AML.T0025

Exfiltration via Cyber Means

Adversaries may exfiltrate AI artifacts or other information relevant to their goals via traditional cyber means. See the ATT&CK [Exfiltration](https://attack.mitre.org/tactics/TA0010/) tactic for more information.

285 CVEs mapped View on MITRE ATLAS →

Severity	CVE	Headline	Package	CVSS
CRITICAL	CVE-2026-21858	n8n: Input Validation flaw enables exploitation	n8n	10.0
CRITICAL	CVE-2023-3765	MLflow: path traversal allows arbitrary file read	mlflow	10.0
CRITICAL	CVE-2026-27494	n8n: security flaw enables exploitation	n8n	9.9
CRITICAL	CVE-2026-25052	n8n: security flaw enables exploitation	n8n	9.9
CRITICAL	CVE-2026-27495	n8n: Code Injection enables RCE	n8n	9.9
CRITICAL	CVE-2025-54381	BentoML: unauthenticated SSRF via file upload URLs	bentoml	9.9
CRITICAL	CVE-2023-1177	MLflow: path traversal allows arbitrary file read/write	mlflow	9.8
CRITICAL	CVE-2024-41120	streamlit-geospatial: blind SSRF via unvalidated URL input	streamlit-geospatial	9.8
CRITICAL	CVE-2025-47277	vLLM: RCE via exposed TCPStore in distributed inference	vllm	9.8
CRITICAL	CVE-2025-6853	Langchain-Chatchat: path traversal in KB upload	langchain-chatchat	9.8
CRITICAL	CVE-2023-25668	TensorFlow: unauthenticated RCE via heap buffer overflow	tensorflow	9.8
CRITICAL	CVE-2025-1793	llama_index: SQL injection in vector store integrations	llama-index	9.8
CRITICAL	CVE-2024-48063	PyTorch: RCE via RemoteModule deserialization	pytorch	9.8
CRITICAL	CVE-2025-27520	BentoML: unauthenticated RCE via insecure deserialization	bentoml	9.8
CRITICAL	CVE-2026-2635	mlflow: security flaw enables exploitation	mlflow	9.8
CRITICAL	CVE-2023-2780	MLflow: path traversal allows arbitrary file read/write	mlflow	9.8
CRITICAL	CVE-2023-34540	LangChain: RCE via JiraAPIWrapper crafted input	langchain	9.8
CRITICAL	CVE-2023-34541	LangChain: RCE via unsafe load_prompt deserialization	langchain	9.8
CRITICAL	CVE-2025-11201	mlflow: Path Traversal enables file access	mlflow	9.8
CRITICAL	CVE-2024-41117	streamlit-geospatial: eval() injection allows RCE	streamlit-geospatial	9.8
CRITICAL	CVE-2024-41118	streamlit-geospatial: blind SSRF via WMS URL input	streamlit-geospatial	9.8
CRITICAL	CVE-2026-33017	langflow: Code Injection enables RCE	langflow	9.8
CRITICAL	CVE-2024-41119	streamlit-geospatial: RCE via eval() on vis_params input	streamlit-geospatial	9.8
CRITICAL	CVE-2026-35022	Claude Code: OS command injection, credential theft		9.8
CRITICAL	CVE-2024-47167	Gradio: unauthenticated SSRF in /queue/join, internal pivot	gradio	9.8
CRITICAL	CVE-2023-6019	Ray: unauthenticated RCE via dashboard command injection	ray	9.8
CRITICAL	CVE-2023-6014	MLflow: auth bypass allows arbitrary account creation	mlflow	9.8
CRITICAL	CVE-2023-48022	Ray: unauthenticated RCE via job submission API	ray	9.8
CRITICAL	CVE-2026-42208	LiteLLM: SQL injection exposes LLM API credentials	litellm	9.8
CRITICAL	CVE-2026-25960	vllm: SSRF allows internal network access	vllm	9.8
CRITICAL	CVE-2026-30821	flowise: Arbitrary File Upload enables RCE	flowise	9.8
CRITICAL	CVE-2026-22778	vllm: security flaw enables exploitation	vllm	9.8
CRITICAL	CVE-2024-2057	LangChain TFIDFRetriever: SSRF/RCE via load_local	langchain	9.8
CRITICAL	CVE-2024-49326	Affiliator WP Plugin: Unauthenticated Web Shell Upload	affiliator	9.8
CRITICAL	CVE-2025-32375	BentoML: RCE via insecure deserialization in runner	bentoml	9.8
CRITICAL	CVE-2020-15205	TensorFlow: heap overflow in StringNGrams, ASLR bypass	tensorflow	9.8
CRITICAL	CVE-2024-52803	LlamaFactory: RCE via OS command injection in training	llamafactory	9.8
CRITICAL	CVE-2024-5452	pytorch-lightning: RCE via deepdiff Delta deserialization	pytorch_lightning	9.8
CRITICAL	CVE-2024-41116	streamlit-geospatial: RCE via eval() injection	streamlit-geospatial	9.8
CRITICAL	CVE-2023-25823	Gradio: hardcoded SSH key leaks via share=True demos	gradio	9.8
CRITICAL	CVE-2025-32444	vLLM: RCE via pickle deserialization on ZeroMQ	vllm	9.8
CRITICAL	CVE-2024-3234	ChuanhuChatGPT: path traversal exposes LLM API keys	chuanhuchatgpt	9.8
CRITICAL	CVE-2025-11200	mlflow: security flaw enables exploitation	mlflow	9.8
CRITICAL	CVE-2025-63389	ollama: Missing Auth allows unauthenticated access	ollama	9.8
CRITICAL	CVE-2024-41112	streamlit-geospatial: RCE via eval() on palette input	streamlit-geospatial	9.8
CRITICAL	CVE-2024-41113	streamlit-geospatial: RCE via eval() in Timelapse page	streamlit-geospatial	9.8
CRITICAL	CVE-2025-45150	ChatGLM-Webui: arbitrary file read, no auth required	langchain-chatglm-webui	9.8
CRITICAL	CVE-2024-41114	streamlit-geospatial: RCE via eval() on palette input	streamlit-geospatial	9.8
CRITICAL	CVE-2023-43654	TorchServe: SSRF + RCE via unrestricted model URL loading	torchserve	9.8
CRITICAL	CVE-2025-25362	spacy-llm: SSTI allows unauthenticated RCE (CVSS 9.8)	spacy-llm	9.8
CRITICAL	CVE-2024-27132	MLflow: XSS in recipes enables client-side RCE	mlflow	9.6
CRITICAL	CVE-2026-44211	cline: WebSocket auth bypass enables terminal RCE		9.6
CRITICAL	CVE-2024-0964	Gradio: unauthenticated LFI exposes full server filesystem	gradio	9.4
CRITICAL	CVE-2026-40154	PraisonAI: supply chain RCE via unverified template exec	PraisonAI	9.3
CRITICAL	CVE-2023-6021	Ray: LFI allows unauthenticated file read	ray	9.3
CRITICAL	CVE-2023-6020	Ray: unauthenticated LFI exposes entire filesystem	ray	9.3
CRITICAL	CVE-2024-3573	MLflow: LFI via URI parsing allows arbitrary file read	mlflow	9.3
CRITICAL	CVE-2023-34239	Gradio: path traversal + SSRF exposes model files & infra	gradio	9.1
CRITICAL	CVE-2024-47871	Gradio: cleartext MITM exposes ML demo data via share=True	gradio	9.1
CRITICAL	CVE-2026-35216	Budibase: Unauthenticated RCE as root via webhook		9.1
CRITICAL	CVE-2026-21445	langflow: Missing Auth allows unauthenticated access	langflow	9.1
CRITICAL	CVE-2026-0545	MLflow: auth bypass in job API enables unauthenticated RCE	mlflow	9.1
CRITICAL	CVE-2026-33475	langflow: security flaw enables exploitation	langflow	9.1
CRITICAL	CVE-2024-7774	LangChain.js: path traversal, arbitrary file read/write	langchain.js	9.1
CRITICAL	CVE-2026-7482	Ollama: heap OOB read leaks API keys and chat data	ollama	9.1
CRITICAL	CVE-2026-28500	onnx: Integrity Verification bypass enables tampering	onnx	9.1
CRITICAL	CVE-2022-41902	TensorFlow Grappler: OOB read/crash via crafted model	tensorflow	9.1
CRITICAL	CVE-2024-4253	Gradio: CI/CD command injection enables secrets exfiltration	gradio	9.1
CRITICAL	CVE-2025-68665	langchain.js: Deserialization enables RCE	langchain.js	9.1
CRITICAL	CVE-2025-62608	mlx: security flaw enables exploitation	mlx	9.1
CRITICAL	CVE-2025-55526	n8n-workflows: path traversal in download_workflow endpoint	fastapi	9.1
CRITICAL	CVE-2025-29783	vLLM: RCE via unsafe deserialization in Mooncake KV	vllm	9.0
CRITICAL	CVE-2026-33749	n8n: stored XSS enables credential theft via workflow	n8n	9.0
CRITICAL	CVE-2025-33244	NVIDIA: Deserialization enables RCE		9.0
HIGH	CVE-2026-33713	n8n: SQLi in Data Table node, full DB compromise	n8n	8.8
HIGH	CVE-2021-39160	nbgitpuller: RCE via OS command injection in git URLs		8.8
HIGH	CVE-2026-27497	n8n: SQL Injection exposes database	n8n	8.8
HIGH	CVE-2023-46229	LangChain: SSRF in URL loader exposes internal network	langchain	8.8
HIGH	CVE-2026-24780	agpt: Code Injection enables RCE		8.8
HIGH	CVE-2023-6753	MLflow: path traversal exposes arbitrary file read/write	mlflow	8.8
HIGH	CVE-2024-3571	LangChain: path traversal allows arbitrary file R/W	langchain	8.8
HIGH	CVE-2024-37032	Ollama: path traversal enables RCE via model blob API	ollama	8.8
HIGH	CVE-2022-23573	TensorFlow: uninitialized memory in AssignOp	tensorflow	8.8
HIGH	CVE-2024-0520	MLflow: path traversal enables RCE via dataset loading	mlflow	8.8
HIGH	CVE-2026-40217	LiteLLM: RCE via bytecode rewriting in guardrails API	litellm	8.8
HIGH	CVE-2025-6855	Langchain-Chatchat: path traversal exposes system files	langchain-chatchat	8.8
HIGH	CVE-2024-7297	Langflow: mass assignment grants super admin access	langflow	8.8
HIGH	CVE-2021-41134	nbdime: stored XSS in Jupyter notebook diff viewer		8.7
HIGH	CVE-2026-28416	gradio: SSRF allows internal network access	gradio	8.6
HIGH	CVE-2025-25297	Label Studio: SSRF via S3 endpoint exposes internal services	label-studio	8.6
HIGH	CVE-2024-4325	Gradio: SSRF exposes internal network and cloud metadata	gradio	8.6
HIGH	CVE-2024-21513	langchain-experimental: RCE via eval() in VectorSQL chain	langchain-experimental	8.5
HIGH	CVE-2025-65958	open-webui: SSRF allows internal network access	open-webui	8.5
HIGH	CVE-2026-41271	Flowise: SSRF via prompt template injection in API Chain	flowise	8.3
HIGH	CVE-2024-47084	Gradio: CORS bypass exposes local instances to credential theft	gradio	8.3
HIGH	CVE-2026-32763			8.2
HIGH	CVE-2024-1540	Gradio: CI/CD command injection enables secrets exfil	gradio	8.2
HIGH	CVE-2025-15381	MLflow: broken access control exposes experiment traces	mlflow	8.1
HIGH	CVE-2026-25750	langsmith: security flaw enables exploitation	langsmith	8.1
HIGH	CVE-2026-2033	mlflow: Path Traversal enables file access	mlflow	8.1
HIGH	CVE-2026-44553	open-webui: stale Socket.IO role allows cross-user note R/W	open-webui	8.1
HIGH	CVE-2025-14279	mlflow: security flaw enables exploitation	mlflow	8.1
HIGH	CVE-2025-61784	LLaMA-Factory: SSRF+LFI in multimodal chat API	llamafactory	8.1
HIGH	CVE-2024-8060	OpenWebUI: path traversal RCE via audio upload API	open-webui	8.1
HIGH	CVE-2024-7043	Open WebUI: auth bypass exposes all user files	open-webui	8.1
HIGH	CVE-2024-47870	Gradio: race condition enables backend URL hijacking	gradio	8.1
HIGH	CVE-2024-43598	LightGBM: heap buffer overflow enables network RCE	lightgbm	8.1
HIGH	CVE-2023-6572	Gradio: command injection enables RCE on ML servers	gradio	8.1
HIGH	CVE-2022-21730	TensorFlow: OOB read leaks heap memory, enables DoS	tensorflow	8.1
HIGH	CVE-2025-30165	vLLM: pickle RCE in multi-node inference deployments	vllm	8.0
HIGH	CVE-2021-41221	TensorFlow: CuDNN heap overflow, local code execution	tensorflow	7.8
HIGH	CVE-2021-29518	TensorFlow: null ptr deref in session ops, local RCE	tensorflow	7.8
HIGH	CVE-2021-29520	TensorFlow: heap buffer overflow in Conv3DBackprop ops	tensorflow	7.8
HIGH	CVE-2018-8768	Jupyter Notebook: XSS via malicious .ipynb file	notebook	7.8
HIGH	CVE-2021-41208	TensorFlow: heap R/W + DoS in boosted trees APIs	tensorflow	7.8
HIGH	CVE-2026-35043	BentoML: cmd injection RCE on cloud build infra	bentoml	7.8
HIGH	CVE-2023-4033	MLflow: OS command injection enables local code execution	mlflow	7.8
HIGH	CVE-2021-37679	TensorFlow: heap over-read leaks memory via RaggedTensor	tensorflow	7.8
HIGH	CVE-2025-33233	NVIDIA: Code Injection enables RCE		7.8
HIGH	GHSA-cvrr-qhgw-2mm6	Flowise: unauthenticated RCE via FILE-STORAGE bypass	flowise-components	7.7
HIGH	CVE-2026-34936	PraisonAI: SSRF via api_base steals cloud IAM credentials	praisonai	7.7
HIGH	CVE-2021-43831	Gradio: path traversal exposes host filesystem to users	gradio	7.7
HIGH	CVE-2026-22219	chainlit: SSRF allows internal network access	chainlit	7.7
HIGH	CVE-2024-7053	open-webui: XSS enables admin session hijack via chat	open-webui	7.6
HIGH	CVE-2024-11031	GPT Academic: SSRF in Markdown plugin leaks credentials	gpt_academic	7.5
HIGH	CVE-2025-14287	mlflow: Code Injection enables RCE	mlflow	7.5
HIGH	CVE-2025-23042	Gradio: ACL bypass via path case manipulation	gradio	7.5
HIGH	CVE-2025-0330	LiteLLM: Langfuse API key leak via error handling	litellm	7.5
HIGH	CVE-2024-47868	Gradio: path traversal leaks arbitrary server files	gradio	7.5
HIGH	CVE-2025-30202	vLLM: ZeroMQ socket exposure enables DoS in multi-node	vllm	7.5
HIGH	CVE-2024-45436	Ollama: ZIP path traversal exposes host filesystem	ollama	7.5
HIGH	CVE-2025-25185	gpt_academic: symlink traversal exposes all server files	gpt_academic	7.5
HIGH	CVE-2025-6209	llama_index: path traversal allows arbitrary file read	llama-index-core	7.5
HIGH	CVE-2024-36421	Flowise: CORS wildcard enables file read and data theft	flowise	7.5
HIGH	CVE-2025-6984	EverNoteLoader: XXE exposes host files in LangChain	langchain-community	7.5
HIGH	CVE-2025-6985	langchain-text-splitters: XXE enables arbitrary file read	langchain-text-splitters	7.5
HIGH	CVE-2024-36420	Flowise: unauthenticated arbitrary file read via API	flowise	7.5
HIGH	CVE-2024-2928	MLflow: URI fragment LFI exposes arbitrary files	mlflow	7.5
HIGH	CVE-2024-4941	Gradio: LFI via JSON path key exposes server files	gradio	7.5
HIGH	CVE-2024-3848	MLflow: URL fragment bypass leaks SSH and cloud keys	mlflow	7.5
HIGH	CVE-2024-34527	SolidUI: OpenAI API key exposed via log print statement		7.5
HIGH	CVE-2024-34510	Gradio: credential leakage via Windows path encoding bug	gradio	7.5
HIGH	CVE-2024-1593	MLflow: path traversal via ';' smuggling exposes files	mlflow	7.5
HIGH	CVE-2025-68616			7.5
HIGH	CVE-2024-1594	MLflow: path traversal via URI fragment reads arbitrary files	mlflow	7.5
HIGH	CVE-2026-34070	langchain-core: path traversal exposes host secrets via prompt config	langchain-core	7.5
HIGH	CVE-2024-1558	MLflow: path traversal enables arbitrary file read	mlflow	7.5
HIGH	CVE-2024-1483	MLflow: path traversal exposes arbitrary server files	mlflow	7.5
HIGH	CVE-2024-1728	Gradio: path traversal leaks arbitrary files, potential RCE	gradio	7.5
HIGH	CVE-2026-21852	claude_code: Weak Credentials allow account compromise	claude_code	7.5
HIGH	CVE-2023-51449	Gradio: path traversal grants arbitrary file read	gradio	7.5
HIGH	CVE-2023-6909	MLflow: path traversal exposes arbitrary files (no auth)	mlflow	7.5
HIGH	CVE-2023-43472	MLflow: unauth REST API leaks sensitive ML data	mlflow	7.5
HIGH	CVE-2023-6015	MLflow: unauthenticated arbitrary file write via PUT	mlflow	7.5
HIGH	CVE-2023-46315	Infinite Image Browsing: path traversal leaks credentials		7.5
HIGH	CVE-2026-33484	langflow: Access Control bypass enables privilege escalation	langflow	7.5
HIGH	CVE-2023-36189	LangChain SQLDatabaseChain: SQL injection, DB exfil	langchain	7.5
HIGH	CVE-2026-33497	langflow: Path Traversal enables file access	langflow	7.5
HIGH	CVE-2026-1669	keras: File Control enables path manipulation	keras	7.5
HIGH	CVE-2026-4503	Langflow Desktop: IDOR leaks user images unauthenticated	langflow	7.5
HIGH	CVE-2023-30172	MLflow: path traversal exposes arbitrary server files	mlflow	7.5
HIGH	CVE-2023-27564	n8n: unauthenticated info disclosure exposes credentials	n8n	7.5
HIGH	CVE-2023-2356	MLflow: path traversal allows unauthenticated file read	mlflow	7.5
HIGH	CVE-2026-28414	gradio: security flaw enables exploitation	gradio	7.5
HIGH	CVE-2024-8859	MLflow: path traversal allows arbitrary file read via DBFS	mlflow	7.5
HIGH	CVE-2026-32887			7.4
HIGH	CVE-2025-30370	jupyterlab-git: command injection via malicious repo name		7.4
HIGH	CVE-2025-65098	typebot: XSS enables session hijacking		7.4
HIGH	CVE-2026-44566	Open WebUI: path traversal + file upload leads to RCE	open-webui	7.3
HIGH	CVE-2025-8709	langgraph-checkpoint-sqlite: SQL Injection exposes database	langgraph-checkpoint-sqlite	7.3
HIGH	CVE-2026-21893	n8n: Input Validation flaw enables exploitation	n8n	7.2
HIGH	CVE-2026-1777	sagemaker: security flaw enables exploitation	sagemaker	7.2
HIGH	CVE-2021-29553	TensorFlow: heap OOB read via malicious axis in quant op	tensorflow	7.1
HIGH	GHSA-6r77-hqx7-7vw8	FlowiseAI: SSRF via prompt injection in API Chain	flowise-components	7.1
HIGH	CVE-2021-29590	TensorFlow TFLite: OOB read via empty tensor in Min/Max ops	tensorflow	7.1
HIGH	CVE-2026-24779	vllm: SSRF allows internal network access	vllm	7.1
HIGH	CVE-2025-6242	vLLM: SSRF in media loader exposes internal network	vllm	7.1
HIGH	CVE-2021-29559	TensorFlow: heap OOB read in UnicodeEncode leaks memory	tensorflow	7.1
HIGH	CVE-2021-41223	TensorFlow: FusedBatchNorm heap OOB allows data leak/crash	tensorflow	7.1
HIGH	CVE-2024-21799	Intel Extension for Transformers: path traversal privesc		7.1
HIGH	CVE-2021-37664	TensorFlow: heap OOB read in BoostedTrees ops	tensorflow	7.1
HIGH	CVE-2026-35397	Jupyter Server: path traversal leaks sibling directories	jupyter-server	7.1
HIGH	CVE-2021-41205	TensorFlow: heap OOB read in quantize ops, DoS+leak	tensorflow	7.1
HIGH	CVE-2024-27134	MLflow: local privilege escalation via spark_udf ToCToU	mlflow	7.0
MEDIUM	CVE-2025-53621	DSpace: XXE injection enables server file disclosure		6.9
MEDIUM	CVE-2026-40934	jupyter-server: auth cookie survives password reset	jupyter-server	6.8
MEDIUM	GHSA-pgx6-7jcq-2qff			6.8
MEDIUM	CVE-2025-51481	Dagster: path traversal exposes arbitrary file read via gRPC		6.6
MEDIUM	GHSA-fv5p-p927-qmxr	langchain-text-splitters: SSRF bypass exposes cloud metadata	langchain-text-splitters	6.5
MEDIUM	CVE-2026-41481	LangChain: SSRF redirect bypass exposes internal endpoints	langchain	6.5
MEDIUM	CVE-2025-13922	AI component: SQL Injection exposes database		6.5
MEDIUM	CVE-2022-35918	Streamlit: path traversal leaks server filesystem	streamlit	6.5
MEDIUM	CVE-2026-43570	OpenClaw: symlink traversal exposes host filesystem	openclaw	6.5
MEDIUM	CVE-2025-13359	taxopress: SQL Injection exposes database		6.5
MEDIUM	CVE-2024-47164	Gradio: path traversal bypasses directory access controls	gradio	6.5
MEDIUM	CVE-2024-42474	Streamlit: path traversal leaks Windows NTLM hash	streamlit	6.5
MEDIUM	CVE-2026-24123	bentoml: Path Traversal enables file access	bentoml	6.5
MEDIUM	CVE-2018-21233	TensorFlow: integer overflow leaks process memory via BMP	tensorflow	6.5
MEDIUM	CVE-2026-39378	nbconvert: path traversal exfiltrates files via HTML export	nbconvert	6.5
MEDIUM	CVE-2022-36551	Label Studio: SSRF + file read, self-reg bypass	label-studio	6.5
MEDIUM	CVE-2024-2206	Gradio: SSRF exposes internal HuggingFace endpoints	gradio	6.5
MEDIUM	CVE-2024-48052	Gradio: SSRF in DownloadButton exposes internal resources	gradio	6.5
MEDIUM	CVE-2024-51751	Gradio: path traversal exposes arbitrary server files	gradio	6.5
MEDIUM	CVE-2026-3346	Langflow Desktop: stored XSS enables credential theft	langflow	6.4
MEDIUM	CVE-2025-1979	Ray: Redis password exposed via plaintext logging	ray	6.4
MEDIUM	CVE-2022-23563	TensorFlow: TOC/TOU race allows temp file hijacking	tensorflow	6.3
MEDIUM	CVE-2024-6577	TorchServe: unverified S3 bucket exposes benchmark data		6.3
MEDIUM	CVE-2026-5530	Ollama: SSRF in Model Pull API enables network pivot		6.3
MEDIUM	CVE-2026-7844	Langchain-Chatchat: auth bypass on file service endpoints		6.3
MEDIUM	CVE-2025-6210	llama-index Obsidian reader: hardlink path traversal leaks files	llama-index-readers-obsidian	6.2
MEDIUM	CVE-2024-36423	Flowise: reflected XSS in chatflow API enables session hijack	flowise	6.1
MEDIUM	GHSA-qq9g-96v4-m3cj			6.1
MEDIUM	CVE-2025-25296	Label Studio: reflected XSS via label_config param	label-studio	6.1
MEDIUM	CVE-2023-6568	MLflow: reflected XSS via Content-Type header injection	mlflow	6.1
MEDIUM	CVE-2024-37146	Flowise: reflected XSS enables credential theft	flowise	6.1
MEDIUM	CVE-2024-37145	Flowise: reflected XSS enables file read chain via chatflow	flowise	6.1
MEDIUM	CVE-2026-44708	mistune: math plugin XSS bypasses escape=True control	mistune	6.1
MEDIUM	CVE-2026-27167	gradio: Weak Credentials allow account compromise	gradio	5.9
MEDIUM	CVE-2026-7020	Ollama: path traversal in tensor model transfer handler	ollama	5.6
MEDIUM	CVE-2021-37672	TensorFlow: heap OOB read in SdcaOptimizerV2	tensorflow	5.5
MEDIUM	CVE-2021-37687	TFLite: heap OOB read via negative indices in GatherNd	tensorflow	5.5
MEDIUM	CVE-2021-37670	TensorFlow: heap OOB read in sorting ops	tensorflow	5.5
MEDIUM	CVE-2024-31584	PyTorch: OOB read in mobile model loader leaks memory	pytorch	5.5
MEDIUM	CVE-2026-34447	ONNX: symlink traversal reads host files via model loading	onnx	5.5
MEDIUM	CVE-2021-41227	TensorFlow: OOB read in ImmutableConst leaks memory	tensorflow	5.5
MEDIUM	CVE-2026-40159	PraisonAI: MCP env inheritance exposes API keys	PraisonAI	5.5
MEDIUM	CVE-2026-40610	BentoML: symlink traversal exfiltrates host secrets at build	bentoml	5.5
MEDIUM	CVE-2024-47872	Gradio: stored XSS via malicious file upload	gradio	5.4
MEDIUM	CVE-2024-47165	Gradio: CORS null origin bypass leaks auth tokens	gradio	5.4
MEDIUM	CVE-2025-45809	LiteLLM: SQL injection in key management API	litellm	5.4
MEDIUM	CVE-2025-52478	n8n: Stored XSS enables full account takeover	n8n	5.4
MEDIUM	CVE-2026-27578	n8n: XSS enables session hijacking	n8n	5.4
MEDIUM	CVE-2024-12217	Gradio: NTFS ADS bypass exposes blocked file paths	gradio	5.3
MEDIUM	CVE-2018-21030	Jupyter Notebook: XSS via missing CSP on served files	notebook	5.3
MEDIUM	CVE-2026-40086	rembg: path traversal exposes arbitrary files via HTTP API	rembg	5.3
MEDIUM	CVE-2024-47166	Gradio: path traversal leaks custom component source	gradio	5.3
MEDIUM	CVE-2025-2999	PyTorch: memory corruption in RNN sequence unpacking	pytorch	5.3
MEDIUM	CVE-2026-2589	Greenshift: Info Disclosure leaks sensitive data		5.3
MEDIUM	CVE-2026-41495	n8n-mcp: bearer tokens exposed in HTTP transport logs	n8n-mcp	5.3
MEDIUM	CVE-2025-11972	AI component: SQL Injection exposes database		4.9
MEDIUM	CVE-2023-41626	Gradio: arbitrary file upload via /upload endpoint	gradio	4.8
MEDIUM	CVE-2024-5206	scikit-learn: TfidfVectorizer leaks training data tokens	scikit-learn	4.7
MEDIUM	GHSA-xgx4-2wgv-4jhm			4.4
MEDIUM	CVE-2024-6985	lollms: path traversal allows arbitrary directory read	lollms	4.4
MEDIUM	CVE-2025-6854	Langchain-Chatchat: path traversal in file API exposes host FS	langchain-chatchat	4.3
LOW	CVE-2026-6600	Langflow: stored XSS in chat message editor	langflow	3.5
LOW	CVE-2025-3777	Transformers: URL validation bypass exposes image pipeline	transformers	3.5
LOW	CVE-2023-1176	MLflow: path traversal exposes arbitrary local files	mlflow	3.3
LOW	CVE-2020-26271	TensorFlow: OOB read on saved model load leaks heap addresses	tensorflow	3.3
LOW	CVE-2026-7847	Langchain-Chatchat: predictable file IDs leak uploaded files	langchain-chatchat	2.6
LOW	CVE-2024-40594	ChatGPT macOS: cleartext conversation storage exposed		2.3
HIGH	CVE-2026-40171	Jupyter Notebook: stored XSS enables full account takeover	@jupyterlab/help-extension	—
UNKNOWN	CVE-2024-1561	Gradio: path traversal enables arbitrary file read	gradio	—
UNKNOWN	CVE-2024-4254	Gradio: secrets exfiltration via unsafe fork PR workflow	gradio	—
CRITICAL	GHSA-5mg7-485q-xm76	litellm: supply chain attack harvests AI API credentials	litellm	—
HIGH	CVE-2025-25295	Label Studio SDK: path traversal leaks server filesystem	label-studio-sdk	—
UNKNOWN	CVE-2024-10707	ChuanhuChatGPT: path traversal exposes server files unauthed	chuanhuchatgpt	—
UNKNOWN	CVE-2024-12065	LLaVA: path traversal allows arbitrary file read		—
HIGH	CVE-2025-46417	picklescan: scanner bypass enables DNS data exfiltration	picklescan	—
CRITICAL	GHSA-955r-262c-33jc	telnyx: PyPI supply chain attack steals cloud creds		—
CRITICAL	CVE-2025-32428	jupyter-remote-desktop-proxy: VNC network exposure	jupyter-remote-desktop-proxy	—
UNKNOWN	CVE-2026-27489	ONNX: symlink path traversal allows arbitrary file read	onnx	—
UNKNOWN	CVE-2025-34072	Slack MCP: zero-click exfiltration via link unfurling		—
MEDIUM	CVE-2026-33866	MLflow: auth bypass exposes model artifacts across experiments	mlflow	—
MEDIUM	CVE-2026-33865	MLflow: stored XSS via MLmodel YAML artifact upload	mlflow	—
HIGH	GHSA-2r2p-4cgf-hv7h	engramx: CSRF injects persistent prompts into AI agents		—
MEDIUM	CVE-2025-12058	Keras: safe_mode bypass enables file read and SSRF	keras	—
CRITICAL	CVE-2025-62593	ray: Code Injection enables RCE	ray	—
UNKNOWN	CVE-2025-66479	Anthropic: Protection Bypass circumvents security controls		—
HIGH	GHSA-9726-w42j-3qjr	picklescan: Path Traversal enables file access	picklescan	—
MEDIUM	CVE-2025-68131			—
HIGH	GHSA-4jpm-cgx2-8h37	Flowise: unauth API exposes plaintext API keys and tokens	flowise	—
MEDIUM	CVE-2026-21883			—
HIGH	CVE-2026-22033	label-studio: XSS enables session hijacking	label-studio	—
UNKNOWN	CVE-2026-0772	langflow: Deserialization enables RCE	langflow	—
CRITICAL	CVE-2026-44484	pytorch-lightning: supply chain, credential harvesting	pytorch-lightning	—
MEDIUM	GHSA-mhc9-48gj-9gp3	fickling: Allowlist Bypass evades input filtering	fickling	—
HIGH	CVE-2026-40110	Jupyter Server: CORS bypass via regex anchor omission	jupyter-server	—
LOW	GHSA-83pf-v6qq-pwmr	fickling: Allowlist Bypass evades input filtering	fickling	—
MEDIUM	CVE-2025-61669	jupyter-server: Open redirect enables credential phishing	jupyter-server	—
HIGH	CVE-2026-2472	google-cloud-aiplatform: XSS enables session hijacking		—
HIGH	CVE-2026-23982			—
UNKNOWN	CVE-2026-2492	TensorFlow: security flaw enables exploitation		—
CRITICAL	CVE-2025-34351	ray: security flaw enables exploitation	ray	—
CRITICAL	GHSA-r75f-5x8p-qvmc	litellm: SQLi exposes all managed LLM API credentials	litellm	—