AI Threat Alert
ATLAS Landscape
AML.T0072
Reverse Shell
Adversaries may utilize a reverse shell to communicate and control the victim system. Typically, a user uses a client to connect to a remote machine which is listening for connections. With a reverse shell, the adversary is listening for incoming connections initiated from the victim system.
137 CVEs mapped
View on MITRE ATLAS →
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-34938 | praisonaiagents: sandbox bypass enables full host RCE | praisonaiagents | 10.0 |
| CRITICAL | CVE-2025-59528 | Flowise: Unauthenticated RCE via MCP config injection | flowise | 10.0 |
| CRITICAL | CVE-2026-26030 | semantic-kernel: Code Injection enables RCE | semantic-kernel | 10.0 |
| CRITICAL | CVE-2024-2912 | BentoML: RCE via insecure deserialization (CVSS 10) | 10.0 | |
| CRITICAL | CVE-2026-25049 | n8n: security flaw enables exploitation | n8n | 9.9 |
| CRITICAL | CVE-2026-0863 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-40933 | Flowise: RCE via MCP stdio command injection | flowise-components | 9.9 |
| CRITICAL | CVE-2026-21877 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-25115 | n8n: Protection Bypass circumvents security controls | n8n | 9.9 |
| CRITICAL | CVE-2026-27577 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-1470 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2024-52384 | Sage AI Plugin: unrestricted upload → web shell RCE | 9.9 | |
| CRITICAL | CVE-2026-27494 | n8n: security flaw enables exploitation | n8n | 9.9 |
| CRITICAL | CVE-2026-27495 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-33309 | langflow: Path Traversal enables file access | langflow | 9.9 |
| CRITICAL | CVE-2026-25053 | n8n: Command Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2025-61913 | Flowise: path traversal in file tools leads to RCE | flowise | 9.9 |
| CRITICAL | CVE-2025-13374 | Kalrav: Arbitrary File Upload enables RCE | 9.8 | |
| CRITICAL | CVE-2023-34540 | LangChain: RCE via JiraAPIWrapper crafted input | langchain | 9.8 |
| CRITICAL | CVE-2023-34541 | LangChain: RCE via unsafe load_prompt deserialization | langchain | 9.8 |
| CRITICAL | CVE-2023-36258 | LangChain: unauthenticated RCE via code injection | langchain | 9.8 |
| CRITICAL | CVE-2023-38860 | LangChain: RCE via unsanitized prompt parameter | langchain | 9.8 |
| CRITICAL | CVE-2023-38896 | LangChain: RCE via unsandboxed LLM code execution | langchain | 9.8 |
| CRITICAL | CVE-2026-22807 | vllm: Code Injection enables RCE | vllm | 9.8 |
| CRITICAL | CVE-2026-41265 | Flowise: RCE via prompt injection in Airtable Agent | flowise | 9.8 |
| CRITICAL | CVE-2025-11201 | mlflow: Path Traversal enables file access | mlflow | 9.8 |
| CRITICAL | CVE-2026-30821 | flowise: Arbitrary File Upload enables RCE | flowise | 9.8 |
| CRITICAL | CVE-2023-39659 | LangChain: RCE via unsanitized PythonAstREPL input | langchain | 9.8 |
| CRITICAL | CVE-2024-42835 | Langflow: Unauthenticated RCE via PythonCodeTool | langflow | 9.8 |
| CRITICAL | CVE-2024-12366 | PandasAI: prompt injection enables unauthenticated RCE | 9.8 | |
| CRITICAL | CVE-2024-52803 | LlamaFactory: RCE via OS command injection in training | llamafactory | 9.8 |
| CRITICAL | CVE-2024-41112 | streamlit-geospatial: RCE via eval() on palette input | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2024-41113 | streamlit-geospatial: RCE via eval() in Timelapse page | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2024-48061 | Langflow: RCE via unsandboxed code component execution | langflow | 9.8 |
| CRITICAL | CVE-2024-41114 | streamlit-geospatial: RCE via eval() on palette input | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2024-46946 | LangChain-Experimental: RCE via eval in math chain | langchain-experimental | 9.8 |
| CRITICAL | GHSA-vc46-vw85-3wvm | PraisonAI: RCE via malicious workflow YAML execution | PraisonAI | 9.8 |
| CRITICAL | CVE-2024-41117 | streamlit-geospatial: eval() injection allows RCE | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2024-41116 | streamlit-geospatial: RCE via eval() injection | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2024-41115 | streamlit-geospatial: eval() injection enables RCE | streamlit-geospatial | 9.8 |
| CRITICAL | CVE-2026-39890 | PraisonAI: YAML deserialization enables unauthenticated RCE | praisonai | 9.8 |
| CRITICAL | CVE-2026-27966 | langflow: Code Injection enables RCE | langflow | 9.8 |
| CRITICAL | CVE-2024-31224 | gpt_academic: deserialization RCE, no auth required | gpt_academic | 9.8 |
| CRITICAL | CVE-2026-22778 | vllm: security flaw enables exploitation | vllm | 9.8 |
| CRITICAL | CVE-2026-33017 | langflow: Code Injection enables RCE | langflow | 9.8 |
| CRITICAL | CVE-2024-9052 | vLLM: RCE via pickle deserialization in distributed API | vllm | 9.8 |
| CRITICAL | CVE-2024-9070 | BentoML: unauthenticated RCE via runner deserialization | bentoml | 9.8 |
| CRITICAL | CVE-2024-9053 | vllm: RCE via unsafe pickle deserialization in RPC server | vllm | 9.8 |
| CRITICAL | CVE-2024-5452 | pytorch-lightning: RCE via deepdiff Delta deserialization | pytorch_lightning | 9.8 |
| CRITICAL | CVE-2024-37014 | Langflow: unauthenticated RCE via custom component API | langflow | 9.8 |
| CRITICAL | CVE-2024-11041 | vllm: RCE via unsafe pickle deserialization in MessageQueue | vllm | 9.8 |
| CRITICAL | CVE-2023-39631 | LangChain: RCE via numexpr evaluate injection | langchain | 9.8 |
| CRITICAL | CVE-2023-6018 | MLflow: unauth file overwrite enables model poisoning | mlflow | 9.8 |
| CRITICAL | CVE-2023-6019 | Ray: unauthenticated RCE via dashboard command injection | ray | 9.8 |
| CRITICAL | CVE-2023-48022 | Ray: unauthenticated RCE via job submission API | ray | 9.8 |
| CRITICAL | CVE-2025-47277 | vLLM: RCE via exposed TCPStore in distributed inference | vllm | 9.8 |
| CRITICAL | CVE-2025-53002 | LLaMA-Factory: RCE via unsafe checkpoint deserialization | llamafactory | 9.8 |
| CRITICAL | CVE-2025-32444 | vLLM: RCE via pickle deserialization on ZeroMQ | vllm | 9.8 |
| CRITICAL | CVE-2024-49326 | Affiliator WP Plugin: Unauthenticated Web Shell Upload | affiliator | 9.8 |
| CRITICAL | CVE-2025-32434 | PyTorch: RCE bypasses weights_only=True safe-load guard | pytorch | 9.8 |
| CRITICAL | CVE-2025-32375 | BentoML: RCE via insecure deserialization in runner | bentoml | 9.8 |
| CRITICAL | CVE-2025-3248 | Langflow: Unauth RCE via code injection endpoint | langflow | 9.8 |
| CRITICAL | CVE-2025-27520 | BentoML: unauthenticated RCE via insecure deserialization | bentoml | 9.8 |
| CRITICAL | CVE-2025-67511 | cai-framework: Command Injection enables RCE | 9.6 | |
| CRITICAL | CVE-2024-3568 | HuggingFace Transformers: RCE via pickle deserialization | transformers | 9.6 |
| CRITICAL | CVE-2026-0596 | MLflow: command injection via model_uri in mlserver mode | 9.6 | |
| CRITICAL | CVE-2024-8019 | pytorch-lightning: file upload RCE (Windows) | pytorch-lightning | 9.1 |
| CRITICAL | CVE-2026-35216 | Budibase: Unauthenticated RCE as root via webhook | 9.1 | |
| CRITICAL | CVE-2025-29783 | vLLM: RCE via unsafe deserialization in Mooncake KV | vllm | 9.0 |
| HIGH | CVE-2026-41269 | Flowise: unrestricted file upload enables persistent RCE | flowise | 8.8 |
| HIGH | CVE-2026-27498 | n8n: Code Injection enables RCE | n8n | 8.8 |
| HIGH | CVE-2026-27497 | n8n: SQL Injection exposes database | n8n | 8.8 |
| HIGH | CVE-2026-25056 | n8n: Arbitrary File Upload enables RCE | n8n | 8.8 |
| HIGH | CVE-2026-24780 | agpt: Code Injection enables RCE | 8.8 | |
| HIGH | CVE-2025-62726 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2025-66448 | vllm: Code Injection enables RCE | vllm | 8.8 |
| HIGH | CVE-2025-68613 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2025-67729 | lmdeploy: Deserialization enables RCE | 8.8 | |
| HIGH | CVE-2025-65964 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2025-34291 | langflow: security flaw enables exploitation | langflow | 8.8 |
| HIGH | CVE-2024-6825 | LiteLLM: RCE via post_call_rules callback injection | litellm | 8.8 |
| HIGH | CVE-2024-45848 | MindsDB: RCE via eval() injection in ChromaDB INSERT | 8.8 | |
| HIGH | CVE-2024-0520 | MLflow: path traversal enables RCE via dataset loading | mlflow | 8.8 |
| HIGH | CVE-2024-37061 | MLflow: RCE via malicious MLproject file execution | mlflow | 8.8 |
| HIGH | CVE-2024-37053 | MLflow: RCE via malicious scikit-learn model deserialization | mlflow | 8.8 |
| HIGH | CVE-2024-3571 | LangChain: path traversal allows arbitrary file R/W | langchain | 8.8 |
| HIGH | CVE-2026-27893 | vLLM: trust_remote_code bypass enables RCE | vllm | 8.8 |
| HIGH | CVE-2026-33696 | n8n: Prototype pollution enables RCE via workflow nodes | n8n | 8.8 |
| HIGH | CVE-2026-34955 | PraisonAI: sandbox escape via shell=True blocklist bypass | praisonai | 8.8 |
| HIGH | CVE-2025-61687 | Flowise: unrestricted file upload enables persistent RCE | flowise | 8.8 |
| HIGH | CVE-2026-3357 | Langflow: deserialization RCE via FAISS component default | langflow | 8.8 |
| HIGH | CVE-2026-42271 | LiteLLM: RCE via MCP test endpoint command injection | litellm | 8.8 |
| HIGH | CVE-2025-64495 | Open WebUI: XSS-to-RCE via malicious prompt injection | open-webui | 8.7 |
| HIGH | CVE-2026-30617 | LangChain-ChatChat: RCE via unauthenticated MCP interface | 8.6 | |
| HIGH | CVE-2026-35020 | Claude Code CLI: OS command injection via TERMINAL env | claude-code | 8.4 |
| HIGH | GHSA-f228-chmx-v6j6 | Flowise: prompt injection RCE via AirtableAgent | flowise-components | 8.3 |
| HIGH | CVE-2024-49048 | TorchGeo: RCE via code injection in geospatial ML lib | 8.1 | |
| HIGH | CVE-2024-43598 | LightGBM: heap buffer overflow enables network RCE | lightgbm | 8.1 |
| HIGH | CVE-2024-28088 | LangChain: path traversal enables RCE and API key theft | langchain | 8.1 |
| HIGH | CVE-2026-25055 | n8n: Path Traversal enables file access | n8n | 8.1 |
| HIGH | CVE-2023-6572 | Gradio: command injection enables RCE on ML servers | gradio | 8.1 |
| HIGH | CVE-2024-8060 | OpenWebUI: path traversal RCE via audio upload API | open-webui | 8.1 |
| HIGH | CVE-2026-2033 | mlflow: Path Traversal enables file access | mlflow | 8.1 |
| HIGH | CVE-2024-7806 | Open-WebUI: CSRF enables RCE via pipeline code injection | open-webui | 8.0 |
| HIGH | CVE-2026-34937 | PraisonAI: OS command injection via run_python() shell escape | praisonaiagents | 7.8 |
| HIGH | CVE-2024-38459 | LangChain: Python REPL code execution without opt-in | langchain-experimental | 7.8 |
| HIGH | CVE-2023-4033 | MLflow: OS command injection enables local code execution | mlflow | 7.8 |
| HIGH | CVE-2022-29216 | TensorFlow CLI: eval() injection enables reverse shell | tensorflow | 7.8 |
| HIGH | CVE-2025-64496 | open-webui: Code Injection enables RCE | open-webui | 7.3 |
| HIGH | CVE-2026-44566 | Open WebUI: path traversal + file upload leads to RCE | open-webui | 7.3 |
| HIGH | CVE-2025-12973 | AI component: Arbitrary File Upload enables RCE | 7.2 | |
| HIGH | CVE-2026-21893 | n8n: Input Validation flaw enables exploitation | n8n | 7.2 |
| HIGH | GHSA-rh7v-6w34-w2rr | Flowise: MIME bypass enables persistent Node.js web shell RCE | flowise | 7.1 |
| HIGH | CVE-2025-68478 | langflow: File Control enables path manipulation | langflow | 7.1 |
| MEDIUM | CVE-2024-7033 | open-webui: path traversal allows file write and RCE | open-webui | 6.5 |
| MEDIUM | CVE-2024-7034 | open-webui: path traversal allows arbitrary file write/RCE | open-webui | 6.5 |
| MEDIUM | CVE-2024-7037 | open-webui: path traversal → arbitrary file write/RCE | open-webui | 6.5 |
| MEDIUM | CVE-2025-3108 | llama-index: RCE via unsafe pickle deserialization | llama-index-core | 5.0 |
| HIGH | CVE-2026-0770 | langflow: security flaw enables exploitation | langflow | — |
| HIGH | CVE-2026-40171 | Jupyter Notebook: stored XSS enables full account takeover | @jupyterlab/help-extension | — |
| HIGH | GHSA-mxhj-88fx-4pcv | fickling: security flaw enables exploitation | fickling | — |
| MEDIUM | GHSA-mhc9-48gj-9gp3 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| CRITICAL | CVE-2025-62593 | ray: Code Injection enables RCE | ray | — |
| CRITICAL | GHSA-2679-6mx9-h9xc | Marimo: pre-auth RCE via terminal WebSocket | marimo | — |
| UNKNOWN | CVE-2026-0769 | langflow: Code Injection enables RCE | langflow | — |
| UNKNOWN | CVE-2026-0768 | langflow: Code Injection enables RCE | langflow | — |
| UNKNOWN | CVE-2025-15063 | Ollama: Command Injection enables RCE | — | |
| UNKNOWN | CVE-2025-14930 | transformers: Deserialization enables RCE | transformers | — |
| UNKNOWN | CVE-2025-14926 | transformers: Code Injection enables RCE | transformers | — |
| MEDIUM | GHSA-w6v6-49gh-mc9w | Flowise: path traversal allows arbitrary file write via vector store | flowise-components | — |
| HIGH | CVE-2026-42557 | JupyterLab: one-click RCE via notebook HTML cell output | notebook | — |
| UNKNOWN | CVE-2026-2275 | CrewAI: RCE via Docker fallback in CodeInterpreter | — | |
| CRITICAL | CVE-2025-34351 | ray: security flaw enables exploitation | ray | — |
| CRITICAL | CVE-2026-25481 | langroid: Code Injection enables RCE | — | |
| UNKNOWN | CVE-2026-0772 | langflow: Deserialization enables RCE | langflow | — |
| UNKNOWN | CVE-2026-33873 | Langflow: server-side RCE via LLM-generated code exec | langflow | — |
| UNKNOWN | CVE-2026-0771 | langflow: Code Injection enables RCE | langflow | — |