AI Threat Alert
ATLAS Landscape
AML.T0107
Exploitation for Defense Evasion
Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.
97 CVEs mapped
View on MITRE ATLAS →
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | GHSA-vvpj-8cmc-gx39 | picklescan: security flaw enables exploitation | picklescan | 10.0 |
| CRITICAL | CVE-2025-1945 | picklescan: ZIP flag bypass enables RCE in PyTorch models | picklescan | 9.8 |
| CRITICAL | GHSA-7wx9-6375-f5wh | picklescan: Allowlist Bypass evades input filtering | picklescan | 9.8 |
| CRITICAL | GHSA-g38g-8gr9-h9xp | picklescan: Allowlist Bypass evades input filtering | picklescan | 9.8 |
| CRITICAL | CVE-2026-28500 | onnx: Integrity Verification bypass enables tampering | onnx | 9.1 |
| HIGH | GHSA-hgrh-qx5j-jfwx | picklescan: Protection Bypass circumvents security controls | picklescan | 8.8 |
| HIGH | GHSA-j7w6-vpvq-j3gm | diffusers: silent RCE via None.py trust_remote_code bypass | diffusers | 8.8 |
| HIGH | GHSA-gqqj-85qm-8qhf | paperclipai: connector trust bypass enables Gmail read/write | paperclipai | 8.7 |
| HIGH | CVE-2025-10157 | PickleScan: subclass bypass enables malicious model RCE | picklescan | 8.3 |
| HIGH | GHSA-8g7g-hmwm-6rv2 | n8n-mcp: path traversal + SSRF exposes n8n API keys | n8n-mcp | 8.3 |
| HIGH | CVE-2026-44553 | open-webui: stale Socket.IO role allows cross-user note R/W | open-webui | 8.1 |
| HIGH | CVE-2026-40149 | PraisonAI: auth bypass disables agent safety controls | PraisonAI | 7.9 |
| HIGH | CVE-2025-10155 | picklescan: file extension bypass allows model RCE | picklescan | 7.8 |
| HIGH | CVE-2025-23042 | Gradio: ACL bypass via path case manipulation | gradio | 7.5 |
| HIGH | CVE-2025-10156 | Picklescan: CRC bypass hides malicious pickle in ZIP | picklescan | 7.5 |
| HIGH | CVE-2026-32597 | 7.5 | ||
| HIGH | CVE-2026-40153 | praisonaiagents: env var expansion exposes production secrets | praisonaiagents | 7.4 |
| MEDIUM | CVE-2025-1944 | picklescan: ZIP spoof lets malicious PyTorch models bypass scan | picklescan | 6.5 |
| MEDIUM | CVE-2026-44708 | mistune: math plugin XSS bypasses escape=True control | mistune | 6.1 |
| MEDIUM | CVE-2026-41358 | OpenClaw: sender allowlist bypass via Slack thread context | openclaw | 5.4 |
| MEDIUM | CVE-2026-35651 | OpenClaw: ANSI injection spoof AI agent approval prompts | openclaw | 4.3 |
| HIGH | GHSA-rrxm-2pvv-m66x | picklescan: Code Injection enables RCE | picklescan | — |
| MEDIUM | GHSA-cffc-mxrf-mhh4 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-3329-ghmp-jmv5 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-x843-g5mx-g377 | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-9726-w42j-3qjr | picklescan: Path Traversal enables file access | picklescan | — |
| HIGH | GHSA-vqmv-47xg-9wpr | picklescan: Deserialization enables RCE | picklescan | — |
| MEDIUM | GHSA-6556-fwc2-fg2p | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | GHSA-84r2-jw7c-4r5q | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| HIGH | GHSA-4675-36f9-wf6r | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| HIGH | GHSA-m273-6v24-x4m4 | picklescan: Deserialization enables RCE | picklescan | — |
| CRITICAL | CVE-2025-62593 | ray: Code Injection enables RCE | ray | — |
| MEDIUM | GHSA-q77w-mwjj-7mqx | picklescan: scanner bypass enables model RCE | picklescan | — |
| MEDIUM | GHSA-9w88-8rmg-7g2p | picklescan: scan bypass allows silent RCE via ML models | picklescan | — |
| MEDIUM | GHSA-fqq6-7vqf-w3fg | picklescan: detection bypass allows undetected RCE in ML models | picklescan | — |
| MEDIUM | GHSA-3gf5-cxq9-w223 | picklescan: scanner bypass enables pickle RCE in ML models | picklescan | — |
| MEDIUM | GHSA-j343-8v2j-ff7w | picklescan: scanner bypass allows pickle-based RCE | picklescan | — |
| MEDIUM | GHSA-m869-42cg-3xwr | picklescan: scanner bypass enables RCE via ML models | picklescan | — |
| MEDIUM | GHSA-p9w7-82w4-7q8m | picklescan: detection bypass allows pickle RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-xp4f-hrf8-rxw7 | picklescan: scanner bypass leads to undetected RCE | picklescan | — |
| MEDIUM | GHSA-4whj-rm5r-c2v8 | picklescan: scanner bypass enables PyTorch gadget RCE | picklescan | — |
| MEDIUM | GHSA-9xph-j2h6-g47v | picklescan: scanner bypass enables RCE via model files | picklescan | — |
| MEDIUM | GHSA-8r4j-24qv-fmq9 | picklescan: RCE bypass enables ML supply chain attack | picklescan | — |
| MEDIUM | GHSA-cj3c-v495-4xqh | picklescan: security bypass enables RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-7cq8-mj8x-j263 | picklescan: detection bypass allows malicious pickle RCE | picklescan | — |
| MEDIUM | GHSA-6w4w-5w54-rjvr | picklescan: detection bypass allows RCE via ML model files | picklescan | — |
| MEDIUM | GHSA-3vg9-h568-4w9m | picklescan: RCE bypass via idlelib SetText evasion | picklescan | — |
| MEDIUM | GHSA-f54q-57x4-jg88 | picklescan: scanner bypass enables RCE in ML models | picklescan | — |
| MEDIUM | GHSA-x696-vm39-cp64 | picklescan: scan bypass allows RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-g344-hcph-8vgg | picklescan: scanner bypass enables RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-5qwp-399c-mjwf | picklescan: bypass enables undetected RCE in ML models | picklescan | — |
| MEDIUM | GHSA-vv6j-3g6g-2pvj | picklescan: PyTorch gadget bypasses scanner, enables RCE | picklescan | — |
| MEDIUM | GHSA-vr7h-p6mm-wpmh | picklescan: PyTorch gadget bypasses pickle RCE detection | picklescan | — |
| MEDIUM | GHSA-h3qp-7fh3-f8h4 | picklescan: detection bypass via PyTorch proxy RCE | picklescan | — |
| MEDIUM | GHSA-f4x7-rfwp-v3xw | picklescan: scanner bypass enables RCE via PyTorch function | picklescan | — |
| MEDIUM | GHSA-86cj-95qr-2p4f | picklescan: detection bypass enables PyTorch model RCE | picklescan | — |
| MEDIUM | GHSA-4r9r-ch6f-vxmx | picklescan: PyTorch bypass allows undetected RCE | picklescan | — |
| HIGH | GHSA-9gvj-pp9x-gcfr | picklescan: detection bypass allows malicious pickle exec | picklescan | — |
| HIGH | CVE-2025-54412 | skops: OperatorFuncNode type confusion → RCE | skops | — |
| MEDIUM | GHSA-v7x6-rv5q-mhwc | picklescan: bypass allows silent RCE in ML pipelines | picklescan | — |
| MEDIUM | GHSA-fj43-3qmq-673f | picklescan: numpy bypass enables RCE in ML model pipelines | picklescan | — |
| HIGH | CVE-2025-46417 | picklescan: scanner bypass enables DNS data exfiltration | picklescan | — |
| MEDIUM | CVE-2025-1716 | picklescan: scanner bypass enables supply chain RCE | picklescan | — |
| MEDIUM | CVE-2025-1889 | picklescan: extension bypass enables RCE on model load | picklescan | — |
| MEDIUM | CVE-2026-34425 | OpenClaw: script preflight bypass enables unsafe exec | openclaw | — |
| MEDIUM | GHSA-98ch-45wp-ch47 | OpenClaw: approval bypass via env key normalization gap | openclaw | — |
| MEDIUM | GHSA-wpc6-37g7-8q4w | OpenClaw: exec allowlist bypass via shell init-file options | openclaw | — |
| MEDIUM | GHSA-fwjq-xwfj-gv75 | openclaw: auth bypass exposes agent session visibility | openclaw | — |
| MEDIUM | GHSA-q2gc-xjqw-qp89 | OpenClaw: eval approval bypass enables unintended code exec | openclaw | — |
| MEDIUM | GHSA-qqvm-66q4-vf5c | Flowise: SSRF bypass enables cloud credential theft | flowise-components | — |
| LOW | GHSA-gj9q-8w99-mp8j | openclaw: TOCTOU race bypasses exec script preflight | openclaw | — |
| MEDIUM | GHSA-x3h8-jrgh-p8jx | OpenClaw: exec allowlist bypass allows hidden shell code | openclaw | — |
| MEDIUM | GHSA-q3jj-46pq-826r | openclaw: ACP child session security envelope bypass | openclaw | — |
| MEDIUM | GHSA-7jm2-g593-4qrc | openclaw: config guard bypass, persistent settings mutation | openclaw | — |
| MEDIUM | GHSA-qrp5-gfw2-gxv4 | openclaw: tool policy bypass via bundled MCP/LSP tools | openclaw | — |
| MEDIUM | GHSA-72q8-jcmc-97wx | openclaw: DM policy bypass via Feishu card-action callbacks | openclaw | — |
| HIGH | CVE-2026-40068 | Claude Code: git worktree trust bypass executes hooks | @anthropic-ai/claude-code | — |
| HIGH | CVE-2025-67748 | fickling: Code Injection enables RCE | fickling | — |
| HIGH | CVE-2025-67747 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | CVE-2026-33143 | — | ||
| MEDIUM | GHSA-5cxw-w2xg-2m8h | fickling: Allowlist Bypass evades input filtering | fickling | — |
| MEDIUM | GHSA-r48f-3986-4f9c | fickling: Allowlist Bypass evades input filtering | fickling | — |
| LOW | GHSA-83pf-v6qq-pwmr | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-97f8-7cmv-76j2 | picklescan: Allowlist Bypass evades input filtering | picklescan | — |
| HIGH | GHSA-5hwf-rc88-82xm | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-wccx-j62j-r448 | fickling: Protection Bypass circumvents security controls | fickling | — |
| MEDIUM | GHSA-mhc9-48gj-9gp3 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-mxhj-88fx-4pcv | fickling: security flaw enables exploitation | fickling | — |
| HIGH | GHSA-9m3x-qqw2-h32h | picklescan: Deserialization enables RCE | picklescan | — |
| UNKNOWN | CVE-2025-66479 | Anthropic: Protection Bypass circumvents security controls | — | |
| HIGH | GHSA-46h3-79wf-xr6c | picklescan: Code Injection enables RCE | picklescan | — |
| HIGH | CVE-2026-22612 | fickling: Deserialization enables RCE | fickling | — |
| HIGH | CVE-2026-22609 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | CVE-2026-22608 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | CVE-2026-22607 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | CVE-2026-22606 | fickling: Allowlist Bypass evades input filtering | fickling | — |
| HIGH | GHSA-955r-x9j8-7rhh | picklescan: Code Injection enables RCE | picklescan | — |