ATLAS Landscape
AML.T0011.000
Unsafe AI Artifacts
Adversaries may develop unsafe AI artifacts that have a deleterious effect when executed, for example to establish persistent access to the systems that load them. Such artifacts may be introduced via an [AI Supply Chain Compromise](/techniques/AML.T0010). Serialization is the usual way models are stored, transferred and loaded, but serialization formats such as pickle can carry arbitrary code, so loading an artifact without proper checking presents an opportunity for code execution. The advisories mapped below also cover native parsers of model formats (memory corruption on malformed files), loaders that follow paths or URLs from the artifact, and the scanners meant to detect malicious artifacts.
285 advisories (CVE and GHSA) mapped
View on MITRE ATLAS →
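The following is an added worked example, not code from MITRE ATLAS or from any of the projects listed below. It shows the mechanism the paragraph above describes and the control that addresses it: a constructed pickle whose `__reduce__` makes the loader call `builtins.eval` (a harmless expression stands in for `os.system`), a static listing of the imports a pickle requests (the approach of tools such as picklescan and fickling, whose many bypass advisories appear in the table), and an allowlisting `Unpickler.find_class` that refuses anything not on the list. `Payload`, `ALLOWED_GLOBALS`, `list_imports` and the toy state dict are assumptions made for the illustration.

```python
import io
import pickle
import pickletools
from collections import OrderedDict


class Payload:
    """Constructed malicious object: its __reduce__ tells the unpickler to
    call builtins.eval on an attacker-chosen string. The string is harmless
    here; in a real artifact it would be os.system(...) or a dropper."""

    def __reduce__(self):
        return (eval, ("7 * 6",))


def build_malicious_pickle() -> bytes:
    """Constructed sample: what a weaponised checkpoint file contains."""
    return pickle.dumps(Payload(), protocol=4)


def build_benign_pickle() -> bytes:
    """Constructed sample: a toy state dict, as a benign checkpoint might store it."""
    return pickle.dumps(OrderedDict([("layer.weight", [0.1, 0.2])]), protocol=4)


def unsafe_loads(data: bytes):
    """What a naive loader does: pickle.loads runs whatever the file asks for."""
    return pickle.loads(data)


# Opcodes that push a str; STACK_GLOBAL (protocol 4+) consumes the last two.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def list_imports(data: bytes) -> list[tuple[str, str]]:
    """Triage aid: list the (module, name) pairs a pickle would import,
    without executing it. Handles GLOBAL and the plain STACK_GLOBAL form.
    It does not resolve memo references or other obfuscations, which is the
    class of trick behind the scanner-bypass advisories in the table, so
    treat its output as a hint, not as a gate."""
    imports, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            imports.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:
            imports.append((recent[-2], recent[-1]))
        elif op.name in STRING_OPS:
            recent.append(arg)
    return imports


# Enforcement point: only the globals a checkpoint legitimately needs.
# Hypothetical allowlist for this toy format; a real loader lists the
# reconstructors of its own tensor/container types and nothing else.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlisting unpickler: every import request, GLOBAL or STACK_GLOBAL,
    goes through find_class, so a gadget that evades a denylist scanner
    still fails here unless it is on the list."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_blocked(data: bytes) -> bool:
    """True if the restricted loader refuses the artifact."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    bad, good = build_malicious_pickle(), build_benign_pickle()
    print("imports in malicious file:", list_imports(bad))
    print("imports in benign file:   ", list_imports(good))
    print("naive load ran eval ->", unsafe_loads(bad))
    print("restricted load blocked malicious file:", load_is_blocked(bad))
    print("restricted load of benign file:", dict(safe_loads(good)))
```

`torch.load(weights_only=True)` is the same `find_class` allowlist idea with a larger list, and the table's entry for CVE-2025-32434 shows that such allowlists need maintenance too. The long run of picklescan and fickling bypass advisories is the reason a static scanner should be a triage step rather than the only control: the scanner has to anticipate every encoding of an import, while the allowlist only has to enumerate what the loader needs. Where a format that cannot carry code (for example safetensors) is available for the weights, prefer it over pickle.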
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2025-15379 | MLflow: RCE via unsanitized model dependency specs | mlflow | 10.0 |
| CRITICAL | GHSA-vvpj-8cmc-gx39 | picklescan: security flaw enables exploitation | picklescan | 10.0 |
| CRITICAL | CVE-2022-45907 | PyTorch: RCE via unsafe eval in JIT annotations | pytorch | 9.8 |
| CRITICAL | CVE-2023-43654 | TorchServe: SSRF + RCE via unrestricted model URL loading | torchserve | 9.8 |
| CRITICAL | CVE-2023-5245 | MLeap: zip slip in model loading enables RCE | | 9.8 |
| CRITICAL | CVE-2026-39890 | PraisonAI: YAML deserialization enables unauthenticated RCE | praisonai | 9.8 |
| CRITICAL | CVE-2024-2057 | LangChain TFIDFRetriever: SSRF/RCE via load_local | langchain | 9.8 |
| CRITICAL | CVE-2025-1550 | Keras: safe_mode bypass enables RCE via model loading | keras | 9.8 |
| CRITICAL | CVE-2024-12029 | InvokeAI: RCE via unsafe torch.load deserialization | | 9.8 |
| CRITICAL | CVE-2025-32434 | PyTorch: RCE bypasses weights_only=True safe-load guard | pytorch | 9.8 |
| CRITICAL | CVE-2025-30405 | ExecuTorch: integer overflow in model load → RCE | executorch | 9.8 |
| CRITICAL | CVE-2025-49655 | keras: Deserialization enables RCE | keras | 9.8 |
| CRITICAL | GHSA-ggpf-24jw-3fcw | vLLM: RCE via malicious model, PyTorch < 2.6 bypass | vllm | 9.8 |
| CRITICAL | CVE-2025-30404 | ExecuTorch: integer overflow RCE on model load | executorch | 9.8 |
| CRITICAL | CVE-2026-22807 | vllm: Code Injection enables RCE | vllm | 9.8 |
| CRITICAL | GHSA-vc46-vw85-3wvm | PraisonAI: RCE via malicious workflow YAML execution | PraisonAI | 9.8 |
| CRITICAL | GHSA-g38g-8gr9-h9xp | picklescan: Allowlist Bypass evades input filtering | picklescan | 9.8 |
| CRITICAL | CVE-2025-1945 | picklescan: ZIP flag bypass enables RCE in PyTorch models | picklescan | 9.8 |
| CRITICAL | CVE-2024-3660 | Keras: RCE via malicious model deserialization | keras | 9.8 |
| CRITICAL | CVE-2025-54951 | ExecuTorch: heap buffer overflow RCE in model loading | executorch | 9.8 |
| CRITICAL | CVE-2025-54949 | ExecuTorch: heap buffer overflow RCE via model loading | executorch | 9.8 |
| CRITICAL | CVE-2020-13092 | scikit-learn: RCE via malicious joblib model deserialization | scikit-learn | 9.8 |
| CRITICAL | GHSA-7wx9-6375-f5wh | picklescan: Allowlist Bypass evades input filtering | picklescan | 9.8 |
| CRITICAL | CVE-2025-53002 | LLaMA-Factory: RCE via unsafe checkpoint deserialization | llamafactory | 9.8 |
| CRITICAL | CVE-2025-54950 | ExecuTorch: OOB read in model loader enables RCE | executorch | 9.8 |
| CRITICAL | CVE-2024-27132 | MLflow: XSS in recipes enables client-side RCE | mlflow | 9.6 |
| CRITICAL | CVE-2025-15036 | MLflow: path traversal enables sandbox escape, file overwrite | mlflow | 9.6 |
| CRITICAL | CVE-2024-34359 | llama-cpp-python: SSTI in .gguf loader enables RCE | | 9.6 |
| CRITICAL | CVE-2024-3568 | HuggingFace Transformers: RCE via pickle deserialization | transformers | 9.6 |
| CRITICAL | CVE-2022-35937 | TensorFlow: GatherNd OOB read crashes inference servers | tensorflow | 9.1 |
| CRITICAL | CVE-2025-62608 | mlx: security flaw enables exploitation | mlx | 9.1 |
| CRITICAL | CVE-2025-15031 | mlflow: Path Traversal enables file access | mlflow | 9.1 |
| CRITICAL | CVE-2026-7482 | Ollama: heap OOB read leaks API keys and chat data | ollama | 9.1 |
| CRITICAL | CVE-2026-28500 | onnx: Integrity Verification bypass enables tampering | onnx | 9.1 |
| HIGH | CVE-2024-11392 | HuggingFace Transformers: RCE via config deserialization | transformers | 8.8 |
| HIGH | CVE-2026-6859 | InstructLab: RCE via hardcoded trust_remote_code flag | | 8.8 |
| HIGH | GHSA-j7w6-vpvq-j3gm | diffusers: silent RCE via None.py trust_remote_code bypass | diffusers | 8.8 |
| HIGH | CVE-2026-44513 | diffusers: trust_remote_code bypass enables silent RCE | diffusers | 8.8 |
| HIGH | CVE-2026-1462 | Keras: safe_mode bypass allows RCE via model deserialization | keras | 8.8 |
| HIGH | CVE-2026-33310 | | | 8.8 |
| HIGH | CVE-2026-35044 | BentoML: malicious bento archive RCE via Jinja2 SSTI | bentoml | 8.8 |
| HIGH | CVE-2018-8825 | TensorFlow 1.7: Buffer overflow enables arbitrary code exec | tensorflow | 8.8 |
| HIGH | CVE-2026-24747 | pytorch: Code Injection enables RCE | pytorch | 8.8 |
| HIGH | CVE-2026-27893 | vLLM: trust_remote_code bypass enables RCE | vllm | 8.8 |
| HIGH | CVE-2021-37678 | TensorFlow/Keras: RCE via YAML model deserialization | tensorflow | 8.8 |
| HIGH | CVE-2022-23558 | TFLite: integer overflow in model loading, RCE risk | tensorflow | 8.8 |
| HIGH | CVE-2022-23559 | TFLite: integer overflow in embedding lookup → heap OOB RW | tensorflow | 8.8 |
| HIGH | CVE-2022-23560 | TFLite: OOB read/write in sparse tensor → RCE | tensorflow | 8.8 |
| HIGH | CVE-2022-23561 | TensorFlow Lite: OOB write, arbitrary write primitive | tensorflow | 8.8 |
| HIGH | CVE-2023-6730 | HuggingFace Transformers: RCE via unsafe deserialization | transformers | 8.8 |
| HIGH | GHSA-hgrh-qx5j-jfwx | picklescan: Protection Bypass circumvents security controls | picklescan | 8.8 |
| HIGH | CVE-2024-37052 | MLflow: RCE via malicious scikit-learn model upload | mlflow | 8.8 |
| HIGH | CVE-2025-67729 | lmdeploy: Deserialization enables RCE | | 8.8 |
| HIGH | CVE-2024-37053 | MLflow: RCE via malicious scikit-learn model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37054 | MLflow: deserialization RCE via malicious PyFunc model | mlflow | 8.8 |
| HIGH | CVE-2024-37055 | MLflow: RCE via pmdarima model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37056 | MLflow: RCE via LightGBM model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37057 | MLflow: RCE via malicious TensorFlow model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37058 | MLflow: RCE via malicious LangChain model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37059 | MLflow: RCE via malicious PyTorch model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37060 | MLflow: RCE via deserialization in crafted Recipes | mlflow | 8.8 |
| HIGH | CVE-2024-37061 | MLflow: RCE via malicious MLproject file execution | mlflow | 8.8 |
| HIGH | CVE-2024-5187 | ONNX: path traversal in model download enables RCE | onnx | 8.8 |
| HIGH | CVE-2025-33213 | NVIDIA: Deserialization enables RCE | | 8.8 |
| HIGH | CVE-2024-11393 | Transformers: RCE via MaskFormer model deserialization | transformers | 8.8 |
| HIGH | CVE-2025-66448 | vllm: Code Injection enables RCE | vllm | 8.8 |
| HIGH | CVE-2024-11394 | Transformers: RCE via Trax model deserialization | transformers | 8.8 |
| HIGH | CVE-2025-24357 | vLLM: unsafe deserialization RCE via model loading | vllm | 8.8 |
| HIGH | CVE-2025-58757 | MONAI: unsafe pickle deserialization RCE in data pipeline | monai | 8.8 |
| HIGH | CVE-2025-58756 | MONAI: unsafe deserialization in CheckpointLoader allows RCE | monai | 8.8 |
| HIGH | CVE-2025-58755 | MONAI: path traversal allows arbitrary file write | monai | 8.8 |
| HIGH | CVE-2020-15212 | TensorFlow Lite: heap OOB write via segment sum op | tensorflow | 8.6 |
| HIGH | CVE-2026-28416 | gradio: SSRF allows internal network access | gradio | 8.6 |
| HIGH | CVE-2026-34445 | ONNX: property overwrite via crafted model file | onnx | 8.6 |
| HIGH | CVE-2025-54886 | skops: joblib fallback enables RCE via model load | skops | 8.4 |
| HIGH | CVE-2025-10157 | PickleScan: subclass bypass enables malicious model RCE | picklescan | 8.3 |
| HIGH | CVE-2024-39720 | Ollama: OOB read in GGUF parser enables remote DoS | ollama | 8.2 |
| HIGH | CVE-2020-15214 | TensorFlow Lite: OOB write in segment sum, memory corruption risk | tensorflow | 8.1 |
| HIGH | CVE-2022-41894 | TensorFlow Lite: buffer overflow in CONV_3D_TRANSPOSE op | tensorflow | 8.1 |
| HIGH | CVE-2025-30402 | ExecuTorch: heap overflow in method load, RCE risk | executorch | 8.1 |
| HIGH | CVE-2024-7776 | ONNX: path traversal in download_model enables RCE | onnx | 8.1 |
| HIGH | CVE-2021-37666 | TensorFlow: null-ptr deref in RaggedTensorToVariant op | tensorflow | 7.8 |
| HIGH | CVE-2026-27905 | bentoml: security flaw enables exploitation | bentoml | 7.8 |
| HIGH | CVE-2024-14021 | llamaindex: Deserialization enables RCE | llamaindex | 7.8 |
| HIGH | CVE-2025-10155 | picklescan: file extension bypass allows model RCE | picklescan | 7.8 |
| HIGH | CVE-2025-8747 | Keras: safe mode bypass enables RCE via model load | keras | 7.8 |
| HIGH | CVE-2025-46567 | LLaMA-Factory: RCE via torch.load() unsafe deserialization | llamafactory | 7.8 |
| HIGH | CVE-2025-5173 | label-studio-ml: PyTorch .pt deserialization RCE in YOLO loader | label-studio-ml | 7.8 |
| HIGH | CVE-2024-5998 | LangChain: RCE via FAISS pickle deserialization | langchain | 7.8 |
| HIGH | CVE-2024-34072 | SageMaker SDK: pickle deserialization enables RCE | | 7.8 |
| HIGH | CVE-2024-31583 | PyTorch: use-after-free in JIT mobile interpreter, RCE | pytorch | 7.8 |
| HIGH | CVE-2023-7018 | Transformers: unsafe deserialization enables RCE on load | transformers | 7.8 |
| HIGH | CVE-2021-4118 | pytorch-lightning: deserialization RCE via malicious checkpoint | pytorch_lightning | 7.8 |
| HIGH | CVE-2021-43811 | Sockeye: unsafe YAML load RCE via model config file | | 7.8 |
| HIGH | CVE-2021-41225 | TensorFlow Grappler: uninitialized var, local priv-esc | tensorflow | 7.8 |
| HIGH | CVE-2021-41216 | TensorFlow: heap overflow in Transpose via negative perm | tensorflow | 7.8 |
| HIGH | CVE-2021-41203 | TensorFlow: malformed checkpoint triggers overflow/crash | tensorflow | 7.8 |
| HIGH | CVE-2021-37665 | TensorFlow MKL: null-ptr/heap-OOB in requantization ops | tensorflow | 7.8 |
| HIGH | CVE-2021-37651 | TensorFlow: heap OOB r/w in FractionalAvgPoolGrad op | tensorflow | 7.8 |
| HIGH | CVE-2021-29606 | TensorFlow Lite: OOB read via crafted TFLite model | tensorflow | 7.8 |
| HIGH | CVE-2021-29603 | TensorFlow TFLite: heap OOB write via malformed model | tensorflow | 7.8 |
| HIGH | CVE-2021-29600 | TensorFlow TFLite: div-by-zero via crafted OneHot model | tensorflow | 7.8 |
| HIGH | CVE-2021-29599 | TFLite Split: malicious model triggers div-by-zero (DoS/RCE) | tensorflow | 7.8 |
| HIGH | CVE-2021-29598 | TensorFlow TFLite: SVDF div-by-zero enables RCE | tensorflow | 7.8 |
| HIGH | CVE-2021-29597 | TensorFlow TFLite: div-by-zero crash via crafted model | tensorflow | 7.8 |
| HIGH | CVE-2021-29596 | TensorFlow TFLite: div-by-zero in EmbeddingLookup op | tensorflow | 7.8 |
| HIGH | CVE-2021-29595 | TensorFlow TFLite: crash/RCE via malicious model file | tensorflow | 7.8 |
| HIGH | CVE-2021-29594 | TFLite: divide-by-zero in conv allows code execution | tensorflow | 7.8 |
| HIGH | CVE-2021-29593 | TensorFlow TFLite: div-by-zero via crafted model file | tensorflow | 7.8 |
| HIGH | CVE-2021-29592 | TensorFlow Lite: null-ptr deref in Reshape via 1D tensor | tensorflow | 7.8 |
| HIGH | CVE-2021-29571 | TensorFlow: heap OOB write via crafted bounding box op | tensorflow | 7.8 |
| HIGH | CVE-2021-29591 | TFLite: crafted model causes infinite loop / stack overflow | tensorflow | 7.8 |
| HIGH | CVE-2021-29589 | TFLite GatherNd: divide-by-zero crashes inference runtime | tensorflow | 7.8 |
| HIGH | CVE-2021-29588 | TensorFlow Lite: DoS/RCE via crafted model stride=0 | tensorflow | 7.8 |
| HIGH | CVE-2021-29587 | TensorFlow TFLite: divide-by-zero via crafted model file | tensorflow | 7.8 |
| HIGH | CVE-2021-29586 | TFLite: div-by-zero in pooling crashes inference engine | tensorflow | 7.8 |
| HIGH | CVE-2021-29585 | TensorFlow TFLite: divide-by-zero crashes ML inference | tensorflow | 7.8 |
| HIGH | CVE-2021-29546 | TensorFlow: div-by-zero in QuantizedBiasAdd, C/I/A high | tensorflow | 7.8 |
| HIGH | CVE-2021-29535 | TensorFlow: heap overflow in QuantizedMul op | tensorflow | 7.8 |
| HIGH | CVE-2018-8768 | Jupyter Notebook: XSS via malicious .ipynb file | notebook | 7.8 |
| HIGH | GHSA-89gg-p5r5-q6r4 | MONAI: pickle deserialization RCE in Auto3DSeg | monai | 7.7 |
| HIGH | CVE-2024-45436 | Ollama: ZIP path traversal exposes host filesystem | ollama | 7.5 |
| HIGH | CVE-2022-36011 | TensorFlow: null deref DoS in MLIR function conversion | tensorflow | 7.5 |
| HIGH | CVE-2023-27579 | TensorFlow Lite: FPE in tflite model crashes inference runtime | tensorflow | 7.5 |
| HIGH | CVE-2020-28975 | scikit-learn: DoS via crafted SVM model deserialization | scikit-learn | 7.5 |
| HIGH | CVE-2020-15206 | TensorFlow: SavedModel protobuf DoS in inference serving | tensorflow | 7.5 |
| HIGH | CVE-2025-62609 | mlx: security flaw enables exploitation | mlx | 7.5 |
| HIGH | CVE-2025-66960 | ollama: Input Validation flaw enables exploitation | ollama | 7.5 |
| HIGH | CVE-2025-0317 | Ollama: DoS via malicious GGUF model file upload | ollama | 7.5 |
| HIGH | CVE-2025-0315 | Ollama: GGUF model upload causes memory exhaustion DoS | ollama | 7.5 |
| HIGH | CVE-2025-0312 | Ollama: null pointer DoS via malicious GGUF model upload | ollama | 7.5 |
| HIGH | CVE-2025-10156 | Picklescan: CRC bypass hides malicious pickle in ZIP | picklescan | 7.5 |
| HIGH | CVE-2024-12055 | Ollama: DoS via malicious gguf model file upload | ollama | 7.5 |
| HIGH | CVE-2024-8063 | ollama: divide-by-zero DoS via crafted GGUF model import | ollama | 7.5 |
| HIGH | CVE-2025-2148 | PyTorch: memory corruption in JIT profiler callback handler | pytorch | 7.5 |
| HIGH | CVE-2022-23590 | TensorFlow: DoS via malicious SavedModel GraphDef | tensorflow | 7.5 |
| HIGH | CVE-2022-23591 | TensorFlow: SavedModel stack overflow via recursive GraphDef | tensorflow | 7.5 |
| HIGH | CVE-2025-55560 | PyTorch: DoS via sparse/dense tensor Inductor compile | pytorch | 7.5 |
| HIGH | CVE-2026-1669 | keras: File Control enables path manipulation | keras | 7.5 |
| HIGH | CVE-2026-44549 | open-webui: XSS via XLSX preview enables session hijack | open-webui | 7.3 |
| HIGH | CVE-2025-9905 | Keras: safe_mode bypass enables RCE via .h5 model files | keras | 7.3 |
| HIGH | CVE-2026-39306 | PraisonAI: recipe path traversal allows arbitrary file write | PraisonAI | 7.3 |
| HIGH | CVE-2025-9906 | Keras: safe_mode bypass enables RCE via model load | keras | 7.3 |
| HIGH | CVE-2026-44566 | Open WebUI: path traversal + file upload leads to RCE | open-webui | 7.3 |
| HIGH | CVE-2026-1777 | sagemaker: security flaw enables exploitation | sagemaker | 7.2 |
| HIGH | CVE-2021-29601 | TensorFlow Lite: integer overflow in model concatenation | tensorflow | 7.1 |
| HIGH | CVE-2021-29590 | TensorFlow TFLite: OOB read via empty tensor in Min/Max ops | tensorflow | 7.1 |
| HIGH | CVE-2021-37635 | TensorFlow: heap OOB read in sparse reduction ops | tensorflow | 7.1 |
| HIGH | CVE-2021-37682 | TFLite: uninitialized quant params corrupt inference | tensorflow | 7.1 |
| HIGH | GHSA-q56x-g2fj-4rj6 | onnx: TOCTOU symlink following enables arbitrary file write | onnx | 7.1 |
| MEDIUM | CVE-2022-23586 | TensorFlow: SavedModel DoS crashes Python interpreter | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23589 | TensorFlow Grappler: DoS via malicious SavedModel | tensorflow | 6.5 |
| MEDIUM | CVE-2026-39377 | nbconvert: path traversal enables arbitrary file write | nbconvert | 6.5 |
| MEDIUM | CVE-2022-21741 | TensorFlow Lite: DoS via crafted depthwise conv model | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23557 | TensorFlow TFLite: DoS via divide-by-zero in BiasAndClamp | tensorflow | 6.5 |
| MEDIUM | CVE-2020-15210 | TensorFlow Lite: memory corruption via aliased tensors | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23565 | TensorFlow: DoS via malicious SavedModel AttrDef duplication | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23579 | TensorFlow: DoS via Grappler optimizer CHECK failure | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23581 | TensorFlow: DoS via Grappler optimizer CHECK failure | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23582 | TensorFlow: SavedModel CHECK-fail causes DoS | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23583 | TensorFlow: SavedModel type confusion triggers DoS crash | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23588 | TensorFlow: DoS via crafted SavedModel crashes Grappler | tensorflow | 6.5 |
| MEDIUM | CVE-2026-39378 | nbconvert: path traversal exfiltrates files via HTML export | nbconvert | 6.5 |
| MEDIUM | CVE-2026-1839 | HuggingFace Transformers: RCE via malicious checkpoint load | transformers | 6.5 |
| MEDIUM | CVE-2025-1944 | picklescan: ZIP spoof lets malicious PyTorch models bypass scan | picklescan | 6.5 |
| MEDIUM | CVE-2020-15209 | TensorFlow Lite: null ptr deref crashes model inference | tensorflow | 5.9 |
| MEDIUM | CVE-2021-29602 | TensorFlow TFLite: DepthwiseConv division-by-zero DoS | tensorflow | 5.5 |
| MEDIUM | CVE-2025-3121 | PyTorch: memory corruption in JIT flatbuffer loader | pytorch | 5.5 |
| MEDIUM | CVE-2025-2953 | PyTorch: DoS via mkldnn_max_pool2d resource leak | pytorch | 5.5 |
| MEDIUM | CVE-2024-31584 | PyTorch: OOB read in mobile model loader leaks memory | pytorch | 5.5 |
| MEDIUM | CVE-2022-29212 | TensorFlow Lite: quantization assert crash (DoS) | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29197 | TensorFlow: DoS via UnsortedSegmentJoin input validation | tensorflow | 5.5 |
| MEDIUM | CVE-2022-23594 | TensorFlow MLIR: heap OOB via malicious SavedModel file | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41213 | TensorFlow: tf.function deadlock enables DoS via model load | tensorflow | 5.5 |
| MEDIUM | CVE-2021-41217 | TensorFlow: null pointer crash in control flow graph | tensorflow | 5.5 |
| MEDIUM | CVE-2026-34447 | ONNX: symlink traversal reads host files via model loading | onnx | 5.5 |
| MEDIUM | CVE-2021-37691 | TensorFlow TFLite: DoS via crafted model in LSH kernel | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37687 | TFLite: heap OOB read via negative indices in GatherNd | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37685 | TensorFlow Lite: OOB read leaks heap memory in expand_dims | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37689 | TensorFlow Lite: MLIR null ptr deref crashes inference | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37688 | TensorFlow Lite: DoS via crafted TFLite model file | tensorflow | 5.5 |
| MEDIUM | CVE-2021-37686 | TFLite: infinite loop DoS via crafted strided slice model | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29615 | TensorFlow: uncontrolled recursion DoS in ParseAttrValue | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29605 | TFLite: integer overflow DoS via crafted model file | tensorflow | 5.5 |
| MEDIUM | CVE-2021-29604 | TFLite: DoS via division by zero in hashtable lookup | tensorflow | 5.5 |
| MEDIUM | CVE-2025-12343 | ffmpeg: security flaw enables exploitation | | 5.5 |
| MEDIUM | CVE-2023-48299 | TorchServe: ZipSlip arbitrary file write via model upload | torchserve | 5.3 |
| MEDIUM | CVE-2020-26266 | TensorFlow: uninitialized memory read via crafted SavedModel | tensorflow | 5.3 |
| MEDIUM | CVE-2025-3264 | Transformers: ReDoS in dynamic module loader causes DoS | transformers | 5.3 |
| MEDIUM | CVE-2026-4538 | AI component: Input Validation flaw enables exploitation | | 5.3 |
| MEDIUM | CVE-2025-3108 | llama-index: RCE via unsafe pickle deserialization | llama-index-core | 5.0 |
| MEDIUM | CVE-2023-41626 | Gradio: arbitrary file upload via /upload endpoint | gradio | 4.8 |
| MEDIUM | CVE-2020-15211 | TensorFlow Lite: heap OOB RW via flatbuffer tensor index | tensorflow | 4.8 |
| MEDIUM | CVE-2026-34446 | ONNX: hardlink path traversal leaks sensitive files | onnx | 4.7 |
| MEDIUM | CVE-2020-15213 | TensorFlow Lite: OOM DoS via crafted segment sum model | tensorflow | 4.0 |
| LOW | CVE-2020-26271 | TensorFlow: OOB read on saved model load leaks heap addresses | tensorflow | 3.3 |
| HIGH | GHSA-84r2-jw7c-4r5q | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| HIGH | GHSA-4675-36f9-wf6r | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| HIGH | GHSA-5hwf-rc88-82xm | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-m273-6v24-x4m4 | picklescan: Deserialization enables RCE | picklescan | — |
| HIGH | GHSA-97f8-7cmv-76j2 | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| UNKNOWN | CVE-2025-14928 | transformers: Code Injection enables RCE | transformers | — |
| MEDIUM | GHSA-p9w7-82w4-7q8m | picklescan: detection bypass allows pickle RCE in ML pipelines | picklescan | — |
| MEDIUM | CVE-2025-54952 | ExecuTorch: integer overflow enables RCE via model loading | executorch | — |
| MEDIUM | GHSA-m869-42cg-3xwr | picklescan: scanner bypass enables RCE via ML models | picklescan | — |
| MEDIUM | GHSA-j343-8v2j-ff7w | picklescan: scanner bypass allows pickle-based RCE | picklescan | — |
| MEDIUM | GHSA-r54c-2xmf-2cf3 | ms-swift: RCE via pickle deserialization in adapter models | | — |
| HIGH | CVE-2025-54413 | skops: RCE via MethodNode unsafe deserialization | skops | — |
| UNKNOWN | CVE-2025-14927 | transformers: Code Injection enables RCE | transformers | — |
| HIGH | GHSA-9m3x-qqw2-h32h | picklescan: Deserialization enables RCE | picklescan | — |
| HIGH | CVE-2025-54412 | skops: OperatorFuncNode type confusion → RCE | skops | — |
| MEDIUM | GHSA-3gf5-cxq9-w223 | picklescan: scanner bypass enables pickle RCE in ML models | picklescan | — |
| LOW | GHSA-83pf-v6qq-pwmr | fickling: Allowlist Bypass evades input filtering | fickling | — |
| UNKNOWN | CVE-2025-14926 | transformers: Code Injection enables RCE | transformers | — |
| UNKNOWN | CVE-2026-27489 | ONNX: symlink path traversal allows arbitrary file read | onnx | — |
| MEDIUM | GHSA-fj43-3qmq-673f | picklescan: numpy bypass enables RCE in ML model pipelines | picklescan | — |
| MEDIUM | GHSA-fqq6-7vqf-w3fg | picklescan: detection bypass allows undetected RCE in ML models | picklescan | — |
| MEDIUM | GHSA-r48f-3986-4f9c | fickling: Allowlist Bypass evades input filtering | fickling | — |
| MEDIUM | GHSA-9w88-8rmg-7g2p | picklescan: scan bypass allows silent RCE via ML models | picklescan | — |
| UNKNOWN | CVE-2025-14924 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2024-4897 | lollms-webui: RCE via malicious GGUF model loading | | — |
| MEDIUM | GHSA-mhc9-48gj-9gp3 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| MEDIUM | CVE-2026-33865 | MLflow: stored XSS via MLmodel YAML artifact upload | mlflow | — |
| MEDIUM | GHSA-42mx-vp8m-j7qh | openclaw: sandbox escape via mirror mode hook execution | openclaw | — |
| UNKNOWN | CVE-2025-14921 | transformers: Deserialization enables RCE | transformers | — |
| MEDIUM | GHSA-5cxw-w2xg-2m8h | fickling: Allowlist Bypass evades input filtering | fickling | — |
| UNKNOWN | CVE-2025-14920 | transformers: Deserialization enables RCE | transformers | — |
| CRITICAL | CVE-2026-40157 | PraisonAI: path traversal allows arbitrary file write via recipe unpack | PraisonAI | — |
| MEDIUM | GHSA-49gj-c84q-6qm9 | picklescan: scanner bypass enables RCE via ML model files | picklescan | — |
| MEDIUM | GHSA-m7j5-r2p5-c39r | picklescan: Deserialization enables RCE | picklescan | — |
| MEDIUM | CVE-2025-12058 | Keras: safe_mode bypass enables file read and SSRF | keras | — |
| CRITICAL | GHSA-m9mp-6x32-5rhg | scio/PyTorch: torch.load weights_only bypass RCE | | — |
| MEDIUM | CVE-2025-1889 | picklescan: extension bypass enables RCE on model load | picklescan | — |
| MEDIUM | CVE-2025-1716 | picklescan: scanner bypass enables supply chain RCE | picklescan | — |
| MEDIUM | GHSA-q77w-mwjj-7mqx | picklescan: scanner bypass enables model RCE | picklescan | — |
| UNKNOWN | CVE-2025-12638 | Keras: Path Traversal enables file access | | — |
| HIGH | CVE-2026-42557 | JupyterLab: one-click RCE via notebook HTML cell output | notebook | — |
| HIGH | CVE-2025-67747 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | CVE-2026-41486 | Ray: Parquet RCE via Arrow extension deserialization | ray | — |
| HIGH | CVE-2025-67748 | fickling: Code Injection enables RCE | fickling | — |
| HIGH | CVE-2025-46417 | picklescan: scanner bypass enables DNS data exfiltration | picklescan | — |
| MEDIUM | GHSA-v7x6-rv5q-mhwc | picklescan: bypass allows silent RCE in ML pipelines | picklescan | — |
| HIGH | GHSA-mxhj-88fx-4pcv | fickling: security flaw enables exploitation | fickling | — |
| MEDIUM | GHSA-8r4j-24qv-fmq9 | picklescan: RCE bypass enables ML supply chain attack | picklescan | — |
| MEDIUM | GHSA-cj3c-v495-4xqh | picklescan: security bypass enables RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-7cq8-mj8x-j263 | picklescan: detection bypass allows malicious pickle RCE | picklescan | — |
| MEDIUM | GHSA-6w4w-5w54-rjvr | picklescan: detection bypass allows RCE via ML model files | picklescan | — |
| MEDIUM | GHSA-3vg9-h568-4w9m | picklescan: RCE bypass via idlelib SetText evasion | picklescan | — |
| MEDIUM | GHSA-f54q-57x4-jg88 | picklescan: scanner bypass enables RCE in ML models | picklescan | — |
| MEDIUM | GHSA-6vqj-c2q5-j97w | picklescan: scanner bypass enables RCE via ML models | picklescan | — |
| MEDIUM | GHSA-x696-vm39-cp64 | picklescan: scan bypass allows RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-g344-hcph-8vgg | picklescan: scanner bypass enables RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-5qwp-399c-mjwf | picklescan: bypass enables undetected RCE in ML models | picklescan | — |
| MEDIUM | GHSA-vv6j-3g6g-2pvj | picklescan: PyTorch gadget bypasses scanner, enables RCE | picklescan | — |
| MEDIUM | GHSA-vr7h-p6mm-wpmh | picklescan: PyTorch gadget bypasses pickle RCE detection | picklescan | — |
| MEDIUM | GHSA-h3qp-7fh3-f8h4 | picklescan: detection bypass via PyTorch proxy RCE | picklescan | — |
| MEDIUM | GHSA-f745-w6jp-hpxx | picklescan: RCE bypass via torch.utils.collect_env | picklescan | — |
| MEDIUM | GHSA-f4x7-rfwp-v3xw | picklescan: scanner bypass enables RCE via PyTorch function | picklescan | — |
| MEDIUM | GHSA-86cj-95qr-2p4f | picklescan: detection bypass enables PyTorch model RCE | picklescan | — |
| MEDIUM | GHSA-4r9r-ch6f-vxmx | picklescan: PyTorch bypass allows undetected RCE | picklescan | — |
| HIGH | GHSA-9gvj-pp9x-gcfr | picklescan: detection bypass allows malicious pickle exec | picklescan | — |
| HIGH | GHSA-9726-w42j-3qjr | picklescan: Path Traversal enables file access | picklescan | — |
| HIGH | CVE-2026-22606 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-955r-x9j8-7rhh | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | CVE-2026-22608 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | CVE-2026-22609 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| UNKNOWN | CVE-2018-7575 | TensorFlow: buffer overflow, potential RCE in 1.7.x | tensorflow | — |
| HIGH | CVE-2026-22612 | fickling: Deserialization enables RCE | fickling | — |
| MEDIUM | GHSA-9xph-j2h6-g47v | picklescan: scanner bypass enables RCE via model files | picklescan | — |
| MEDIUM | GHSA-4whj-rm5r-c2v8 | picklescan: scanner bypass enables PyTorch gadget RCE | picklescan | — |
| MEDIUM | GHSA-xp4f-hrf8-rxw7 | picklescan: scanner bypass leads to undetected RCE | picklescan | — |
| MEDIUM | GHSA-6556-fwc2-fg2p | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-rrxm-2pvv-m66x | picklescan: Code Injection enables RCE | picklescan | — |
| MEDIUM | GHSA-cffc-mxrf-mhh4 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-wccx-j62j-r448 | fickling: Protection Bypass circumvents security controls | fickling | — |
| HIGH | GHSA-3329-ghmp-jmv5 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-x843-g5mx-g377 | picklescan: Code Injection enables RCE | picklescan | — |
| UNKNOWN | CVE-2024-4181 | llama_index: RCE via eval() in RunGptLLM connector | llamaindex | — |
| HIGH | GHSA-vqmv-47xg-9wpr | picklescan: Deserialization enables RCE | picklescan | — |
| UNKNOWN | CVE-2025-14930 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14929 | transformers: Deserialization enables RCE | transformers | — |
| HIGH | GHSA-46h3-79wf-xr6c | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | CVE-2026-22607 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | CVE-2026-0897 | keras: Resource Exhaustion enables DoS | keras | — |
| HIGH | GHSA-r8g5-cgf2-4m4m | picklescan: Deserialization enables RCE | picklescan | — |