ATLAS Landscape
AML.T0058
Publish Poisoned Models
Adversaries may publish a poisoned model to a public location such as a model registry or code repository. The poisoned model may be a novel model or a poisoned variant of an existing open-source model. This model may be introduced to a victim system via [AI Supply Chain Compromise](/techniques/AML.T0010).
106 CVEs mapped
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | GHSA-vvpj-8cmc-gx39 | picklescan: security flaw enables exploitation | picklescan | 10.0 |
| CRITICAL | CVE-2024-12029 | InvokeAI: RCE via unsafe torch.load deserialization | — | 9.8 |
| CRITICAL | CVE-2025-32434 | PyTorch: RCE bypasses weights_only=True safe-load guard | pytorch | 9.8 |
| CRITICAL | CVE-2025-49655 | keras: Deserialization enables RCE | keras | 9.8 |
| CRITICAL | GHSA-g38g-8gr9-h9xp | picklescan: Allowlist Bypass evades input filtering | picklescan | 9.8 |
| CRITICAL | CVE-2026-22807 | vllm: Code Injection enables RCE | vllm | 9.8 |
| CRITICAL | CVE-2020-13092 | scikit-learn: RCE via malicious joblib model deserialization | scikit-learn | 9.8 |
| CRITICAL | CVE-2025-1550 | Keras: safe_mode bypass enables RCE via model loading | keras | 9.8 |
| CRITICAL | CVE-2025-54949 | ExecuTorch: heap buffer overflow RCE via model loading | executorch | 9.8 |
| CRITICAL | GHSA-ggpf-24jw-3fcw | vLLM: RCE via malicious model, PyTorch < 2.6 bypass | vllm | 9.8 |
| CRITICAL | CVE-2025-1945 | picklescan: ZIP flag bypass enables RCE in PyTorch models | picklescan | 9.8 |
| CRITICAL | CVE-2024-3568 | HuggingFace Transformers: RCE via pickle deserialization | transformers | 9.6 |
| CRITICAL | CVE-2026-28500 | onnx: Integrity Verification bypass enables tampering | onnx | 9.1 |
| HIGH | CVE-2025-66448 | vllm: Code Injection enables RCE | vllm | 8.8 |
| HIGH | GHSA-hgrh-qx5j-jfwx | picklescan: Protection Bypass circumvents security controls | picklescan | 8.8 |
| HIGH | CVE-2025-67729 | lmdeploy: Deserialization enables RCE | — | 8.8 |
| HIGH | CVE-2024-37059 | MLflow: RCE via malicious PyTorch model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37058 | MLflow: RCE via malicious LangChain model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37057 | MLflow: RCE via malicious TensorFlow model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37056 | MLflow: RCE via LightGBM model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37055 | MLflow: RCE via pmdarima model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37054 | MLflow: deserialization RCE via malicious PyFunc model | mlflow | 8.8 |
| HIGH | CVE-2024-37053 | MLflow: RCE via malicious scikit-learn model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-37052 | MLflow: RCE via malicious scikit-learn model upload | mlflow | 8.8 |
| HIGH | CVE-2023-6730 | HuggingFace Transformers: RCE via unsafe deserialization | transformers | 8.8 |
| HIGH | CVE-2026-27893 | vLLM: trust_remote_code bypass enables RCE | vllm | 8.8 |
| HIGH | CVE-2026-1462 | Keras: safe_mode bypass allows RCE via model deserialization | keras | 8.8 |
| HIGH | CVE-2026-44513 | diffusers: trust_remote_code bypass enables silent RCE | diffusers | 8.8 |
| HIGH | GHSA-j7w6-vpvq-j3gm | diffusers: silent RCE via None.py trust_remote_code bypass | diffusers | 8.8 |
| HIGH | CVE-2026-6859 | InstructLab: RCE via hardcoded trust_remote_code flag | — | 8.8 |
| HIGH | CVE-2025-58756 | MONAI: unsafe deserialization in CheckpointLoader allows RCE | monai | 8.8 |
| HIGH | CVE-2026-24747 | pytorch: Code Injection enables RCE | pytorch | 8.8 |
| HIGH | CVE-2025-24357 | vLLM: unsafe deserialization RCE via model loading | vllm | 8.8 |
| HIGH | CVE-2024-11394 | Transformers: RCE via Trax model deserialization | transformers | 8.8 |
| HIGH | CVE-2024-11393 | Transformers: RCE via MaskFormer model deserialization | transformers | 8.8 |
| HIGH | CVE-2024-11392 | HuggingFace Transformers: RCE via config deserialization | transformers | 8.8 |
| HIGH | CVE-2025-54886 | skops: joblib fallback enables RCE via model load | skops | 8.4 |
| HIGH | CVE-2025-10157 | PickleScan: subclass bypass enables malicious model RCE | picklescan | 8.3 |
| HIGH | CVE-2025-46567 | LLaMA-Factory: RCE via torch.load() unsafe deserialization | llamafactory | 7.8 |
| HIGH | CVE-2025-5173 | label-studio-ml: PyTorch .pt deserialization RCE in YOLO loader | label-studio-ml | 7.8 |
| HIGH | CVE-2021-43811 | Sockeye: unsafe YAML load RCE via model config file | — | 7.8 |
| HIGH | CVE-2026-27905 | bentoml: security flaw enables exploitation | bentoml | 7.8 |
| HIGH | CVE-2021-29589 | TFLite GatherNd: divide-by-zero crashes inference runtime | tensorflow | 7.8 |
| HIGH | CVE-2025-8747 | Keras: safe mode bypass enables RCE via model load | keras | 7.8 |
| HIGH | CVE-2023-7018 | Transformers: unsafe deserialization enables RCE on load | transformers | 7.8 |
| HIGH | CVE-2025-9905 | Keras: safe_mode bypass enables RCE via .h5 model files | keras | 7.3 |
| HIGH | CVE-2025-9906 | Keras: safe_mode bypass enables RCE via model load | keras | 7.3 |
| MEDIUM | CVE-2021-41213 | TensorFlow: tf.function deadlock enables DoS via model load | tensorflow | 5.5 |
| MEDIUM | CVE-2026-4538 | AI component: Input Validation flaw enables exploitation | — | 5.3 |
| LOW | CVE-2020-26271 | TensorFlow: OOB read on saved model load leaks heap addresses | tensorflow | 3.3 |
| MEDIUM | GHSA-r54c-2xmf-2cf3 | ms-swift: RCE via pickle deserialization in adapter models | — | — |
| MEDIUM | GHSA-v7x6-rv5q-mhwc | picklescan: bypass allows silent RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-fj43-3qmq-673f | picklescan: numpy bypass enables RCE in ML model pipelines | picklescan | — |
| MEDIUM | CVE-2025-1889 | picklescan: extension bypass enables RCE on model load | picklescan | — |
| UNKNOWN | CVE-2024-4897 | lollms-webui: RCE via malicious GGUF model loading | — | — |
| UNKNOWN | CVE-2026-27489 | ONNX: symlink path traversal allows arbitrary file read | onnx | — |
| MEDIUM | GHSA-3vg9-h568-4w9m | picklescan: RCE bypass via idlelib SetText evasion | picklescan | — |
| HIGH | GHSA-97f8-7cmv-76j2 | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| HIGH | GHSA-5hwf-rc88-82xm | fickling: Allowlist Bypass evades input filtering | fickling | — |
| MEDIUM | GHSA-mhc9-48gj-9gp3 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-9m3x-qqw2-h32h | picklescan: Deserialization enables RCE | picklescan | — |
| HIGH | GHSA-46h3-79wf-xr6c | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | CVE-2026-22607 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-955r-x9j8-7rhh | picklescan: Code Injection enables RCE | picklescan | — |
| MEDIUM | GHSA-6556-fwc2-fg2p | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-rrxm-2pvv-m66x | picklescan: Code Injection enables RCE | picklescan | — |
| MEDIUM | GHSA-cffc-mxrf-mhh4 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-3329-ghmp-jmv5 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-x843-g5mx-g377 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-vqmv-47xg-9wpr | picklescan: Deserialization enables RCE | picklescan | — |
| UNKNOWN | CVE-2025-14930 | transformers: Deserialization enables RCE | transformers | — |
| HIGH | GHSA-r8g5-cgf2-4m4m | picklescan: Deserialization enables RCE | picklescan | — |
| HIGH | GHSA-m273-6v24-x4m4 | picklescan: Deserialization enables RCE | picklescan | — |
| UNKNOWN | CVE-2025-14929 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14928 | transformers: Code Injection enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14927 | transformers: Code Injection enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14926 | transformers: Code Injection enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14924 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14921 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14920 | transformers: Deserialization enables RCE | transformers | — |
| MEDIUM | GHSA-q77w-mwjj-7mqx | picklescan: scanner bypass enables model RCE | picklescan | — |
| MEDIUM | GHSA-49gj-c84q-6qm9 | picklescan: scanner bypass enables RCE via ML model files | picklescan | — |
| MEDIUM | GHSA-9w88-8rmg-7g2p | picklescan: scan bypass allows silent RCE via ML models | picklescan | — |
| MEDIUM | GHSA-fqq6-7vqf-w3fg | picklescan: detection bypass allows undetected RCE in ML models | picklescan | — |
| MEDIUM | GHSA-3gf5-cxq9-w223 | picklescan: scanner bypass enables pickle RCE in ML models | picklescan | — |
| MEDIUM | GHSA-j343-8v2j-ff7w | picklescan: scanner bypass allows pickle-based RCE | picklescan | — |
| MEDIUM | GHSA-m869-42cg-3xwr | picklescan: scanner bypass enables RCE via ML models | picklescan | — |
| MEDIUM | GHSA-p9w7-82w4-7q8m | picklescan: detection bypass allows pickle RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-xp4f-hrf8-rxw7 | picklescan: scanner bypass leads to undetected RCE | picklescan | — |
| MEDIUM | GHSA-4whj-rm5r-c2v8 | picklescan: scanner bypass enables PyTorch gadget RCE | picklescan | — |
| MEDIUM | GHSA-9xph-j2h6-g47v | picklescan: scanner bypass enables RCE via model files | picklescan | — |
| MEDIUM | GHSA-8r4j-24qv-fmq9 | picklescan: RCE bypass enables ML supply chain attack | picklescan | — |
| MEDIUM | GHSA-cj3c-v495-4xqh | picklescan: security bypass enables RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-7cq8-mj8x-j263 | picklescan: detection bypass allows malicious pickle RCE | picklescan | — |
| MEDIUM | GHSA-6w4w-5w54-rjvr | picklescan: detection bypass allows RCE via ML model files | picklescan | — |
| MEDIUM | GHSA-f54q-57x4-jg88 | picklescan: scanner bypass enables RCE in ML models | picklescan | — |
| MEDIUM | GHSA-6vqj-c2q5-j97w | picklescan: scanner bypass enables RCE via ML models | picklescan | — |
| MEDIUM | GHSA-x696-vm39-cp64 | picklescan: scan bypass allows RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-g344-hcph-8vgg | picklescan: scanner bypass enables RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-5qwp-399c-mjwf | picklescan: bypass enables undetected RCE in ML models | picklescan | — |
| MEDIUM | GHSA-vv6j-3g6g-2pvj | picklescan: PyTorch gadget bypasses scanner, enables RCE | picklescan | — |
| MEDIUM | GHSA-vr7h-p6mm-wpmh | picklescan: PyTorch gadget bypasses pickle RCE detection | picklescan | — |
| MEDIUM | GHSA-h3qp-7fh3-f8h4 | picklescan: detection bypass via PyTorch proxy RCE | picklescan | — |
| MEDIUM | GHSA-f745-w6jp-hpxx | picklescan: RCE bypass via torch.utils.collect_env | picklescan | — |
| MEDIUM | GHSA-86cj-95qr-2p4f | picklescan: detection bypass enables PyTorch model RCE | picklescan | — |
| HIGH | GHSA-9gvj-pp9x-gcfr | picklescan: detection bypass allows malicious pickle exec | picklescan | — |