DATA · LIVING REFERENCE · T-DATA-CVE
AI/ML CVE Severity Tracker
Security vulnerabilities affecting the AI software supply chain — the libraries and serving infrastructure that modern LLM applications depend on. We query the NIST National Vulnerability Database for CVEs mentioning RAG stacks, model loaders, and inference servers — langchain, llama-index, transformers, PyTorch, TensorFlow, vLLM, Ollama, Hugging Face, Gradio, Streamlit, ComfyUI, Triton, and ONNX — over the last 90 days. Insecure model deserialization, server-side request forgery, and authentication bypasses are recurring themes: AI dependencies are now a first-class attack surface.
| CVE | CVSS | Severity | Affected | Summary | Published |
|---|---|---|---|---|---|
| CVE-2026-59706 | 9.3 | CRITICAL | ollama | mem0 contains unauthenticated config API endpoints that expose LLM API keys in plaintext and allow server-side request forgery via attacker-controlled ollama_base_url parameter. | 2026-07-07 |
| CVE-2026-58116 | 9.8 | CRITICAL | transformers | LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. | 2026-06-30 |
| CVE-2026-54316 | 9.1 | CRITICAL | huggingface | Claude Code is an agentic coding tool. | 2026-06-23 |
| CVE-2026-48746 | 9.1 | CRITICAL | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-06-22 |
| CVE-2026-5241 | 9.6 | CRITICAL | huggingface | A vulnerability in the LightGlue model loading path of huggingface/transformers version 5.2.0 allows an attacker-controlled model repository to execute arbitrary code during model initialization. | 2026-06-03 |
| CVE-2026-47117 | 9.8 | CRITICAL | transformers | OpenMed before 1.5.2 contains a remote code execution vulnerability in the PII privacy-filter model loading path. | 2026-06-02 |
| CVE-2026-24207 | 9.8 | CRITICAL | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. | 2026-05-20 |
| CVE-2026-44484 | 9.8 | CRITICAL | pytorch | PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. | 2026-05-14 |
| CVE-2026-31239 | 9.8 | CRITICAL | pytorch, huggingface | The mamba language model framework thru 2.2.6 is vulnerable to insecure deserialization (CWE-502) when loading pre-trained models from HuggingFace Hub. | 2026-05-12 |
| CVE-2026-31238 | 9.8 | CRITICAL | pytorch | The Ludwig framework thru 0.10.4 is vulnerable to insecure deserialization (CWE-502) in its model serving component. | 2026-05-12 |
| CVE-2026-31228 | 9.8 | CRITICAL | pytorch | The Adversarial Robustness Toolbox (ART) thru 1.20.1 contains a remote code execution vulnerability in its Kubeflow component. | 2026-05-12 |
| CVE-2026-31214 | 9.8 | CRITICAL | pytorch | The torch-checkpoint-shrink.py script in the ml-engineering project in commit 0099885db36a8f06556efe1faf552518852cb1e0 (2025-20-27) contains an insecure deserialization vulnerability (CWE-502). | 2026-05-12 |
| CVE-2026-7482 | 9.1 | CRITICAL | ollama | Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. | 2026-05-04 |
| CVE-2026-42249 | 9.8 | CRITICAL | ollama | Ollama for Windows contains a Remote Code Execution vulnerability in its update mechanism due to improper handling of attacker‑controlled HTTP response headers. | 2026-04-29 |
| CVE-2026-42248 | 9.8 | CRITICAL | ollama | Ollama for Windows does not perform integrity or authenticity verification of downloaded update executables. | 2026-04-29 |
| CVE-2026-55405 | 7.6 | HIGH | langchain | LangChain4j is a Java library for building LLM-powered applications on the JVM. | 2026-07-10 |
| CVE-2026-59806 | 7.4 | HIGH | gradio | Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attackers to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the file_fetch() | 2026-07-08 |
| CVE-2026-55574 | 7.5 | HIGH | vllm | vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. | 2026-07-06 |
| CVE-2026-54234 | 7.5 | HIGH | vllm | vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. | 2026-07-06 |
| CVE-2026-14535 | 8.8 | HIGH | transformers | In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsaf | 2026-07-04 |
| CVE-2025-71342 | 8.1 | HIGH | pytorch | picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.run.Executive.runcode in reduce methods. | 2026-07-04 |
| CVE-2026-49119 | 7.5 | HIGH | gradio | Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess() method that allows unauthenticated attackers to escape the configured root directory by supplying path segments containing directory tr | 2026-07-01 |
| CVE-2026-24264 | 7.5 | HIGH | triton | NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause improper handling of highly compressed data. | 2026-07-01 |
| CVE-2026-5757 | 7.5 | HIGH | ollama | Unauthenticated remote information disclosure vulnerability in Ollama's model quantization engine allows an attacker to read and exfiltrate the server's heap memory, potentially leading to sensitive data exposure, further compromise, and st | 2026-06-26 |
| CVE-2025-71340 | 8.1 | HIGH | pytorch | picklescan through 0.0.26 fails to detect malicious pickle files that invoke idlelib.pyshell.ModifiedInterpreter.runcode in __reduce__ methods. | 2026-06-25 |
| CVE-2026-54232 | 8.8 | HIGH | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-06-22 |
| CVE-2026-53923 | 7.5 | HIGH | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-06-22 |
| CVE-2026-41523 | 7.5 | HIGH | vllm, huggingface | vLLM is an inference and serving engine for large language models (LLMs). | 2026-06-22 |
| CVE-2026-56340 | 8.8 | HIGH | pytorch, vllm | vLLM versions >= 0.10.2 and < 0.13.0 are missing sparse tensor validation in multimodal embeddings processing. | 2026-06-20 |
| CVE-2026-47749 | 7.8 | HIGH | pytorch | stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. | 2026-06-16 |
| CVE-2026-5497 | 7.5 | HIGH | vllm | vLLM versions 0.8.0 and later are vulnerable to an Out-of-Memory (OOM) Denial of Service (DoS) attack due to unbounded frame count processing in the `VideoMediaIO.load_base64()` method. | 2026-06-11 |
| CVE-2026-46432 | 7.8 | HIGH | huggingface | LMDeploy is a toolkit for compressing, deploying, and serving large language models. | 2026-06-10 |
| CVE-2026-43624 | 8.2 | HIGH | gradio | F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows unauthenticated attackers to write arbitrary files by passing unsanitized user-supplied project names directly to os.path.join | 2026-06-01 |
| CVE-2026-4944 | 8.8 | HIGH | vllm, huggingface | vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in two model implementation files (`vllm/model_executor/models/nemotron_vl.py` and `vllm/model_executor/models/kimi_k25.py`) | 2026-05-28 |
| CVE-2026-45134 | 7.1 | HIGH | langchain | LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. | 2026-05-27 |
| CVE-2026-44843 | 8.2 | HIGH | langchain | LangChain is a framework for building agents and LLM-powered applications. | 2026-05-26 |
| CVE-2026-24162 | 7.8 | HIGH | transformers | NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of untrusted data. | 2026-05-26 |
| CVE-2026-4372 | 7.8 | HIGH | transformers, huggingface | A critical remote code execution vulnerability exists in all versions of the HuggingFace transformers library prior to version 5.3.0. | 2026-05-24 |
| CVE-2026-5817 | 8.2 | HIGH | transformers, vllm | The vllm-metal inference backend in Docker Model Runner on macOS unconditionally sets trust_remote_code=True when loading model tokenizers, and runs without sandboxing. | 2026-05-22 |
| CVE-2026-24214 | 8.0 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an integer overflow. | 2026-05-20 |
| CVE-2026-24213 | 8.0 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an out-of-bounds read. | 2026-05-20 |
| CVE-2026-24210 | 7.5 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an integer overflow. | 2026-05-20 |
| CVE-2026-24209 | 7.5 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. | 2026-05-20 |
| CVE-2026-24206 | 7.3 | HIGH | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. | 2026-05-20 |
| CVE-2026-8756 | 7.3 | HIGH | gradio | A vulnerability has been found in fishaudio Bert-VITS2 up to 8f7fbd8c4770965225d258db548da27dc8dd934c. | 2026-05-17 |
| CVE-2026-45401 | 8.5 | HIGH | langchain | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. | 2026-05-15 |
| CVE-2026-8597 | 7.2 | HIGH | triton | Missing integrity verification in the Triton inference handler in Amazon SageMaker Python SDK v2 before v2.257.2 and v3 before v3.8.0 might allow a remote authenticated actor to achieve code execution in inference containers via replacement | 2026-05-14 |
| CVE-2026-31221 | 7.8 | HIGH | pytorch | PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. | 2026-05-12 |
| CVE-2026-31250 | 7.3 | HIGH | pytorch | CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its average_model.py model averaging tool. | 2026-05-11 |
| CVE-2026-31249 | 7.3 | HIGH | pytorch | CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnerability (CWE-502) in its make_parquet_list.py data processing tool. | 2026-05-11 |
| CVE-2026-6859 | 8.8 | HIGH | huggingface | A flaw was found in InstructLab. | 2026-04-22 |
| CVE-2026-30617 | 8.6 | HIGH | langchain | LangChain-ChatChat 0.3.1 contains a remote code execution vulnerability in its MCP STDIO server configuration and execution handling. | 2026-04-15 |
| CVE-2026-44512 | 5.5 | MEDIUM | onnx | Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. | 2026-07-08 |
| CVE-2026-55514 | 6.5 | MEDIUM | vllm | vLLM is a library for LLM inference and serving. | 2026-07-06 |
| CVE-2026-55646 | 6.5 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models. | 2026-07-06 |
| CVE-2026-14647 | 4.3 | MEDIUM | onnx | A weakness has been identified in onnx up to 1.21.x. | 2026-07-04 |
| CVE-2026-24266 | 5.9 | MEDIUM | triton | NVIDIA Triton Inference Server for Linux contains a vulnerability where an attacker can cause a use-after-free issue. | 2026-07-01 |
| CVE-2026-54021 | 6.3 | MEDIUM | ollama | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. | 2026-06-23 |
| CVE-2026-54236 | 5.3 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-06-22 |
| CVE-2026-54235 | 6.5 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-06-22 |
| CVE-2026-54233 | 6.5 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-06-22 |
| CVE-2026-47155 | 6.5 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-06-22 |
| CVE-2026-55443 | 5.1 | MEDIUM | langchain | LangChain is a framework for building agents and LLM-powered applications. | 2026-06-22 |
| CVE-2025-71379 | 4.3 | MEDIUM | vllm | vLLM versions >= 0.6.3 and < 0.9.0 contain multiple regular expression denial of service (ReDoS) vulnerabilities. | 2026-06-20 |
| CVE-2026-12491 | 4.8 | MEDIUM | vllm | A flaw was found in vLLM, an open-source library for large language model inference. | 2026-06-17 |
| CVE-2026-47748 | 5.5 | MEDIUM | pytorch | stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. | 2026-06-16 |
| CVE-2026-43625 | 5.9 | MEDIUM | ollama | CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. | 2026-06-01 |
| CVE-2026-48545 | 6.8 | MEDIUM | gradio | Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. | 2026-05-27 |
| CVE-2026-9540 | 5.3 | MEDIUM | vllm | A vulnerability was identified in vllm-project vllm 0.19.0. | 2026-05-26 |
| CVE-2026-24215 | 5.7 | MEDIUM | triton | NVIDIA Triton Inference Server contains a vulnerability in the DALI backend, where an attacker could cause uncontrolled resource consumption. | 2026-05-20 |
| CVE-2026-24208 | 5.3 | MEDIUM | triton | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. | 2026-05-20 |
| CVE-2026-44563 | 5.4 | MEDIUM | ollama | Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. | 2026-05-15 |
| CVE-2026-44223 | 6.5 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-05-12 |
| CVE-2026-44222 | 6.5 | MEDIUM | vllm | vLLM is an inference and serving engine for large language models (LLMs). | 2026-05-12 |
| CVE-2026-7844 | 6.3 | MEDIUM | langchain | A vulnerability was detected in chatchat-space Langchain-Chatchat up to 0.3.1.3. | 2026-05-05 |
| CVE-2026-7669 | 5.6 | MEDIUM | transformers, huggingface | A vulnerability was detected in sgl-project SGLang up to 0.5.9. | 2026-05-02 |
| CVE-2026-40979 | 6.1 | MEDIUM | onnx | In Spring AI, having access to a shared environment can expose the ONNX model used by the application. | 2026-04-28 |
| CVE-2026-7141 | 5.6 | MEDIUM | vllm | A vulnerability was found in vllm up to 0.19.0. | 2026-04-27 |
| CVE-2026-41481 | 6.5 | MEDIUM | langchain | LangChain is a framework for building agents and LLM-powered applications. | 2026-04-24 |
| CVE-2026-6608 | 5.3 | MEDIUM | gradio | A vulnerability was detected in lm-sys fastchat up to 0.2.36. | 2026-04-20 |
| CVE-2026-6591 | 4.3 | MEDIUM | comfyui | A flaw has been found in ComfyUI up to 0.13.0. | 2026-04-20 |
| CVE-2026-6590 | 4.3 | MEDIUM | comfyui | A vulnerability was detected in ComfyUI up to 0.13.0. | 2026-04-20 |
| CVE-2026-6589 | 4.3 | MEDIUM | comfyui | A security vulnerability has been detected in ComfyUI up to 0.13.0. | 2026-04-20 |
| CVE-2026-14742 | 3.1 | LOW | langchain | A vulnerability was determined in langchain-ai langgraph up to 1.2.4. | 2026-07-05 |
| CVE-2026-13493 | 3.1 | LOW | comfyui | A flaw has been found in AIDC-AI ComfyUI-Copilot up to 2.0.28. | 2026-06-28 |
| CVE-2026-11329 | 3.6 | LOW | onnx | A vulnerability has been found in onnx onnx-mlir up to 0.5.0.0. | 2026-06-05 |
| CVE-2026-10804 | 3.6 | LOW | streamlit | A vulnerability has been found in Streamlit up to 1.53.0. | 2026-06-04 |
| CVE-2026-10783 | 2.5 | LOW | gradio | A security flaw has been discovered in gradio-app gradio 6.14.0. | 2026-06-04 |
| CVE-2026-7847 | 2.6 | LOW | langchain | A vulnerability was found in chatchat-space Langchain-Chatchat up to 0.3.1.3. | 2026-05-05 |
| CVE-2026-7846 | 2.6 | LOW | langchain | A vulnerability has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. | 2026-05-05 |
| CVE-2026-7845 | 2.6 | LOW | langchain | A flaw has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. | 2026-05-05 |
| CVE-2026-7020 | 3.7 | LOW | ollama | A security flaw has been discovered in Ollama up to 0.20.2. | 2026-04-26 |
| CVE-2026-41488 | 3.1 | LOW | langchain | LangChain is a framework for building agents and LLM-powered applications. | 2026-04-24 |
| CVE-2026-6593 | 3.5 | LOW | comfyui | A vulnerability was found in ComfyUI up to 0.13.0. | 2026-04-20 |
| CVE-2026-6592 | 3.5 | LOW | comfyui | A vulnerability has been found in ComfyUI up to 0.13.0. | 2026-04-20 |
| CVE-2026-53875 | — | UNKNOWN | pytorch | picklescan before 1.0.3 contains a scanning bypass vulnerability in the scan_pytorch function that allows attackers to embed malicious magic numbers via dynamic eval using the __reduce__ trick. | 2026-06-17 |
| CVE-2026-48797 | — | UNKNOWN | huggingface | Backpropagate is a Python library for fine-tuning large language models on a single GPU. | 2026-06-17 |
Related: Prompt injection · Jailbreak · AI safety · Software coverage · Policy coverage
Data is mirrored from the public NIST NVD 2.0 API and refreshed weekly. Severity and CVSS reflect the highest score recorded across CVSS v3.x metrics. This page is a reference aid, not security advice; always consult the upstream advisory.