
| MEDIUM | GHSA-564p-rx2q-4c8v | BentoML: open redirect exposes ML teams to phishing | bentoml | 6.1 |
| MEDIUM | CVE-2026-44897 | mistune: XSS via unescaped heading id= attribute | mistune | 6.1 |
| MEDIUM | CVE-2020-15200 | TensorFlow: heap overflow in RaggedCountSparseOutput DoS | tensorflow | 5.9 |
| MEDIUM | CVE-2024-12910 | llama-index: DoS via infinite recursion in web reader | llama-index | 5.9 |
| MEDIUM | CVE-2026-1778 | sagemaker: security flaw enables exploitation | sagemaker | 5.9 |
| MEDIUM | CVE-2025-0508 | SageMaker SDK: MD5 collision silently replaces ML workflows | sagemaker | 5.9 |
| MEDIUM | CVE-2026-34760 | vLLM: audio downmix mismatch enables adversarial input | | 5.9 |
| MEDIUM | CVE-2024-1455 | LangChain: Billion Laughs XML expansion causes DoS | langchain | 5.9 |
| MEDIUM | CVE-2020-15199 | TensorFlow: DoS via malformed ragged tensor input | tensorflow | 5.9 |
| MEDIUM | CVE-2026-27167 | gradio: Weak Credentials allow account compromise | gradio | 5.9 |
| MEDIUM | CVE-2025-52967 | MLflow: unauthenticated SSRF in gateway proxy | mlflow | 5.8 |
| MEDIUM | CVE-2025-8917 | clearml: path traversal in safe_extract → RCE risk | clearml | 5.8 |
| MEDIUM | CVE-2026-7020 | Ollama: path traversal in tensor model transfer handler | ollama | 5.6 |
| MEDIUM | CVE-2026-40190 | langsmith: prototype pollution enables auth bypass, RCE | langsmith | 5.6 |
| MEDIUM | CVE-2026-7669 | SGLang: deserialization in tokenizer loader enables RCE | sglang | 5.6 |
| MEDIUM | CVE-2026-7141 | vllm: uninitialized KV cache memory leaks inference data | vllm | 5.6 |
| MEDIUM | CVE-2021-29581 | TensorFlow: DoS via null buffer in CTCBeamSearchDecoder | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29554 | TensorFlow: divide-by-zero DoS in DenseCountSparseOutput | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29516 | TensorFlow: null ptr deref crashes RaggedTensor ops | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29572 | TensorFlow: null ptr deref crashes SdcaOptimizer op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29517 | TensorFlow: Conv3D div-by-zero crashes ML processes | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29541 | TensorFlow: null ptr deref DoS in StringNGrams op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29551 | TensorFlow: OOB read DoS in MatrixTriangularSolve kernel | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29562 | TensorFlow: assertion failure DoS in IRFFT op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29550 | TensorFlow: FractionalAvgPool DoS via divide-by-zero | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29521 | TensorFlow: DoS crash via negative sparse tensor shape | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29519 | TensorFlow SparseCross: type confusion DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29528 | TensorFlow: DoS via division-by-zero in QuantizedMul | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29548 | TensorFlow: DoS via division by zero in QuantizedBatchNorm | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29549 | TensorFlow: divide-by-zero DoS in quantized batch norm op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29565 | TensorFlow: null ptr dereference crashes sparse ops | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29556 | TensorFlow: DoS via divide-by-zero in Reverse op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29555 | TensorFlow: FusedBatchNorm divide-by-zero crashes ML jobs | tensorflow | 5.5 |
| MEDIUM | CVE-2026-40610 | BentoML: symlink traversal exfiltrates host secrets at build | bentoml | 5.5 |
| MEDIUM | CVE-2025-3121 | PyTorch: memory corruption in JIT flatbuffer loader | pytorch | 5.5 |
| MEDIUM | CVE-2025-2953 | PyTorch: DoS via mkldnn_max_pool2d resource leak | pytorch | 5.5 |
| MEDIUM | CVE-2025-1474 | MLflow: passwordless accounts enable persistent backdoor | mlflow | 5.5 |
| MEDIUM | CVE-2025-12343 | ffmpeg: security flaw enables exploitation | | 5.5 |
| MEDIUM | CVE-2022-29213 | TensorFlow: input validation DoS in FFT signal ops | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29212 | TensorFlow Lite: quantization assert crash (DoS) | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29210 | TensorFlow: heap OOB in TensorKey causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29209 | TensorFlow: CHECK macro type confusion causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29206 | TensorFlow: SparseTensorDenseAdd null ptr deref DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29205 | TensorFlow: NULL deref DoS via compat.v1 ops | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29204 | TensorFlow: DoS via UnsortedSegmentJoin input validation | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29202 | TensorFlow: DoS via ragged tensor memory exhaustion | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29201 | TensorFlow: QuantizedConv2D null deref crashes model server | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29207 | TensorFlow: null-ptr deref in eager mode causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29200 | TensorFlow: LSTMBlockCell DoS via invalid tensor rank | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29199 | TensorFlow: CHECK-fail DoS in LoadAndRemapMatrix op | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29197 | TensorFlow: DoS via UnsortedSegmentJoin input validation | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29193 | TensorFlow: DoS via TensorSummaryV2 input validation failure | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29192 | TensorFlow: DoS via QuantizeAndDequantize input validation | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29191 | TensorFlow: DoS via GetSessionTensor input validation | tensorflow | 5.5 |
| MEDIUM | CVE-2022-23594 | TensorFlow MLIR: heap OOB via malicious SavedModel file | tensorflow | 5.5 |
| MEDIUM | CVE-2024-31584 | PyTorch: OOB read in mobile model loader leaks memory | pytorch | 5.5 |
| MEDIUM | CVE-2026-34447 | ONNX: symlink traversal reads host files via model loading | onnx | 5.5 |
| MEDIUM | CVE-2021-41227 | TensorFlow: OOB read in ImmutableConst leaks memory | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41222 | TensorFlow: SplitV negative arg segfault crashes process | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41218 | TensorFlow: AllToAll DoS via divide-by-zero crash | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41209 | TensorFlow: DoS via division-by-zero in conv ops | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41207 | TensorFlow: ParallelConcat div-by-zero crashes ML process | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41202 | TensorFlow tf.range: integer overflow in kernel causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41217 | TensorFlow: null pointer crash in control flow graph | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41215 | TensorFlow: DeserializeSparse null deref causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41204 | TensorFlow: DoS via Grappler constant folding segfault | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41200 | TensorFlow: DoS crash in tf.summary file writer | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41196 | TensorFlow: integer underflow crashes Keras pooling layers | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41195 | TensorFlow: integer overflow in segment ops causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37692 | TensorFlow: string tensor GC segfault causes process DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37691 | TensorFlow TFLite: DoS via crafted model in LSH kernel | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37687 | TFLite: heap OOB read via negative indices in GatherNd | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37685 | TensorFlow Lite: OOB read leaks heap memory in expand_dims | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37684 | TensorFlow TFLite: DoS via division by zero in pooling | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37677 | TensorFlow: DoS via invalid Dequantize axis argument | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37674 | TensorFlow: DoS via MaxPoolGrad invalid tensor input | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37673 | TensorFlow: MapStage CHECK-fail causes process DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37672 | TensorFlow: heap OOB read in SdcaOptimizerV2 | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37670 | TensorFlow: heap OOB read in sorting ops | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37689 | TensorFlow Lite: MLIR null ptr deref crashes inference | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37688 | TensorFlow Lite: DoS via crafted TFLite model file | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37686 | TFLite: infinite loop DoS via crafted strided slice model | tensorflow | 5.5 |
| MEDIUM | CVE-2026-40159 | PraisonAI: MCP env inheritance exposes API keys | PraisonAI | 5.5 |
| MEDIUM | CVE-2021-37680 | TFLite: division by zero crashes fully connected layers | tensorflow | 5.5 |
| MEDIUM | CVE-2025-3730 | PyTorch: DoS via ctc_loss resource mishandling | pytorch | 5.5 |
| MEDIUM | CVE-2021-37661 | TensorFlow: integer sign conversion DoS in boosted trees | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29522 | TensorFlow: Conv3DBackprop div-by-zero crashes training | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29523 | TensorFlow: DoS via integer overflow in sparse ops | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29524 | TensorFlow: div-by-zero DoS in Conv2D backprop op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37646 | TensorFlow: StringNGrams integer overflow triggers DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37645 | TensorFlow: integer overflow in quantize grad causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37644 | TensorFlow: DoS via negative TensorListReserve input | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37649 | TensorFlow: null ptr deref crashes inference via bad tensor | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37647 | TensorFlow: null deref in SparseTensor ops causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29527 | TensorFlow: divide-by-zero DoS in QuantizedConv2D | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37637 | TensorFlow: null ptr dereference in CompressElement (DoS) | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37660 | TensorFlow: DoS via divide-by-zero in inplace ops | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37653 | TensorFlow: DoS via divide-by-zero in ResourceGather op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37642 | TensorFlow: ResourceScatterDiv div-by-zero enables DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37640 | TensorFlow: SparseReshape div-by-zero crashes ML pipelines | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37636 | TensorFlow: div-by-zero DoS in SparseDenseCwiseDiv op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29619 | TensorFlow: DoS via invalid SparseCount op args | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29618 | TensorFlow: DoS crash via tf.transpose complex+conjugate | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29617 | TensorFlow: DoS via CHECK-fail in strings.substr | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29534 | TensorFlow: DoS via CHECK-fail in SparseConcat op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29538 | TensorFlow: div-by-zero DoS in Conv2DBackpropFilter | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29539 | TensorFlow: type confusion in ImmutableConst causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29605 | TFLite: integer overflow DoS via crafted model file | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29604 | TFLite: DoS via division by zero in hashtable lookup | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29544 | TensorFlow: DoS via missing tensor rank validation | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29545 | TensorFlow: heap OOB write in sparse tensor DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29547 | TensorFlow: OOB read DoS via empty tensor in QuantizedBatchNorm | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29557 | TensorFlow: FPE in SparseMatMul causes process DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29561 | TensorFlow: DoS via malformed LoadAndRemapMatrix input | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29563 | TensorFlow: DoS via RFFT empty matrix assertion crash | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29573 | TensorFlow: div-by-zero in MaxPoolGrad op causes DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29542 | TensorFlow: StringNGrams heap overflow crashes ML process | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29552 | TensorFlow: DoS via empty num_segments tensor assertion | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29575 | TensorFlow: stack overflow DoS in ReverseSequence op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29584 | TensorFlow: integer overflow DoS in SparseSplit op | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29580 | TensorFlow: DoS via empty tensor in FractionalMaxPoolGrad | tensorflow | 5.5 |
| MEDIUM | CVE-2020-15198 | TensorFlow: heap OOB in SparseCountSparseOutput ops | tensorflow | 5.4 |
| MEDIUM | CVE-2026-27578 | n8n: XSS enables session hijacking | n8n | 5.4 |
| MEDIUM | CVE-2024-3099 | MLflow: URL encoding bypass enables model poisoning | mlflow | 5.4 |
| MEDIUM | CVE-2025-46148 | PyTorch: PairwiseDistance silent miscalculation, integrity risk | pytorch | 5.3 |
| MEDIUM | CVE-2025-2998 | PyTorch: memory corruption in RNN pad_packed_sequence | pytorch | 5.3 |
| MEDIUM | GHSA-926x-3r5x-gfhw | LangChain: f-string template injection exposes object internals | langchain-core | 5.3 |
| MEDIUM | CVE-2025-2999 | PyTorch: memory corruption in RNN sequence unpacking | pytorch | 5.3 |
| MEDIUM | CVE-2025-3000 | PyTorch: memory corruption in torch.jit.script compiler | pytorch | 5.3 |
| MEDIUM | CVE-2025-3263 | Transformers: ReDoS in config loader causes serving DoS | transformers | 5.3 |
| MEDIUM | CVE-2025-3001 | PyTorch: lstm_cell memory corruption, local code exec | pytorch | 5.3 |
| MEDIUM | CVE-2025-3264 | Transformers: ReDoS in dynamic module loader causes DoS | transformers | 5.3 |
| MEDIUM | CVE-2026-6608 | FastChat: control flow flaw corrupts arena comparison | fschat | 5.3 |
| MEDIUM | CVE-2025-3044 | llama-index ArxivReader: MD5 collision corrupts training data | llama-index-readers-papers | 5.3 |
| MEDIUM | CVE-2025-3933 | Transformers: ReDoS in DonutProcessor causes DoS | transformers | 5.3 |
| MEDIUM | CVE-2025-5197 | Transformers: ReDoS in TF-to-PyTorch weight converter | transformers | 5.3 |
| MEDIUM | CVE-2025-6051 | Transformers: ReDoS in EnglishNormalizer exhausts CPU | transformers | 5.3 |
| MEDIUM | CVE-2025-46149 | PyTorch: reachable assertion in nn.Fold with inductor | pytorch | 5.3 |
| MEDIUM | CVE-2025-46150 | PyTorch: torch.compile silent output inconsistency | pytorch | 5.3 |
| MEDIUM | CVE-2025-46152 | PyTorch: OOB write causes incorrect bitwise shift results | pytorch | 5.3 |
| MEDIUM | CVE-2025-46153 | PyTorch: Dropout inconsistency enables membership inference | pytorch | 5.3 |
| MEDIUM | CVE-2025-55554 | PyTorch: integer overflow in nan_to_num causes DoS | pytorch | 5.3 |
| MEDIUM | CVE-2026-21851 | monai: Path Traversal enables file access | monai | 5.3 |
| MEDIUM | CVE-2025-6208 | llama-index-core: DoS causes service disruption | llama-index-core | 5.3 |
| MEDIUM | CVE-2020-26266 | TensorFlow: uninitialized memory read via crafted SavedModel | tensorflow | 5.3 |
| MEDIUM | CVE-2020-15204 | TensorFlow: null ptr deref DoS in eager mode ops | tensorflow | 5.3 |
| MEDIUM | CVE-2020-15191 | TensorFlow: null ptr deref in dlpack causes remote DoS | tensorflow | 5.3 |
| MEDIUM | CVE-2020-15190 | TensorFlow: null ptr deref DoS via Switch op eager runtime | tensorflow | 5.3 |
| MEDIUM | CVE-2026-4538 | AI component: Input Validation flaw enables exploitation | | 5.3 |
| MEDIUM | CVE-2024-10940 | langchain-core: file read via prompt template inputs | langchain-core | 5.3 |
| MEDIUM | CVE-2025-3108 | llama-index: RCE via unsafe pickle deserialization | llama-index-core | 5.0 |
| MEDIUM | CVE-2020-15211 | TensorFlow Lite: heap OOB RW via flatbuffer tensor index | tensorflow | 4.8 |
| MEDIUM | CVE-2023-41626 | Gradio: arbitrary file upload via /upload endpoint | gradio | 4.8 |
| MEDIUM | CVE-2020-15201 | TensorFlow: heap overflow in ragged tensor ops | tensorflow | 4.8 |
| MEDIUM | CVE-2026-34446 | ONNX: hardlink path traversal leaks sensitive files | onnx | 4.7 |
| MEDIUM | CVE-2026-28415 | gradio: Info Disclosure leaks sensitive data | gradio | 4.7 |
| MEDIUM | CVE-2024-5206 | scikit-learn: TfidfVectorizer leaks training data tokens | scikit-learn | 4.7 |
| MEDIUM | CVE-2023-2800 | Transformers: temp file race condition allows local DoS | transformers | 4.7 |
| MEDIUM | CVE-2020-26268 | TensorFlow: ImmutableConst segfault crashes Python interpreter | tensorflow | 4.4 |
| MEDIUM | GHSA-xgx4-2wgv-4jhm | | | 4.4 |
| MEDIUM | CVE-2024-2965 | langchain-community: DoS via recursive sitemap loop | langchain | 4.2 |
| MEDIUM | CVE-2026-27795 | LangChain: SSRF allows internal network access | | 4.1 |
| MEDIUM | CVE-2026-26019 | langchain_community: SSRF allows internal network access | langchain-community | 4.1 |
| MEDIUM | CVE-2024-31580 | PyTorch: heap buffer overflow causes local DoS | pytorch | 4.0 |
| MEDIUM | CVE-2020-15213 | TensorFlow Lite: OOM DoS via crafted segment sum model | tensorflow | 4.0 |
| LOW | CVE-2026-26013 | langchain-core: SSRF allows internal network access | langchain-core | 3.7 |
| LOW | CVE-2026-32722 | | | 3.6 |
| LOW | CVE-2025-3777 | Transformers: URL validation bypass exposes image pipeline | transformers | 3.5 |
| LOW | CVE-2025-4287 | PyTorch NCCL: local DoS in distributed training reduce op | | 3.3 |
| LOW | CVE-2025-63396 | pytorch: security flaw enables exploitation | pytorch | 3.3 |
| LOW | CVE-2024-4839 | lollms-webui: CSRF allows unauthorized AI service install | lollms-webui | 3.3 |
| LOW | CVE-2025-3136 | PyTorch: memory corruption in CUDA caching allocator | pytorch | 3.3 |
| LOW | GHSA-r7w7-9xr2-qq2r | langchain-openai: SSRF DNS rebinding, blind network probe | langchain-openai | 3.1 |
| LOW | CVE-2026-7846 | Langchain-Chatchat: TOCTOU race allows silent file overwrite | langchain-chatchat | 2.6 |
| LOW | CVE-2026-7845 | Langchain-Chatchat: weak image hash allows integrity bypass | langchain-chatchat | 2.6 |
| LOW | CVE-2025-2149 | PyTorch: improper init in quantized sigmoid skews model output | pytorch | 2.5 |
| HIGH | GHSA-vqmv-47xg-9wpr | picklescan: Deserialization enables RCE | picklescan | — |
| HIGH | GHSA-84r2-jw7c-4r5q | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| HIGH | GHSA-4675-36f9-wf6r | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| HIGH | GHSA-m273-6v24-x4m4 | picklescan: Deserialization enables RCE | picklescan | — |
| UNKNOWN | CVE-2025-14927 | transformers: Code Injection enables RCE | transformers | — |
| CRITICAL | CVE-2025-65015 | | | — |
| UNKNOWN | CVE-2025-14926 | transformers: Code Injection enables RCE | transformers | — |
| HIGH | CVE-2025-53000 | nbconvert: security flaw enables exploitation | | — |
| HIGH | GHSA-mxhj-88fx-4pcv | fickling: security flaw enables exploitation | fickling | — |
| MEDIUM | GHSA-mhc9-48gj-9gp3 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| UNKNOWN | CVE-2025-14930 | transformers: Deserialization enables RCE | transformers | — |
| HIGH | GHSA-wccx-j62j-r448 | fickling: Protection Bypass circumvents security controls | fickling | — |
| MEDIUM | CVE-2025-12058 | Keras: safe_mode bypass enables file read and SSRF | keras | — |
| CRITICAL | GHSA-m9mp-6x32-5rhg | scio/PyTorch: torch.load weights_only bypass RCE | | — |
| LOW | CVE-2025-59842 | JupyterLab: missing noopener enables reverse tabnabbing | | — |
| HIGH | GHSA-5r2p-pjr8-7fh7 | sagemaker: Allowlist Bypass evades input filtering | sagemaker | — |
| UNKNOWN | CVE-2026-42248 | Ollama: silent auto-update bypasses signature check on Windows | ollama | — |
| HIGH | GHSA-97f8-7cmv-76j2 | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| HIGH | CVE-2025-65106 | langchain-core: security flaw enables exploitation | langchain-core | — |
| MEDIUM | GHSA-q77w-mwjj-7mqx | picklescan: scanner bypass enables model RCE | picklescan | — |
| MEDIUM | GHSA-49gj-c84q-6qm9 | picklescan: scanner bypass enables RCE via ML model files | picklescan | — |
| LOW | GHSA-83pf-v6qq-pwmr | fickling: Allowlist Bypass evades input filtering | fickling | — |
| MEDIUM | GHSA-9w88-8rmg-7g2p | picklescan: scan bypass allows silent RCE via ML models | picklescan | — |
| HIGH | CVE-2026-2472 | google-cloud-aiplatform: XSS enables session hijacking | | — |
| MEDIUM | GHSA-fqq6-7vqf-w3fg | picklescan: detection bypass allows undetected RCE in ML models | picklescan | — |
| MEDIUM | GHSA-r48f-3986-4f9c | fickling: Allowlist Bypass evades input filtering | fickling | — |
| MEDIUM | GHSA-hxvm-xjvf-93f3 | openclaw: env namespace injection steers agent runtime | openclaw | — |
| HIGH | CVE-2026-27622 | | | — |
| MEDIUM | GHSA-3vvq-q2qc-7rmp | openclaw: no integrity check on ClawHub plugin installs | openclaw | — |
| HIGH | CVE-2026-41486 | Ray: Parquet RCE via Arrow extension deserialization | ray | — |
| MEDIUM | GHSA-5cxw-w2xg-2m8h | fickling: Allowlist Bypass evades input filtering | fickling | — |
| MEDIUM | GHSA-3gf5-cxq9-w223 | picklescan: scanner bypass enables pickle RCE in ML models | picklescan | — |
| MEDIUM | GHSA-m869-42cg-3xwr | picklescan: scanner bypass enables RCE via ML models | picklescan | — |
| MEDIUM | GHSA-p9w7-82w4-7q8m | picklescan: detection bypass allows pickle RCE in ML pipelines | picklescan | — |
| HIGH | CVE-2026-25048 | xgrammar: security flaw enables exploitation | xgrammar | — |
| MEDIUM | GHSA-4whj-rm5r-c2v8 | picklescan: scanner bypass enables PyTorch gadget RCE | picklescan | — |
| MEDIUM | GHSA-9xph-j2h6-g47v | picklescan: scanner bypass enables RCE via model files | picklescan | — |
| MEDIUM | GHSA-v7x6-rv5q-mhwc | picklescan: bypass allows silent RCE in ML pipelines | picklescan | — |
| MEDIUM | CVE-2026-39398 | openclaw-claude-bridge: sandbox bypass exposes CLI tools | claude-code | — |
| MEDIUM | GHSA-8r4j-24qv-fmq9 | picklescan: RCE bypass enables ML supply chain attack | picklescan | — |
| MEDIUM | GHSA-cj3c-v495-4xqh | picklescan: security bypass enables RCE in ML pipelines | picklescan | — |
| UNKNOWN | CVE-2018-7575 | TensorFlow: buffer overflow, potential RCE in 1.7.x | tensorflow | — |
| UNKNOWN | CVE-2018-7577 | TensorFlow: Snappy memcpy overlap crash/mem disclosure | tensorflow | — |
| UNKNOWN | CVE-2018-10055 | TensorFlow XLA: heap overflow via crafted config file | tensorflow | — |
| MEDIUM | GHSA-3vg9-h568-4w9m | picklescan: RCE bypass via idlelib SetText evasion | picklescan | — |
| UNKNOWN | CVE-2018-7576 | TensorFlow: NPD in 1.6.x crashes ML runtime | tensorflow | — |
| HIGH | CVE-2026-33155 | deepdiff: DoS causes service disruption | | — |
| MEDIUM | GHSA-f54q-57x4-jg88 | picklescan: scanner bypass enables RCE in ML models | picklescan | — |
| CRITICAL | GHSA-955r-262c-33jc | telnyx: PyPI supply chain attack steals cloud creds | | — |
| HIGH | CVE-2026-33228 | | | — |
| MEDIUM | GHSA-x696-vm39-cp64 | picklescan: scan bypass allows RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-g344-hcph-8vgg | picklescan: scanner bypass enables RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-5qwp-399c-mjwf | picklescan: bypass enables undetected RCE in ML models | picklescan | — |
| MEDIUM | GHSA-vv6j-3g6g-2pvj | picklescan: PyTorch gadget bypasses scanner, enables RCE | picklescan | — |
| MEDIUM | GHSA-h3qp-7fh3-f8h4 | picklescan: detection bypass via PyTorch proxy RCE | picklescan | — |
| UNKNOWN | CVE-2026-27489 | ONNX: symlink path traversal allows arbitrary file read | onnx | — |
| MEDIUM | GHSA-f745-w6jp-hpxx | picklescan: RCE bypass via torch.utils.collect_env | picklescan | — |
| UNKNOWN | CVE-2024-4181 | llama_index: RCE via eval() in RunGptLLM connector | llamaindex | — |
| UNKNOWN | CVE-2024-3924 | text-generation-inference: workflow injection RCE | | — |
| MEDIUM | GHSA-f4x7-rfwp-v3xw | picklescan: scanner bypass enables RCE via PyTorch function | picklescan | — |
| MEDIUM | CVE-2026-34452 | Anthropic SDK: TOCTOU symlink escape in async memory tool | anthropic | — |
| UNKNOWN | CVE-2024-4254 | Gradio: secrets exfiltration via unsafe fork PR workflow | gradio | — |
| MEDIUM | GHSA-86cj-95qr-2p4f | picklescan: detection bypass enables PyTorch model RCE | picklescan | — |
| HIGH | GHSA-9gvj-pp9x-gcfr | picklescan: detection bypass allows malicious pickle exec | picklescan | — |
| MEDIUM | CVE-2025-54952 | ExecuTorch: integer overflow enables RCE via model loading | executorch | — |
| MEDIUM | CVE-2026-34450 | anthropic-sdk: insecure file perms expose agent memory | anthropic | — |
| UNKNOWN | CVE-2024-4897 | lollms-webui: RCE via malicious GGUF model loading | | — |
| HIGH | CVE-2025-54413 | skops: RCE via MethodNode unsafe deserialization | skops | — |
| HIGH | CVE-2025-54412 | skops: OperatorFuncNode type confusion → RCE | skops | — |
| MEDIUM | CVE-2024-52524 | Giskard: ReDoS in text perturbation causes DoS | | — |
| UNKNOWN | CVE-2026-22561 | Claude Setup: DLL search-order hijacking LPE | | — |
| HIGH | CVE-2025-25295 | Label Studio SDK: path traversal leaks server filesystem | label-studio-sdk | — |
| MEDIUM | CVE-2025-1716 | picklescan: scanner bypass enables supply chain RCE | picklescan | — |
| UNKNOWN | CVE-2026-2492 | TensorFlow: security flaw enables exploitation | | — |
| HIGH | CVE-2026-33079 | mistune: ReDoS exposes Jupyter/AI services to DoS | mistune | — |
| HIGH | CVE-2026-42557 | JupyterLab: one-click RCE via notebook HTML cell output | notebook | — |
| LOW | CVE-2026-33624 | | | — |
| HIGH | CVE-2025-67748 | fickling: Code Injection enables RCE | fickling | — |
| CRITICAL | CVE-2026-44484 | pytorch-lightning: supply chain, credential harvesting | pytorch-lightning | — |
| HIGH | CVE-2025-67747 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | CVE-2025-46417 | picklescan: scanner bypass enables DNS data exfiltration | picklescan | — |
| HIGH | CVE-2026-35175 | Ajenti: missing authz lets any user install packages | | — |
| MEDIUM | GHSA-9q7v-8mr7-g23p | OpenClaw: SSRF in marketplace fetch hits internal AI infra | openclaw | — |
| UNKNOWN | CVE-2025-12638 | Keras: Path Traversal enables file access | | — |
| MEDIUM | CVE-2026-34451 | anthropic-ai/sdk: memory tool path traversal escape | @anthropic-ai/sdk | — |
| CRITICAL | CVE-2026-40157 | PraisonAI: path traversal allows arbitrary file write via recipe unpack | PraisonAI | — |
| UNKNOWN | CVE-2026-0769 | langflow: Code Injection enables RCE | langflow | — |
| HIGH | CVE-2026-22607 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| MEDIUM | CVE-2025-68131 | | | — |
| HIGH | CVE-2026-0897 | keras: Resource Exhaustion enables DoS | keras | — |
| HIGH | GHSA-46h3-79wf-xr6c | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | CVE-2025-64439 | langgraph-checkpoint: Deserialization enables RCE | langgraph-checkpoint | — |
| HIGH | CVE-2026-22609 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | CVE-2026-22612 | fickling: Deserialization enables RCE | fickling | — |
| UNKNOWN | CVE-2026-0771 | langflow: Code Injection enables RCE | langflow | — |
| UNKNOWN | CVE-2026-42249 | Ollama: path traversal + unsigned update = silent RCE | ollama | — |
| MEDIUM | CVE-2026-23528 | | | — |
| UNKNOWN | CVE-2026-0768 | langflow: Code Injection enables RCE | langflow | — |
| HIGH | CVE-2026-0770 | langflow: security flaw enables exploitation | langflow | — |
| UNKNOWN | CVE-2025-66479 | Anthropic: Protection Bypass circumvents security controls | | — |
| HIGH | CVE-2026-22608 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | CVE-2026-22606 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| MEDIUM | GHSA-fj43-3qmq-673f | picklescan: numpy bypass enables RCE in ML model pipelines | picklescan | — |
| HIGH | GHSA-9m3x-qqw2-h32h | picklescan: Deserialization enables RCE | picklescan | — |
| MEDIUM | GHSA-m7j5-r2p5-c39r | picklescan: Deserialization enables RCE | picklescan | — |
| UNKNOWN | CVE-2026-0772 | langflow: Deserialization enables RCE | langflow | — |
| HIGH | GHSA-9726-w42j-3qjr | picklescan: Path Traversal enables file access | picklescan | — |
| HIGH | GHSA-955r-x9j8-7rhh | picklescan: Code Injection enables RCE | picklescan | — |
| MEDIUM | GHSA-6556-fwc2-fg2p | picklescan: Code Injection enables RCE | picklescan | — |
| UNKNOWN | CVE-2026-42231 | n8n: prototype pollution → RCE via Git node SSH | n8n | — |
| MEDIUM | GHSA-h8r8-wccr-v5f2 | DOMPurify: mXSS bypass achieves XSS via parse-context switch | | — |
| CRITICAL | GHSA-5mg7-485q-xm76 | litellm: supply chain attack harvests AI API credentials | litellm | — |
| HIGH | GHSA-rrxm-2pvv-m66x | picklescan: Code Injection enables RCE | picklescan | — |
| MEDIUM | GHSA-cffc-mxrf-mhh4 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-3329-ghmp-jmv5 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-x843-g5mx-g377 | picklescan: Code Injection enables RCE | picklescan | — |
| UNKNOWN | CVE-2025-14929 | transformers: Deserialization enables RCE | transformers | — |
| CRITICAL | CVE-2026-25481 | langroid: Code Injection enables RCE | | — |
| HIGH | GHSA-r8g5-cgf2-4m4m | picklescan: Deserialization enables RCE | picklescan | — |