AI Threat Alert
ATLAS Landscape
AML.T0018.002
Embed Malware
Adversaries may embed malicious code into AI Model files. AI models may be packaged as a combination of instructions and weights. Some formats such as pickle files are unsafe to deserialize because they can contain unsafe calls such as exec. Models with embedded malware may still operate as expected. It may allow them to achieve Execution, Command & Control, or Exfiltrate Data.
161 CVEs mapped
View on MITRE ATLAS →
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | GHSA-vvpj-8cmc-gx39 | picklescan: security flaw enables exploitation | picklescan | 10.0 |
| CRITICAL | CVE-2024-3660 | Keras: RCE via malicious model deserialization | keras | 9.8 |
| CRITICAL | CVE-2020-13092 | scikit-learn: RCE via malicious joblib model deserialization | scikit-learn | 9.8 |
| CRITICAL | CVE-2023-5245 | MLeap: zip slip in model loading enables RCE | 9.8 | |
| CRITICAL | CVE-2023-43654 | TorchServe: SSRF + RCE via unrestricted model URL loading | torchserve | 9.8 |
| CRITICAL | CVE-2025-54949 | ExecuTorch: heap buffer overflow RCE via model loading | executorch | 9.8 |
| CRITICAL | CVE-2025-30404 | ExecuTorch: integer overflow RCE on model load | executorch | 9.8 |
| CRITICAL | CVE-2025-54950 | ExecuTorch: OOB read in model loader enables RCE | executorch | 9.8 |
| CRITICAL | CVE-2025-54951 | ExecuTorch: heap buffer overflow RCE in model loading | executorch | 9.8 |
| CRITICAL | GHSA-g38g-8gr9-h9xp | picklescan: Allowlist Bypass evades input filtering | picklescan | 9.8 |
| CRITICAL | GHSA-7wx9-6375-f5wh | picklescan: Allowlist Bypass evades input filtering | picklescan | 9.8 |
| CRITICAL | CVE-2025-53002 | LLaMA-Factory: RCE via unsafe checkpoint deserialization | llamafactory | 9.8 |
| CRITICAL | CVE-2025-32434 | PyTorch: RCE bypasses weights_only=True safe-load guard | pytorch | 9.8 |
| CRITICAL | CVE-2024-12029 | InvokeAI: RCE via unsafe torch.load deserialization | 9.8 | |
| CRITICAL | GHSA-ggpf-24jw-3fcw | vLLM: RCE via malicious model, PyTorch < 2.6 bypass | vllm | 9.8 |
| CRITICAL | CVE-2025-1550 | Keras: safe_mode bypass enables RCE via model loading | keras | 9.8 |
| CRITICAL | CVE-2025-1945 | picklescan: ZIP flag bypass enables RCE in PyTorch models | picklescan | 9.8 |
| CRITICAL | CVE-2025-49655 | keras: Deserialization enables RCE | keras | 9.8 |
| CRITICAL | CVE-2024-35198 | TorchServe: URL bypass enables arbitrary model loading | torchserve | 9.8 |
| CRITICAL | CVE-2026-22807 | vllm: Code Injection enables RCE | vllm | 9.8 |
| CRITICAL | CVE-2024-34359 | llama-cpp-python: SSTI in .gguf loader enables RCE | 9.6 | |
| CRITICAL | CVE-2024-3568 | HuggingFace Transformers: RCE via pickle deserialization | transformers | 9.6 |
| CRITICAL | CVE-2026-28500 | onnx: Integrity Verification bypass enables tampering | onnx | 9.1 |
| CRITICAL | CVE-2025-15031 | mlflow: Path Traversal enables file access | mlflow | 9.1 |
| CRITICAL | CVE-2025-33244 | NVIDIA: Deserialization enables RCE | 9.0 | |
| HIGH | CVE-2024-37055 | MLflow: RCE via pmdarima model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37054 | MLflow: deserialization RCE via malicious PyFunc model | mlflow | 8.8 |
| HIGH | CVE-2026-1462 | Keras: safe_mode bypass allows RCE via model deserialization | keras | 8.8 |
| HIGH | CVE-2024-37053 | MLflow: RCE via malicious scikit-learn model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37052 | MLflow: RCE via malicious scikit-learn model upload | mlflow | 8.8 |
| HIGH | CVE-2025-24357 | vLLM: unsafe deserialization RCE via model loading | vllm | 8.8 |
| HIGH | CVE-2018-8825 | TensorFlow 1.7: Buffer overflow enables arbitrary code exec | tensorflow | 8.8 |
| HIGH | CVE-2024-11394 | Transformers: RCE via Trax model deserialization | transformers | 8.8 |
| HIGH | CVE-2023-6730 | HuggingFace Transformers: RCE via unsafe deserialization | transformers | 8.8 |
| HIGH | CVE-2024-11393 | Transformers: RCE via MaskFormer model deserialization | transformers | 8.8 |
| HIGH | CVE-2024-11392 | HuggingFace Transformers: RCE via config deserialization | transformers | 8.8 |
| HIGH | CVE-2024-37059 | MLflow: RCE via malicious PyTorch model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37058 | MLflow: RCE via malicious LangChain model deserialization | mlflow | 8.8 |
| HIGH | CVE-2025-67729 | lmdeploy: Deserialization enables RCE | 8.8 | |
| HIGH | CVE-2024-37057 | MLflow: RCE via malicious TensorFlow model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37056 | MLflow: RCE via LightGBM model deserialization | mlflow | 8.8 |
| HIGH | CVE-2025-33213 | NVIDIA: Deserialization enables RCE | 8.8 | |
| HIGH | CVE-2026-6859 | InstructLab: RCE via hardcoded trust_remote_code flag | 8.8 | |
| HIGH | CVE-2024-37060 | MLflow: RCE via deserialization in crafted Recipes | mlflow | 8.8 |
| HIGH | CVE-2026-24747 | pytorch: Code Injection enables RCE | pytorch | 8.8 |
| HIGH | GHSA-hgrh-qx5j-jfwx | picklescan: Protection Bypass circumvents security controls | picklescan | 8.8 |
| HIGH | CVE-2022-23560 | TFLite: OOB read/write in sparse tensor → RCE | tensorflow | 8.8 |
| HIGH | CVE-2026-27893 | vLLM: trust_remote_code bypass enables RCE | vllm | 8.8 |
| HIGH | CVE-2025-58756 | MONAI: unsafe deserialization in CheckpointLoader allows RCE | monai | 8.8 |
| HIGH | CVE-2021-37678 | TensorFlow/Keras: RCE via YAML model deserialization | tensorflow | 8.8 |
| HIGH | CVE-2026-34445 | ONNX: property overwrite via crafted model file | onnx | 8.6 |
| HIGH | CVE-2025-54886 | skops: joblib fallback enables RCE via model load | skops | 8.4 |
| HIGH | CVE-2025-10157 | PickleScan: subclass bypass enables malicious model RCE | picklescan | 8.3 |
| HIGH | CVE-2025-68664 | langchain-core: Deserialization enables RCE | langchain_core | 8.2 |
| HIGH | CVE-2026-2033 | mlflow: Path Traversal enables file access | mlflow | 8.1 |
| HIGH | CVE-2021-4118 | pytorch-lightning: deserialization RCE via malicious checkpoint | pytorch_lightning | 7.8 |
| HIGH | CVE-2025-10155 | picklescan: file extension bypass allows model RCE | picklescan | 7.8 |
| HIGH | CVE-2025-8747 | Keras: safe mode bypass enables RCE via model load | keras | 7.8 |
| HIGH | CVE-2025-46567 | LLaMA-Factory: RCE via torch.load() unsafe deserialization | llamafactory | 7.8 |
| HIGH | CVE-2025-5173 | label-studio-ml: PyTorch .pt deserialization RCE in YOLO loader | label-studio-ml | 7.8 |
| HIGH | CVE-2024-5998 | LangChain: RCE via FAISS pickle deserialization | langchain | 7.8 |
| HIGH | CVE-2025-33233 | NVIDIA: Code Injection enables RCE | 7.8 | |
| HIGH | CVE-2024-34072 | SageMaker SDK: pickle deserialization enables RCE | 7.8 | |
| HIGH | CVE-2024-31583 | PyTorch: use-after-free in JIT mobile interpreter, RCE | pytorch | 7.8 |
| HIGH | CVE-2023-7018 | Transformers: unsafe deserialization enables RCE on load | transformers | 7.8 |
| HIGH | CVE-2021-43811 | Sockeye: unsafe YAML load RCE via model config file | 7.8 | |
| HIGH | CVE-2024-14021 | llamaindex: Deserialization enables RCE | llamaindex | 7.8 |
| HIGH | CVE-2026-27905 | bentoml: security flaw enables exploitation | bentoml | 7.8 |
| HIGH | GHSA-89gg-p5r5-q6r4 | MONAI: pickle deserialization RCE in Auto3DSeg | monai | 7.7 |
| HIGH | CVE-2025-10156 | Picklescan: CRC bypass hides malicious pickle in ZIP | picklescan | 7.5 |
| HIGH | CVE-2026-1669 | keras: File Control enables path manipulation | keras | 7.5 |
| HIGH | CVE-2026-44566 | Open WebUI: path traversal + file upload leads to RCE | open-webui | 7.3 |
| HIGH | CVE-2025-9905 | Keras: safe_mode bypass enables RCE via .h5 model files | keras | 7.3 |
| HIGH | CVE-2025-9906 | Keras: safe_mode bypass enables RCE via model load | keras | 7.3 |
| HIGH | CVE-2025-10279 | mlflow: security flaw enables exploitation | mlflow | 7.0 |
| MEDIUM | CVE-2026-28277 | langgraph: Deserialization enables RCE | langgraph | 6.8 |
| MEDIUM | CVE-2024-7034 | open-webui: path traversal allows arbitrary file write/RCE | open-webui | 6.5 |
| MEDIUM | CVE-2024-55459 | Keras: path traversal enables arbitrary file write | keras | 6.5 |
| MEDIUM | CVE-2025-1944 | picklescan: ZIP spoof lets malicious PyTorch models bypass scan | picklescan | 6.5 |
| MEDIUM | CVE-2026-1839 | HuggingFace Transformers: RCE via malicious checkpoint load | transformers | 6.5 |
| MEDIUM | CVE-2026-1778 | sagemaker: security flaw enables exploitation | sagemaker | 5.9 |
| MEDIUM | CVE-2020-26266 | TensorFlow: uninitialized memory read via crafted SavedModel | tensorflow | 5.3 |
| MEDIUM | CVE-2026-4538 | AI component: Input Validation flaw enables exploitation | 5.3 | |
| MEDIUM | CVE-2023-48299 | TorchServe: ZipSlip arbitrary file write via model upload | torchserve | 5.3 |
| MEDIUM | GHSA-6w4w-5w54-rjvr | picklescan: detection bypass allows RCE via ML model files | picklescan | — |
| HIGH | CVE-2025-67748 | fickling: Code Injection enables RCE | fickling | — |
| HIGH | CVE-2025-67747 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| UNKNOWN | CVE-2025-12638 | Keras: Path Traversal enables file access | — | |
| UNKNOWN | CVE-2026-2492 | TensorFlow: security flaw enables exploitation | — | |
| MEDIUM | GHSA-5cxw-w2xg-2m8h | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-97f8-7cmv-76j2 | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| HIGH | GHSA-5hwf-rc88-82xm | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-wccx-j62j-r448 | fickling: Protection Bypass circumvents security controls | fickling | — |
| MEDIUM | GHSA-mhc9-48gj-9gp3 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-mxhj-88fx-4pcv | fickling: security flaw enables exploitation | fickling | — |
| LOW | GHSA-83pf-v6qq-pwmr | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-9m3x-qqw2-h32h | picklescan: Deserialization enables RCE | picklescan | — |
| HIGH | CVE-2026-22607 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-46h3-79wf-xr6c | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | CVE-2026-22612 | fickling: Deserialization enables RCE | fickling | — |
| HIGH | CVE-2026-22609 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | CVE-2026-22608 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | CVE-2026-22606 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-955r-x9j8-7rhh | picklescan: Code Injection enables RCE | picklescan | — |
| MEDIUM | GHSA-6556-fwc2-fg2p | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-rrxm-2pvv-m66x | picklescan: Code Injection enables RCE | picklescan | — |
| MEDIUM | GHSA-cffc-mxrf-mhh4 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-3329-ghmp-jmv5 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-x843-g5mx-g377 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-vqmv-47xg-9wpr | picklescan: Deserialization enables RCE | picklescan | — |
| UNKNOWN | CVE-2025-14930 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14929 | transformers: Deserialization enables RCE | transformers | — |
| HIGH | GHSA-r8g5-cgf2-4m4m | picklescan: Deserialization enables RCE | picklescan | — |
| HIGH | GHSA-84r2-jw7c-4r5q | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| HIGH | GHSA-4675-36f9-wf6r | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| HIGH | GHSA-m273-6v24-x4m4 | picklescan: Deserialization enables RCE | picklescan | — |
| UNKNOWN | CVE-2025-14927 | transformers: Code Injection enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14926 | transformers: Code Injection enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14924 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14921 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14920 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14928 | transformers: Code Injection enables RCE | transformers | — |
| CRITICAL | GHSA-m9mp-6x32-5rhg | scio/PyTorch: torch.load weights_only bypass RCE | — | |
| MEDIUM | GHSA-3gf5-cxq9-w223 | picklescan: scanner bypass enables pickle RCE in ML models | picklescan | — |
| MEDIUM | GHSA-q77w-mwjj-7mqx | picklescan: scanner bypass enables model RCE | picklescan | — |
| MEDIUM | GHSA-49gj-c84q-6qm9 | picklescan: scanner bypass enables RCE via ML model files | picklescan | — |
| MEDIUM | GHSA-9w88-8rmg-7g2p | picklescan: scan bypass allows silent RCE via ML models | picklescan | — |
| MEDIUM | GHSA-fqq6-7vqf-w3fg | picklescan: detection bypass allows undetected RCE in ML models | picklescan | — |
| MEDIUM | GHSA-j343-8v2j-ff7w | picklescan: scanner bypass allows pickle-based RCE | picklescan | — |
| MEDIUM | GHSA-m869-42cg-3xwr | picklescan: scanner bypass enables RCE via ML models | picklescan | — |
| MEDIUM | GHSA-p9w7-82w4-7q8m | picklescan: detection bypass allows pickle RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-xp4f-hrf8-rxw7 | picklescan: scanner bypass leads to undetected RCE | picklescan | — |
| MEDIUM | GHSA-4whj-rm5r-c2v8 | picklescan: scanner bypass enables PyTorch gadget RCE | picklescan | — |
| MEDIUM | GHSA-9xph-j2h6-g47v | picklescan: scanner bypass enables RCE via model files | picklescan | — |
| MEDIUM | GHSA-8r4j-24qv-fmq9 | picklescan: RCE bypass enables ML supply chain attack | picklescan | — |
| MEDIUM | GHSA-cj3c-v495-4xqh | picklescan: security bypass enables RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-7cq8-mj8x-j263 | picklescan: detection bypass allows malicious pickle RCE | picklescan | — |
| MEDIUM | GHSA-3vg9-h568-4w9m | picklescan: RCE bypass via idlelib SetText evasion | picklescan | — |
| MEDIUM | GHSA-f54q-57x4-jg88 | picklescan: scanner bypass enables RCE in ML models | picklescan | — |
| MEDIUM | GHSA-6vqj-c2q5-j97w | picklescan: scanner bypass enables RCE via ML models | picklescan | — |
| MEDIUM | GHSA-x696-vm39-cp64 | picklescan: scan bypass allows RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-g344-hcph-8vgg | picklescan: scanner bypass enables RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-5qwp-399c-mjwf | picklescan: bypass enables undetected RCE in ML models | picklescan | — |
| MEDIUM | GHSA-vv6j-3g6g-2pvj | picklescan: PyTorch gadget bypasses scanner, enables RCE | picklescan | — |
| MEDIUM | GHSA-vr7h-p6mm-wpmh | picklescan: PyTorch gadget bypasses pickle RCE detection | picklescan | — |
| MEDIUM | GHSA-h3qp-7fh3-f8h4 | picklescan: detection bypass via PyTorch proxy RCE | picklescan | — |
| MEDIUM | GHSA-f745-w6jp-hpxx | picklescan: RCE bypass via torch.utils.collect_env | picklescan | — |
| MEDIUM | GHSA-f4x7-rfwp-v3xw | picklescan: scanner bypass enables RCE via PyTorch function | picklescan | — |
| MEDIUM | GHSA-86cj-95qr-2p4f | picklescan: detection bypass enables PyTorch model RCE | picklescan | — |
| MEDIUM | GHSA-4r9r-ch6f-vxmx | picklescan: PyTorch bypass allows undetected RCE | picklescan | — |
| HIGH | GHSA-9gvj-pp9x-gcfr | picklescan: detection bypass allows malicious pickle exec | picklescan | — |
| MEDIUM | CVE-2025-54952 | ExecuTorch: integer overflow enables RCE via model loading | executorch | — |
| MEDIUM | GHSA-r54c-2xmf-2cf3 | ms-swift: RCE via pickle deserialization in adapter models | — | |
| HIGH | CVE-2025-54413 | skops: RCE via MethodNode unsafe deserialization | skops | — |
| HIGH | CVE-2025-54412 | skops: OperatorFuncNode type confusion → RCE | skops | — |
| MEDIUM | GHSA-fj43-3qmq-673f | picklescan: numpy bypass enables RCE in ML model pipelines | picklescan | — |
| MEDIUM | GHSA-v7x6-rv5q-mhwc | picklescan: bypass allows silent RCE in ML pipelines | picklescan | — |
| MEDIUM | CVE-2025-1889 | picklescan: extension bypass enables RCE on model load | picklescan | — |
| UNKNOWN | CVE-2024-4897 | lollms-webui: RCE via malicious GGUF model loading | — | |
| UNKNOWN | CVE-2024-4254 | Gradio: secrets exfiltration via unsafe fork PR workflow | gradio | — |
| UNKNOWN | CVE-2018-7575 | TensorFlow: buffer overflow, potential RCE in 1.7.x | tensorflow | — |