AML.T0078

Drive-by Compromise

Adversaries may gain access to an AI system through a user visiting a website over the normal course of browsing, or an AI agent retrieving information from the web on behalf of a user. Websites can contain an [LLM Prompt Injection](/techniques/AML.T0051) which, when executed, can change the behavior of the AI model. The same approach may be used to deliver other types of malicious code that don't target AI directly (See [Drive-by Compromise in ATT&CK](https://attack.mitre.org/techniques/T1189/)).

40 CVEs mapped View on MITRE ATLAS →

Severity	CVE	Headline	Package	CVSS
CRITICAL	CVE-2026-25130	cai-framework: Command Injection enables RCE		9.7
CRITICAL	CVE-2026-44211	cline: WebSocket auth bypass enables terminal RCE		9.6
HIGH	CVE-2025-34291	langflow: security flaw enables exploitation	langflow	8.8
HIGH	CVE-2024-11392	HuggingFace Transformers: RCE via config deserialization	transformers	8.8
HIGH	CVE-2024-11393	Transformers: RCE via MaskFormer model deserialization	transformers	8.8
HIGH	CVE-2024-11394	Transformers: RCE via Trax model deserialization	transformers	8.8
HIGH	CVE-2026-28416	gradio: SSRF allows internal network access	gradio	8.6
HIGH	CVE-2024-47084	Gradio: CORS bypass exposes local instances to credential theft	gradio	8.3
HIGH	GHSA-x462-jjpc-q4q4	praisonaiagents: CORS bypass enables silent agent RCE	praisonaiagents	8.1
HIGH	CVE-2025-14279	mlflow: security flaw enables exploitation	mlflow	8.1
HIGH	CVE-2024-7806	Open-WebUI: CSRF enables RCE via pipeline code injection	open-webui	8.0
MEDIUM	CVE-2024-7035	Open WebUI: CSRF wipes RAG DB and AI memories via GET	open-webui	6.9
MEDIUM	CVE-2024-7044	Open WebUI: Stored XSS via file upload, session hijack	open-webui	6.8
MEDIUM	CVE-2024-6581	Lollms: SVG upload XSS enables session hijack and RCE	lollms	6.5
MEDIUM	CVE-2025-7021	OpenAI Operator: fullscreen spoofing captures credentials	operator	6.5
MEDIUM	CVE-2026-26320	OpenClaw: UI deception enables arbitrary command execution	openclaw	6.5
MEDIUM	CVE-2024-4940	Gradio: open redirect enables phishing against ML users	gradio	6.1
MEDIUM	CVE-2026-44897	mistune: XSS via unescaped heading id= attribute	mistune	6.1
MEDIUM	CVE-2021-28796	Qiita::Markdown: XSS in transformer components		6.1
MEDIUM	CVE-2026-27482	ray: Missing Auth allows unauthenticated access	ray	5.9
MEDIUM	CVE-2025-58177	n8n: stored XSS in LangChain chat trigger (public)	n8n	5.4
MEDIUM	GHSA-3c7f-5hgj-h279	n8n: Stored XSS in Chat Trigger via CSS injection	n8n	5.4
MEDIUM	CVE-2025-52478	n8n: Stored XSS enables full account takeover	n8n	5.4
MEDIUM	CVE-2024-47165	Gradio: CORS null origin bypass leaks auth tokens	gradio	5.4
MEDIUM	CVE-2026-25640	pydantic-ai: Path Traversal enables file access	pydantic-ai-slim	5.4
LOW	CVE-2025-5320	Gradio: CORS origin bypass in ML UI handler	gradio	3.7
LOW	CVE-2026-32722			3.6
HIGH	GHSA-2r2p-4cgf-hv7h	engramx: CSRF injects persistent prompts into AI agents		—
UNKNOWN	CVE-2025-14921	transformers: Deserialization enables RCE	transformers	—
HIGH	CVE-2025-47783	Label Studio: XSS enables unauthorized actions via CSRF	label-studio	—
UNKNOWN	CVE-2025-14924	transformers: Deserialization enables RCE	transformers	—
MEDIUM	CVE-2026-21883			—
MEDIUM	CVE-2026-23528			—
HIGH	CVE-2026-2472	google-cloud-aiplatform: XSS enables session hijacking		—
UNKNOWN	CVE-2024-1727	Gradio: CSRF enables disk exhaustion via file upload DoS	gradio	—
MEDIUM	GHSA-h8r8-wccr-v5f2	DOMPurify: mXSS bypass achieves XSS via parse-context switch		—
MEDIUM	GHSA-vr5g-mmx7-h897	OpenClaw: SSRF bypass via interaction-triggered navigation	openclaw	—
CRITICAL	CVE-2025-62593	ray: Code Injection enables RCE	ray	—
HIGH	CVE-2026-42557	JupyterLab: one-click RCE via notebook HTML cell output	notebook	—
UNKNOWN	CVE-2025-14920	transformers: Deserialization enables RCE	transformers	—