DATA · LIVING REFERENCE · T-DATA-CVE
AI/ML CVE Severity Tracker
Security vulnerabilities affecting the AI software supply chain: the libraries and serving infrastructure that modern LLM applications depend on. We query the NIST National Vulnerability Database for CVEs published in the last 90 days whose descriptions mention RAG stacks, model loaders, and inference servers (langchain, llama-index, transformers, PyTorch, TensorFlow, vLLM, Ollama, Hugging Face, Gradio, Streamlit, ComfyUI, Triton, and ONNX). Insecure model deserialization (CWE-502), server-side request forgery, and authentication bypasses are recurring themes: AI dependencies are now a first-class attack surface.
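As an added example of the collection logic described above (not the tracker's own code), the following Python builds the NVD 2.0 keyword query for a trailing 90-day window and triages a response the way the table does: highest base score across CVSS v3.0/v3.1 entries, CVSS v3 severity bands, tracked keywords found in the description, and the first sentence as the summary. The keyword-tagging and first-sentence rules are assumptions about how the columns are derived; the response embedded in the block is constructed to mirror the NVD 2.0 JSON shape and its identifiers are placeholders, not real CVEs.

```python
"""Triage NVD 2.0 keyword results the way the tracker table does.
Added example, not the tracker's own code. SAMPLE below is constructed to mirror
the NVD 2.0 JSON shape; its IDs are placeholders, not real CVEs."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"

# Tracked stacks. Assumption: the Affected column is a case-insensitive substring
# match of these keywords against the English description, so only the one-word
# spelling "huggingface" is caught, and "Triton inference handler" counts as triton.
KEYWORDS = ["langchain", "llama-index", "transformers", "pytorch", "tensorflow",
            "vllm", "ollama", "huggingface", "gradio", "streamlit", "comfyui",
            "triton", "onnx"]

SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "NONE": 4}


def query_params(keyword, end=None, days=90):
    """Parameters for one NVD 2.0 keywordSearch over a trailing window.
    The API rejects pubStartDate..pubEndDate spans over 120 days; 90 fits one call.
    `end` may be a datetime or an ISO date string such as "2026-06-01"."""
    if end is None:
        end = datetime.now(timezone.utc)
    elif isinstance(end, str):
        end = datetime.fromisoformat(end).replace(tzinfo=timezone.utc)
    start = end - timedelta(days=days)
    fmt = "%Y-%m-%dT%H:%M:%S.000"
    return {"keywordSearch": keyword,
            "pubStartDate": start.strftime(fmt),
            "pubEndDate": end.strftime(fmt),
            "resultsPerPage": 2000}


def query_url(keyword, end=None, days=90):
    return f"{NVD_API}?{urlencode(query_params(keyword, end, days))}"


def severity_band(score):
    """CVSS v3 qualitative bands; these are the labels the table uses."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score > 0.0:
        return "LOW"
    return "NONE"


def highest_v3(metrics):
    """Highest base score across every CVSS v3.1 and v3.0 entry NVD recorded,
    whichever source supplied it. None for v2-only or unscored records."""
    scores = [m["cvssData"]["baseScore"]
              for key in ("cvssMetricV31", "cvssMetricV30")
              for m in metrics.get(key, [])]
    return max(scores, default=None)


def tag_affected(description):
    text = description.lower()
    return [k for k in KEYWORDS if k in text]


def first_sentence(description):
    """Cut at the first '. ' boundary; version strings such as 2.2.6 survive
    because their dots are not followed by a space."""
    head, sep, _ = description.partition(". ")
    return head + "." if sep else description


def triage(payload):
    """Rows in table order: severity band first, newest published within a band."""
    rows = []
    for item in payload["vulnerabilities"]:
        cve = item["cve"]
        desc = next((d["value"] for d in cve["descriptions"] if d["lang"] == "en"), "")
        score = highest_v3(cve.get("metrics", {}))
        if score is None:
            continue  # only v3.x-scored records are ranked
        rows.append({"id": cve["id"], "cvss": score, "severity": severity_band(score),
                     "affected": tag_affected(desc), "summary": first_sentence(desc),
                     "published": cve["published"][:10]})
    rows.sort(key=lambda r: r["published"], reverse=True)
    rows.sort(key=lambda r: SEVERITY_ORDER[r["severity"]])  # stable: keeps date order
    return rows


# Constructed response in the NVD 2.0 shape. Placeholder IDs, not real CVEs.
SAMPLE = {
    "resultsPerPage": 3, "startIndex": 0, "totalResults": 3,
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001", "published": "2026-05-12T14:15:00.000",
            "descriptions": [{"lang": "en", "value":
                "Example loader thru 1.0 is vulnerable to insecure deserialization "
                "(CWE-502) when loading PyTorch checkpoints from HuggingFace Hub. "
                "A crafted checkpoint runs code at load time."}],
            "metrics": {"cvssMetricV31": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"version": "3.1", "baseScore": 7.8, "baseSeverity": "HIGH"}},
                {"source": "cna@example.invalid", "type": "Secondary",
                 "cvssData": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
        {"cve": {
            "id": "CVE-0000-0002", "published": "2026-05-20T09:00:00.000",
            "descriptions": [{"lang": "en", "value":
                "Example inference server allows path traversal via the Triton "
                "model repository API."}],
            "metrics": {"cvssMetricV30": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"version": "3.0", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}},
        {"cve": {
            "id": "CVE-0000-0003", "published": "2026-05-25T09:00:00.000",
            "descriptions": [{"lang": "en", "value":
                "Example vLLM plugin record carrying only a CVSS v2 score."}],
            "metrics": {"cvssMetricV2": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"version": "2.0", "baseScore": 10.0}}]}}},
    ],
}

if __name__ == "__main__":
    print(query_url("vllm"))
    for r in triage(SAMPLE):
        print(r["id"], r["cvss"], r["severity"], r["affected"], r["summary"])
```

Two points worth noticing in the output: the first record is ranked 9.8 even though the NVD-assigned entry says 7.8, because the tracker takes the highest v3.x score recorded, and the v2-only record is dropped rather than ranked at 10.0.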
| CVE | CVSS | Severity | Affected (keyword match) | Summary (first sentence of NVD description) | Published |
|---|---|---|---|---|---|
| CVE-2026-24207 | 9.8 | CRITICAL | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. | 2026-05-20 |
| CVE-2026-44484 | 9.8 | CRITICAL | pytorch | PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. | 2026-05-14 |
| CVE-2026-31239 | 9.8 | CRITICAL | pytorch, huggingface | The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. | 2026-05-12 |
| CVE-2026-31238 | 9.8 | CRITICAL | pytorch | The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. | 2026-05-12 |
| CVE-2026-31228 | 9.8 | CRITICAL | pytorch | The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a remote code execution vulnerability in its Kubeflow component. | 2026-05-12 |
| CVE-2026-31214 | 9.8 | CRITICAL | pytorch | The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). | 2026-05-12 |
| CVE-2026-7482 | 9.1 | CRITICAL | ollama | Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. | 2026-05-04 |
| CVE-2026-42249 | 9.8 | CRITICAL | ollama | Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. | 2026-04-29 |
| CVE-2026-42248 | 9.8 | CRITICAL | ollama | Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. | 2026-04-29 |
| CVE-2025-33244 | 9.0 | CRITICAL | pytorch | NVIDIA APEX for Linux contains a vulnerability where an unauthorized attacker could cause a deserialization of untrusted data. | 2026-03-24 |
| CVE-2026-4944 | 8.8 | HIGH | vllm, huggingface | vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in two model implementation files (`vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`) | 2026-05-28 |
| CVE-2026-45134 | 7.1 | HIGH | langchain | LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. | 2026-05-27 |
| CVE-2026-44843 | 8.2 | HIGH | langchain | LangChain is a framework for building agents and LLM-powered applications. | 2026-05-26 |
| CVE-2026-24162 | 7.8 | HIGH | transformers | NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of untrusted data. | 2026-05-26 |
| CVE-2026-4372 | 7.8 | HIGH | transformers, huggingface | A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. | 2026-05-24 |
| CVE-2026-5817 | 8.2 | HIGH | transformers, vllm | The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. | 2026-05-22 |
| CVE-2026-24214 | 8.0 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an integer overflow. | 2026-05-20 |
| CVE-2026-24213 | 8.0 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an out-of-bounds read. | 2026-05-20 |
| CVE-2026-24210 | 7.5 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an integer overflow. | 2026-05-20 |
| CVE-2026-24209 | 7.5 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. | 2026-05-20 |
| CVE-2026-24206 | 7.3 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. | 2026-05-20 |
| CVE-2026-8756 | 7.3 | HIGH | gradio | A vulnerability has been found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c. | 2026-05-17 |
| CVE-2026-45401 | 8.5 | HIGH | langchain | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. | 2026-05-15 |
| CVE-2026-8597 | 7.2 | HIGH | triton | Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement | 2026-05-14 |
| CVE-2026-31221 | 7.8 | HIGH | pytorch | PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. | 2026-05-12 |
| CVE-2026-31250 | 7.3 | HIGH | pytorch | CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. | 2026-05-11 |
| CVE-2026-31249 | 7.3 | HIGH | pytorch | CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. | 2026-05-11 |
| CVE-2026-6859 | 8.8 | HIGH | huggingface | A flaw was found in InstructLab. | 2026-04-22 |
| CVE-2026-30617 | 8.6 | HIGH | langchain | LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. | 2026-04-15 |
| CVE-2026-1462 | 8.8 | HIGH | tensorflow | A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. | 2026-04-13 |
| CVE-2026-24175 | 7.5 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request header to the server. | 2026-04-07 |
| CVE-2026-24174 | 7.5 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request to the server. | 2026-04-07 |
| CVE-2026-24173 | 7.5 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a server crash by sending a malformed request to the server. | 2026-04-07 |
| CVE-2026-24146 | 7.5 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability where insufficient input validation and a large number of outputs could cause a server crash. | 2026-04-07 |
| CVE-2026-35485 | 7.5 | HIGH | gradio | text-generation-webui is an open-source web interface for running Large Language Models. | 2026-04-07 |
| CVE-2026-1839 | 7.8 | HIGH | transformers, pytorch, huggingface | A vulnerability in the HuggingFace Transformers library, specifically in the `Trainer` class, allows for arbitrary code execution. | 2026-04-07 |
| CVE-2026-34940 | 8.7 | HIGH | ollama | KubeAI is an AI inference operator for kubernetes. | 2026-04-06 |
| CVE-2026-34445 | 8.6 | HIGH | onnx | Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. | 2026-04-01 |
| CVE-2026-34070 | 7.5 | HIGH | langchain | LangChain is a framework for building agents and LLM-powered applications. | 2026-03-31 |
| CVE-2026-29872 | 8.2 | HIGH | streamlit | A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). | 2026-03-30 |
| CVE-2026-27893 | 8.8 | HIGH | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-03-27 |
| CVE-2026-24158 | 7.5 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability in the HTTP endpoint where an attacker may cause a denial of service by providing a large compressed payload. | 2026-03-24 |
| CVE-2026-24141 | 7.8 | HIGH | onnx | NVIDIA Model Optimizer for Windows and Linux contains a vulnerability in the ONNX quantization feature, where a user could cause unsafe deserialization by providing a specially crafted input file. | 2026-03-24 |
| CVE-2025-33254 | 7.5 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker may cause internal state corruption. | 2026-03-24 |
| CVE-2025-33238 | 7.5 | HIGH | triton | NVIDIA Triton Inference Server Sagemaker HTTP server contains a vulnerability where an attacker may cause an exception. | 2026-03-24 |
| CVE-2026-28500 | 8.6 | HIGH | onnx | Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. | 2026-03-18 |
| CVE-2026-25960 | 7.1 | HIGH | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-03-09 |
| CVE-2026-25750 | 8.1 | HIGH | langchain | Langchain Helm Charts are Helm charts for deploying Langchain applications on Kubernetes. | 2026-03-04 |
| CVE-2026-48545 | 6.8 | MEDIUM | gradio | Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. | 2026-05-27 |
| CVE-2026-9540 | 5.3 | MEDIUM | vllm | A vulnerability was identified in vllm-project vllm 0.19.0. | 2026-05-26 |
| CVE-2026-24215 | 5.7 | MEDIUM | triton | NVIDIA Triton Inference Server contains a vulnerability in the DALI backend, where an attacker could cause uncontrolled resource consumption. | 2026-05-20 |
| CVE-2026-24208 | 5.3 | MEDIUM | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. | 2026-05-20 |
| CVE-2026-44563 | 5.4 | MEDIUM | ollama | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. | 2026-05-15 |
| CVE-2026-44223 | 6.5 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-05-12 |
| CVE-2026-44222 | 6.5 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-05-12 |
| CVE-2026-7844 | 6.3 | MEDIUM | langchain | A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. | 2026-05-05 |
| CVE-2026-7669 | 5.6 | MEDIUM | transformers, huggingface | A vulnerability was detected in sgl-project SGLang up to 0.5.9. | 2026-05-02 |
| CVE-2026-40979 | 6.1 | MEDIUM | onnx | In Spring AI, having access to a shared environment can expose the ONNX model used by the application. | 2026-04-28 |
| CVE-2026-7141 | 5.6 | MEDIUM | vllm | A vulnerability was found in vllm up to 0.19.0. | 2026-04-27 |
| CVE-2026-41481 | 6.5 | MEDIUM | langchain | LangChain is a framework for building agents and LLM-powered applications. | 2026-04-24 |
| CVE-2026-6608 | 5.3 | MEDIUM | gradio | A vulnerability was detected in lm-sys fastchat up to 0.2.36. | 2026-04-20 |
| CVE-2026-6591 | 4.3 | MEDIUM | comfyui | A flaw has been found in ComfyUI up to 0.13.0. | 2026-04-20 |
| CVE-2026-6590 | 4.3 | MEDIUM | comfyui | A vulnerability was detected in ComfyUI up to 0.13.0. | 2026-04-20 |
| CVE-2026-6589 | 4.3 | MEDIUM | comfyui | A security vulnerability has been detected in ComfyUI up to 0.13.0. | 2026-04-20 |
| CVE-2026-40086 | 5.3 | MEDIUM | onnx | Rembg is a tool to remove images background. | 2026-04-10 |
| CVE-2026-40087 | 5.3 | MEDIUM | langchain | LangChain is a framework for building agents and LLM-powered applications. | 2026-04-09 |
| CVE-2026-24147 | 4.8 | MEDIUM | triton | NVIDIA Triton Inference Server contains a vulnerability in triton server where an attacker may cause an information disclosure by uploading a model configuration. | 2026-04-07 |
| CVE-2026-34756 | 6.5 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-04-06 |
| CVE-2026-34755 | 6.5 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-04-06 |
| CVE-2026-34753 | 5.4 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-04-06 |
| CVE-2026-5530 | 6.3 | MEDIUM | ollama | A flaw has been found in Ollama up to 18.1. | 2026-04-05 |
| CVE-2026-34760 | 5.9 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-04-02 |
| CVE-2026-34446 | 4.7 | MEDIUM | onnx | Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. | 2026-04-01 |
| CVE-2026-4963 | 6.3 | MEDIUM | huggingface | A weakness has been identified in huggingface smolagents 1.25.0.dev0. | 2026-03-27 |
| CVE-2026-33682 | 4.7 | MEDIUM | streamlit | Streamlit is a data oriented application development framework for python. | 2026-03-26 |
| CVE-2026-33401 | 6.5 | MEDIUM | ollama | Wallos is an open-source, self-hostable personal subscription tracker. | 2026-03-24 |
| CVE-2026-4538 | 5.3 | MEDIUM | pytorch | A vulnerability was identified in PyTorch 2.10.0. | 2026-03-22 |
| CVE-2026-7847 | 2.6 | LOW | langchain | A vulnerability was found in chatchat-space Langchain-Chatchat up to 0.3.1.3. | 2026-05-05 |
| CVE-2026-7846 | 2.6 | LOW | langchain | A vulnerability has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. | 2026-05-05 |
| CVE-2026-7845 | 2.6 | LOW | langchain | A flaw has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. | 2026-05-05 |
| CVE-2026-7020 | 3.7 | LOW | ollama | A security flaw has been discovered in Ollama up to 0.20.2. | 2026-04-26 |
| CVE-2026-41488 | 3.1 | LOW | langchain | LangChain is a framework for building agents and LLM-powered applications. | 2026-04-24 |
| CVE-2026-6593 | 3.5 | LOW | comfyui | A vulnerability was found in ComfyUI up to 0.13.0. | 2026-04-20 |
| CVE-2026-6592 | 3.5 | LOW | comfyui | A vulnerability has been found in ComfyUI up to 0.13.0. | 2026-04-20 |
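Many of the CWE-502 rows above sit in checkpoint and model loaders, and PyTorch-style checkpoints are pickle streams (a zip archive whose `data.pkl` member is a pickle, or a bare pickle in the legacy format). Because unpickling resolves and calls whatever globals the stream names, a practical pre-load check is to list those globals statically with `pickletools` and reject anything outside an allowlist, instead of discovering the payload by loading the file. This is an added example, not code from any project in the table; the allowlist is an illustrative assumption covering what a plain state_dict references, and the checkpoints it scans are constructed inside the block.

```python
"""Static allowlist check for pickle-based checkpoints before they are loaded.
Added example, not any project's code; ALLOWED is an illustrative assumption."""
import collections
import io
import pickle
import pickletools
import subprocess
import zipfile

# Globals a plain PyTorch state_dict references. Illustrative; extend per project,
# but never with anything that executes (os, subprocess, builtins, ...).
ALLOWED = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"), ("torch", "HalfStorage"),
    ("torch", "BFloat16Storage"), ("torch", "LongStorage"),
}


def referenced_globals(data):
    """Every (module, name) the stream would resolve, found without executing it.
    GLOBAL carries both names in its argument. STACK_GLOBAL takes them from the
    two most recent pushes, which the pickler may fetch back from the memo with
    BINGET, so a push-only shadow stack plus the memo table recovers them."""
    stack, memo, found = [], {}, []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
            stack.append(None)
        elif op.name == "STACK_GLOBAL":
            module, name = (stack[-2], stack[-1]) if len(stack) >= 2 else ("?", "?")
            found.append((str(module), str(name)))
            stack.append(None)
        elif op.name == "MEMOIZE":
            memo[len(memo)] = stack[-1] if stack else None
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = stack[-1] if stack else None
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            stack.append(memo.get(arg))
        elif op.stack_after:  # any other opcode that pushes; only strings matter
            stack.append(arg if isinstance(arg, str) else None)
    return found


def scan_checkpoint(data):
    """(member, module, name) for every global outside ALLOWED; empty means clean."""
    if data[:4] == b"PK\x03\x04":  # torch zip container: scan every .pkl member
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [(n, zf.read(n)) for n in zf.namelist() if n.endswith(".pkl")]
    else:  # legacy bare pickle
        members = [("<raw>", data)]
    return [(member, mod, name)
            for member, blob in members
            for mod, name in referenced_globals(blob)
            if (mod, name) not in ALLOWED]


class Payload:
    """Stand-in for a hostile checkpoint object: its reducer names a callable the
    unpickler would invoke. It is only scanned here, never loaded."""
    def __reduce__(self):
        return (subprocess.check_output, (["id"],))


def build_samples():
    """Constructed checkpoints: one benign state_dict-like object, hostile
    encodings under protocols 3 (GLOBAL) and 4 (STACK_GLOBAL), the same payload
    wrapped in a torch-style zip, and a two-global pickle exercising the memo."""
    benign = pickle.dumps(collections.OrderedDict(weight=[0.1, 0.2]), protocol=4)
    hostile_v3 = pickle.dumps(Payload(), protocol=3)
    hostile_v4 = pickle.dumps(Payload(), protocol=4)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("archive/data.pkl", hostile_v4)
        zf.writestr("archive/version", "3")
    two_globals = pickle.dumps((subprocess.check_output, subprocess.check_call), protocol=4)
    return {"benign": benign, "hostile_v3": hostile_v3, "hostile_v4": hostile_v4,
            "hostile_zip": buf.getvalue(), "two_globals": two_globals}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        hits = scan_checkpoint(blob)
        print(f"{label}: {'REJECT ' + str(hits) if hits else 'ok'}")
```

The scan is a gate, not a sandbox: a checkpoint that passes still deserves `torch.load(..., weights_only=True)` on the loading side, and formats that are not pickle at all (safetensors, GGUF) avoid this class of bug by design, though the Ollama GGUF loader rows above show that parser memory-safety bugs remain.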
Related: Prompt injection · Jailbreak · AI safety · Software coverage · Policy coverage
Data is mirrored from the public NIST NVD 2.0 API and refreshed weekly. CVSS is the highest base score recorded across the CVE's CVSS v3.0/v3.1 metric entries, and Severity is the CVSS v3 band for that score (Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0). The Affected column lists the tracked keywords that appear in the description, not a confirmed product match: a CVE in a downstream project is tagged with whichever framework its description mentions (the Open WebUI rows above carry langchain and ollama tags), and the Summary is the first sentence of the description, which is often a project blurb rather than the finding. This page is a reference aid, not security advice; always confirm affected versions and fixes in the upstream advisory.