AI Threat Alert
ATLAS Landscape
AML.T0011.001
Malicious Package
Adversaries may develop malicious software packages that when imported by a user have a deleterious effect. Malicious packages may behave as expected to the user. They may be introduced via [AI Supply Chain Compromise](/techniques/AML.T0010). They may not present as obviously malicious to the user and may appear to be useful for an AI-related task.
30 CVEs mapped
View on MITRE ATLAS →
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2021-35958 | TensorFlow: path traversal in get_file allows file overwrite | tensorflow | 9.1 |
| HIGH | CVE-2026-42266 | JupyterLab: Extension allow-list bypass enables privesc | jupyterlab | 8.8 |
| HIGH | GHSA-m3mh-3mpg-37hw | OpenClaw: .npmrc hijack enables RCE on plugin install | openclaw | 8.6 |
| HIGH | CVE-2026-39307 | PraisonAI: Zip Slip enables arbitrary file write / RCE | PraisonAI | 8.1 |
| HIGH | CVE-2021-37681 | TensorFlow Lite: null ptr deref crashes SVDF inference | tensorflow | 7.8 |
| HIGH | CVE-2025-23298 | Merlin Transformers4Rec: code injection via Python dep | 7.8 | |
| HIGH | CVE-2021-4118 | pytorch-lightning: deserialization RCE via malicious checkpoint | pytorch_lightning | 7.8 |
| HIGH | CVE-2021-29612 | TensorFlow: heap overflow in linalg op, RCE risk | tensorflow | 7.8 |
| HIGH | CVE-2021-29577 | TensorFlow: heap overflow in AvgPool3DGrad op | tensorflow | 7.8 |
| HIGH | CVE-2026-40156 | PraisonAI: auto tools.py load enables local RCE | praisonai | 7.8 |
| HIGH | CVE-2026-21893 | n8n: Input Validation flaw enables exploitation | n8n | 7.2 |
| MEDIUM | CVE-2026-24123 | bentoml: Path Traversal enables file access | bentoml | 6.5 |
| MEDIUM | CVE-2026-40148 | PraisonAI: decompression bomb causes disk exhaustion | PraisonAI | 6.5 |
| MEDIUM | CVE-2026-1778 | sagemaker: security flaw enables exploitation | sagemaker | 5.9 |
| MEDIUM | CVE-2025-8917 | clearml: path traversal in safe_extract → RCE risk | clearml | 5.8 |
| MEDIUM | CVE-2021-41227 | TensorFlow: OOB read in ImmutableConst leaks memory | tensorflow | 5.5 |
| MEDIUM | CVE-2026-40159 | PraisonAI: MCP env inheritance exposes API keys | PraisonAI | 5.5 |
| MEDIUM | CVE-2026-21851 | monai: Path Traversal enables file access | monai | 5.3 |
| LOW | CVE-2024-4839 | lollms-webui: CSRF allows unauthorized AI service install | lollms-webui | 3.3 |
| MEDIUM | GHSA-3vvq-q2qc-7rmp | openclaw: no integrity check on ClawHub plugin installs | openclaw | — |
| UNKNOWN | CVE-2025-12638 | Keras: Path Traversal enables file access | — | |
| LOW | CVE-2025-59842 | JupyterLab: missing noopener enables reverse tabnabbing | — | |
| MEDIUM | CVE-2025-1716 | picklescan: scanner bypass enables supply chain RCE | picklescan | — |
| UNKNOWN | CVE-2026-2492 | TensorFlow: security flaw enables exploitation | — | |
| CRITICAL | GHSA-5mg7-485q-xm76 | litellm: supply chain attack harvests AI API credentials | litellm | — |
| CRITICAL | CVE-2026-44484 | pytorch-lightning: supply chain, credential harvesting | pytorch-lightning | — |
| CRITICAL | GHSA-955r-262c-33jc | telnyx: PyPI supply chain attack steals cloud creds | — | |
| HIGH | CVE-2026-27622 | — | ||
| HIGH | CVE-2026-35175 | Ajenti: missing authz lets any user install packages | — | |
| HIGH | CVE-2026-33228 | — |