Skip to main content

AI / ML

379 CVEs product

Monthly

CVE-2025-62616 CRITICAL POC Act Now

AutoGPT has a second SSRF vulnerability (CVSS 9.8) in a different endpoint, providing an additional path to access internal network resources.

SSRF AI / ML Autogpt Platform
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-62615 CRITICAL POC Act Now

AutoGPT has a Server-Side Request Forgery vulnerability (CVSS 9.8) allowing unauthenticated attackers to make the AI platform access internal network resources.

SSRF AI / ML Autogpt Platform
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-25481 PyPI CRITICAL POC PATCH GHSA Act Now

Langroid LLM framework prior to 0.5 has a code injection vulnerability (CVSS 9.6) allowing attackers to execute arbitrary code through the AI agent system.

Code Injection AI / ML Langroid
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-25475 npm MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.1.30 suffer from a path traversal vulnerability in the isValidMedia() function that permits authenticated agents to read arbitrary files on the system by crafting malicious MEDIA output directives. An attacker with agent access can leverage this flaw to exfiltrate sensitive data accessible to the application process. Public exploit code exists for this vulnerability, and no patch is currently available.

Path Traversal AI / ML Openclaw
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-25157 npm HIGH PATCH This Week

OpenClaw AI assistant versions prior to 2026.1.29 contain two command injection vulnerabilities: unescaped user input in SSH project paths allows remote code execution on SSH hosts, and insufficient validation of SSH target parameters enables local command execution through malicious flag injection. An attacker can exploit these flaws to achieve arbitrary code execution either remotely via SSH or locally on the system running OpenClaw.

SSH Command Injection AI / ML Openclaw
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-25056 npm HIGH PATCH This Week

N8N versions up to 1.118.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

RCE AI / ML N8n
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-25055 npm HIGH PATCH This Week

n8n is an open source workflow automation platform. [CVSS 8.1 HIGH]

SSH RCE AI / ML N8n
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-25054 npm MEDIUM PATCH This Month

Stored cross-site scripting in n8n's markdown rendering component allows authenticated users to inject malicious scripts into workflows and sticky notes that execute with session privileges when viewed by other users. An attacker with workflow modification permissions can exploit this to hijack sessions and compromise accounts of users who interact with affected workflows. Versions 1.123.9 and 2.2.1 contain fixes for this vulnerability.

XSS AI / ML N8n
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25053 npm CRITICAL PATCH Act Now

n8n has a command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands through workflow definitions.

RCE Command Injection Information Disclosure Node.js AI / ML +1
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-25052 npm CRITICAL PATCH Act Now

n8n has a TOCTOU race condition vulnerability (CVSS 9.9) enabling bypass of execution restrictions in workflow processing.

Information Disclosure AI / ML N8n
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-25051 npm MEDIUM PATCH This Month

Improper Content Security Policy enforcement in n8n workflow automation allows authenticated users to inject persistent XSS payloads into webhook responses that execute with same-origin privileges when other users access the affected workflows. An attacker with workflow creation/modification permissions could exploit this to hijack sessions and compromise user accounts. The vulnerability affects n8n versions prior to 1.123.2.

XSS AI / ML N8n
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25049 npm CRITICAL POC PATCH Act Now

n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.

RCE Command Injection Code Injection Node.js AI / ML +1
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-24887 npm HIGH POC PATCH This Week

Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command parsing defect that bypasses the execution confirmation prompt via malicious find command syntax. An attacker with the ability to inject untrusted content into a Claude Code context can trigger unintended command execution with high impact to confidentiality, integrity, and availability. No patch is currently available for affected deployments.

Command Injection AI / ML Claude Code
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24053 npm MEDIUM PATCH This Month

Claude Code versions prior to 2.0.74 allow authenticated users to write files outside designated directories by exploiting inadequate Bash command validation in ZSH clobber syntax parsing. An attacker with the ability to inject malicious content into a Claude Code context window on a ZSH-based system can bypass file restrictions and achieve unauthorized file writes without triggering user permission prompts. This vulnerability requires user interaction and ZSH environment configuration, making it suitable for supply chain or prompt injection attacks against Claude Code users.

Path Traversal AI / ML Claude Code
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24052 npm HIGH PATCH This Week

Claude Code versions prior to 1.0.111 fail to properly validate trusted domains for WebFetch requests, allowing attackers to register lookalike domains (e.g., modelcontextprotocol.io.example.com) that bypass validation checks. This enables unauthorized automated requests to attacker-controlled servers without user interaction, potentially resulting in sensitive data exfiltration from the user's environment. The vulnerability affects Claude Code's agentic coding functionality and requires upgrading to version 1.0.111 or later to remediate.

Python AI / ML Claude Code
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-24149 HIGH This Week

Local code injection in NVIDIA Megatron-LM allows authenticated users to achieve arbitrary code execution and privilege escalation through malicious input to vulnerable scripts. An attacker with local access can craft specially designed data to trigger unsafe code evaluation, enabling complete system compromise including data theft and modification. No patch is currently available for this vulnerability affecting all supported platforms.

Privilege Escalation Code Injection Information Disclosure AI / ML
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-67849 PHP HIGH PATCH This Week

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. [CVSS 7.3 HIGH]

Moodle XSS AI / ML
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-24763 npm HIGH PATCH This Week

Command injection in OpenClaw's Docker sandbox execution allows authenticated users to manipulate the PATH environment variable and execute arbitrary commands within containers prior to version 2026.1.29. An attacker with valid credentials and ability to control environment variables could achieve code execution within the containerized AI assistant. A patch is available in version 2026.1.29 and later.

Docker Command Injection AI / ML Openclaw
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1778 PyPI MEDIUM PATCH This Month

Amazon SageMaker Python SDK versions prior to v2.256.0 or v3.1.1 disable TLS certificate verification when importing Triton Python models, enabling attackers to perform man-in-the-middle attacks by presenting invalid or self-signed certificates. This vulnerability affects organizations using the affected SDK versions for model imports over HTTPS connections. No patch is currently available for this vulnerability.

Python TLS AI / ML
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-1777 PyPI HIGH PATCH This Week

Amazon SageMaker Python SDK versions before 3.2.0 and 2.256.0 expose the ModelBuilder HMAC signing key in cleartext API responses, allowing authenticated users with S3 bucket write access to inject malicious artifacts into training jobs that execute with elevated privileges. An attacker with dual permissions to call the DescribeTrainingJob API and modify the training output S3 location can achieve arbitrary code execution when the compromised job runs. No patch is currently available for this vulnerability.

Python AI / ML
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-69207 PyPI MEDIUM POC PATCH This Month

Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index. This attack requir...

Authentication Bypass AI / ML Khoj
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-5386 HIGH POC This Week

In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. [CVSS 8.8 HIGH]

Information Disclosure AI / ML Lunary
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-4147 MEDIUM POC This Month

Lunary contains a vulnerability that allows attackers to delete prompts created in other organizations through ID manipulation (CVSS 6.5).

Authentication Bypass AI / ML Lunary
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-25130 PyPI CRITICAL POC Act Now

Multiple command injection vulnerabilities in CAI (Cybersecurity AI) framework up to 0.5.10 allow OS command execution through the security testing platform.

RCE AI / ML
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-24780 PyPI HIGH POC This Week

Remote code execution in AutoGPT Platform prior to v0.6.44 allows authenticated users to execute disabled blocks and write arbitrary Python code to the server filesystem. The vulnerability stems from insufficient validation of the disabled flag in block execution endpoints, enabling attackers to achieve code execution via the BlockInstallationBlock component. Public exploit code exists, and self-hosted instances with Supabase signup enabled are particularly vulnerable to account creation and exploitation.

Python RCE AI / ML Autogpt Platform
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-71011 MEDIUM POC This Month

An input validation vulnerability in the flow.Tensor.new_empty/flow.Tensor.new_ones/flow.Tensor.new_zeros component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.2 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-71009 MEDIUM POC This Month

An input validation vulnerability in the flow.scatter/flow.scatter_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted indices. [CVSS 6.2 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-71008 MEDIUM POC This Month

Oneflow versions up to 0.9.0 contains a vulnerability that allows attackers to cause a Denial of Service (DoS) via a crafted input (CVSS 6.2).

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
6.2
EPSS
0.0%
CVE-2025-71007 HIGH POC This Week

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-71006 MEDIUM POC This Month

A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-71005 MEDIUM POC This Month

A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-71004 MEDIUM POC This Month

A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-71003 HIGH POC This Week

An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-71002 MEDIUM POC This Month

A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-13981 PHP MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. [CVSS 4.4 MEDIUM]

Drupal XSS AI / ML Artificial Intelligence
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-68660 MEDIUM This Month

Discourse is an open source discussion platform. [CVSS 5.4 MEDIUM]

Authentication Bypass AI / ML Discourse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1400 HIGH This Week

Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.

WordPress PHP RCE AI / ML
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-24770 CRITICAL POC PATCH Act Now

Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary files from the server filesystem. PoC available, patch available.

RCE AI / ML Ragflow
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2026-0746 MEDIUM This Month

The AI Engine plugin for WordPress versions up to 3.3.2 contains a server-side request forgery vulnerability in the 'get_audio' function that allows authenticated subscribers and higher-privileged users to make arbitrary web requests from the server. When the Public API setting is enabled and allow_url_fopen is active, attackers can query and modify data on internal services accessible to the web application. No patch is currently available for this vulnerability.

WordPress SSRF AI / ML
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-33234 HIGH This Week

NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Denial Of Service Privilege Escalation Code Injection Information Disclosure AI / ML
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-1470 npm CRITICAL POC PATCH Act Now

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through crafted workflow expressions.

RCE AI / ML N8n
NVD GitHub
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-24478 HIGH POC This Week

AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity.

Drupal RCE Path Traversal AI / ML Anythingllm
NVD GitHub
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-24477 HIGH POC This Week

Anythingllm versions up to 1.10.0 contains a vulnerability that allows attackers to complete compromise of the semantic search / retrieval functionality and indirec (CVSS 7.5).

Information Disclosure AI / ML Anythingllm
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24123 PyPI HIGH PATCH This Week

BentoML versions prior to 1.4.34 allow path traversal attacks through improperly validated file path fields in bentofile.yaml configurations, enabling attackers to embed arbitrary files from the victim's system into bento archives during the build process. This vulnerability can be exploited to exfiltrate sensitive data such as credentials, SSH keys, and environment variables into supply chain artifacts that may be pushed to registries or deployed in production environments. A patch is available in version 1.4.34.

Python Docker Path Traversal AI / ML Bentoml
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-13374 CRITICAL Act Now

Arbitrary file upload in Kalrav AI Agent WordPress plugin due to missing file type validation in the kalrav_upload_file AJAX action.

WordPress RCE AI / ML PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24399 CRITICAL POC PATCH Act Now

Stored XSS in ChatterMate AI chatbot framework versions 1.0.8 and below. The chatbot accepts and renders malicious HTML/JavaScript from user input. PoC and patch available.

XSS AI / ML Chattermate
NVD GitHub
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-13921 MEDIUM This Month

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]

WordPress AI / ML PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0773 CRITICAL Act Now

Upsonic has an insecure deserialization via cloudpickle (EPSS 1.3%) enabling remote code execution through crafted serialized AI agent data.

RCE Deserialization AI / ML
NVD
CVSS 3.0
9.8
EPSS
1.3%
CVE-2026-0772 HIGH This Week

Remote code execution in Langflow's disk cache service allows authenticated attackers to execute arbitrary code by exploiting improper deserialization of untrusted data. The vulnerability affects Langflow installations and requires valid authentication credentials to exploit, enabling attackers to gain code execution within the service account context. No patch is currently available.

RCE Deserialization AI / ML Langflow
NVD
CVSS 3.0
7.5
EPSS
0.9%
CVE-2026-0771 HIGH This Week

Langflow's PythonFunction component allows authenticated attackers with user interaction to inject and execute arbitrary Python code within application workflows, achieving remote code execution. The vulnerability affects Langflow deployments using Python-based AI/ML components, with exploitation feasibility depending on specific product configurations. No patch is currently available.

Python RCE Code Injection AI / ML Langflow
NVD
CVSS 3.0
7.1
EPSS
0.1%
CVE-2026-0770 PyPI CRITICAL POC THREAT Emergency

Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes in the application's global scope.

RCE AI / ML Langflow
NVD Exploit-DB VulDB
CVSS 3.0
9.8
EPSS
10.0%
CVE-2026-0769 CRITICAL Act Now

Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted custom component definitions.

Python RCE AI / ML Langflow
NVD
CVSS 3.0
9.8
EPSS
2.0%
CVE-2026-0768 CRITICAL Act Now

Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the visual AI workflow builder.

Python RCE Code Injection AI / ML Langflow
NVD
CVSS 3.0
9.8
EPSS
2.6%
CVE-2026-0766 HIGH This Week

Remote code execution in Open WebUI through the load_tool_module_by_id function allows authenticated attackers to execute arbitrary Python code due to insufficient input validation on user-supplied strings. An attacker with valid credentials can leverage this vulnerability to achieve code execution with service account privileges. No patch is currently available, making this a critical risk for deployed Open WebUI instances.

Python RCE Command Injection AI / ML Open Webui
NVD
CVSS 3.0
8.8
EPSS
0.6%
CVE-2026-0765 HIGH This Week

Remote code execution in Open WebUI's install_frontmatter_requirements function allows authenticated attackers to execute arbitrary commands on the host system by bypassing input validation in system call parameters. The vulnerability affects AI/ML deployments using Open WebUI and requires valid authentication credentials to exploit. No patch is currently available.

RCE Command Injection AI / ML Open Webui
NVD
CVSS 3.0
8.8
EPSS
0.6%
CVE-2026-0764 CRITICAL Act Now

GPT Academic has a second insecure deserialization vulnerability in the upload function (EPSS 1.5%) allowing remote code execution through crafted file uploads.

RCE Deserialization AI / ML Gpt Academic
NVD
CVSS 3.0
9.8
EPSS
1.5%
CVE-2026-0763 CRITICAL Act Now

GPT Academic has an insecure deserialization in run_in_subprocess_wrapper_func (EPSS 1.7%) enabling remote code execution through crafted subprocess data.

RCE Deserialization AI / ML Gpt Academic
NVD
CVSS 3.0
9.8
EPSS
1.7%
CVE-2026-0762 HIGH This Week

Remote code execution in GPT Academic's stream_daas function results from improper deserialization of untrusted data when communicating with external servers, allowing unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability requires interaction with a malicious DAAS server and currently has no available patch. Organizations using GPT Academic should implement network controls to restrict connections to untrusted DAAS services until patching is available.

RCE Deserialization AI / ML Gpt Academic
NVD
CVSS 3.0
8.1
EPSS
0.5%
CVE-2026-0761 CRITICAL Act Now

MetaGPT has a code injection vulnerability in actionoutput_str_to_mapping (EPSS 2.6%) allowing remote attackers to execute arbitrary code through crafted AI agent output processing.

Python RCE Code Injection AI / ML Metagpt
NVD
CVSS 3.0
9.8
EPSS
2.6%
CVE-2026-0760 CRITICAL Act Now

MetaGPT by Foundation Agents has an insecure deserialization in deserialize_message (EPSS 1.7%) enabling remote code execution through crafted serialized data in AI agent communications.

RCE Deserialization AI / ML Metagpt
NVD
CVSS 3.0
9.8
EPSS
1.7%
CVE-2026-0759 CRITICAL Act Now

Katana Network Development Starter Kit has a command injection in executeCommand enabling remote code execution through the development framework.

RCE Command Injection AI / ML
NVD
CVSS 3.0
9.8
EPSS
1.0%
CVE-2026-0758 HIGH This Week

mcp-server-siri-shortcuts fails to validate the shortcutName parameter before using it in system calls, enabling local attackers with low-privileged code execution to inject arbitrary commands and escalate to service account privileges. This command injection vulnerability (CVE-2026-0758, CVSS 7.8) affects the AI/ML tool and currently lacks a patch. An attacker exploiting this flaw can execute arbitrary code with elevated privileges on the affected system.

Privilege Escalation Command Injection AI / ML
NVD
CVSS 3.0
7.8
EPSS
0.1%
CVE-2026-0757 HIGH This Week

MCP Manager for Claude Desktop is vulnerable to command injection through improperly validated MCP config objects, enabling remote attackers to escape the sandbox and execute arbitrary code on affected systems. The vulnerability requires user interaction such as visiting a malicious page or opening a malicious file, and currently lacks an available patch. An attacker can leverage this flaw to achieve code execution with medium integrity privileges in the context of the running process.

Command Injection AI / ML
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2026-0756 CRITICAL Act Now

github-kanban-mcp-server has a command injection in execAsync (EPSS 1.0%) enabling remote code execution on developer machines using the GitHub Kanban MCP integration.

Github RCE Command Injection AI / ML
NVD
CVSS 3.0
9.8
EPSS
1.0%
CVE-2026-0755 npm CRITICAL POC PATCH GHSA Act Now

gemini-mcp-tool has a command injection in execAsync allowing remote code execution on systems using the Gemini AI MCP integration.

RCE Command Injection AI / ML
NVD GitHub VulDB
CVSS 3.0
9.8
EPSS
0.5%
CVE-2025-15063 CRITICAL Act Now

Ollama MCP Server has a command injection vulnerability in execAsync (EPSS 1.0%) allowing remote attackers to execute arbitrary commands on systems running the Ollama AI integration.

RCE Command Injection AI / ML Ollama
NVD
CVSS 3.0
9.8
EPSS
1.0%
CVE-2025-15061 npm CRITICAL PATCH Act Now

Framelink Figma MCP Server has a command injection vulnerability in fetchWithRetry (EPSS 1.4%) enabling remote code execution on developer machines using the MCP integration.

RCE Command Injection AI / ML
NVD GitHub
CVSS 3.0
9.8
EPSS
1.4%
CVE-2026-21521 HIGH PATCH This Week

Information disclosure in Microsoft 365 Word Copilot enables unauthenticated attackers to extract sensitive data through improper handling of escape and control sequences in network communications. The vulnerability requires user interaction to trigger and affects the Copilot AI/ML service with a CVSS score of 7.4. No patch is currently available.

Information Disclosure AI / ML 365 Word Copilot
NVD
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-21520 HIGH PATCH This Week

Unauthenticated attackers can remotely access sensitive information in Microsoft Copilot Studio due to improper access controls, requiring no authentication or user interaction. This network-based vulnerability exposes confidential data to unauthorized disclosure with no patch currently available.

Command Injection AI / ML Copilot Studio
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-65098 npm HIGH POC PATCH This Week

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. [CVSS 7.4 HIGH]

AI / ML Typebot
NVD GitHub
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-24055 MEDIUM POC PATCH This Month

Langfuse versions 3.146.0 and below allow unauthenticated attackers to hijack Slack OAuth integrations by injecting arbitrary projectIds into the /api/public/slack/install endpoint, enabling them to bind malicious Slack workspaces to any project and intercept prompt management data. An attacker can replace existing Prompt Slack Automations or pre-register malicious integrations that execute when authenticated users unknowingly configure them. Public exploit code exists for this vulnerability, which affects the DNS and AI/ML components of the Langfuse platform.

DNS AI / ML Langfuse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24002 CRITICAL PATCH Act Now

Grist spreadsheet software has an injection vulnerability in Python formula execution that allows authenticated users to escape the formula sandbox and execute arbitrary code.

Python AI / ML Grist Core
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-23526 HIGH PATCH This Week

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 8.8 HIGH]

Information Disclosure AI / ML Computer Vision Annotation Tool
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-23516 MEDIUM PATCH This Month

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]

RCE AI / ML Computer Vision Annotation Tool
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-21852 npm HIGH POC PATCH This Week

Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious repositories that redirect API calls to attacker-controlled servers before the trust confirmation dialog appears. When a victim opens an infected repository, the tool automatically reads malicious configuration settings and sends API requests containing credentials before displaying any security prompt, enabling credential theft. Users should upgrade to version 2.0.65 or later, though auto-update users have already received the patch.

Authentication Bypass AI / ML Claude Code
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69285 MEDIUM POC This Month

SQLBot is an intelligent data query system based on a large language model and RAG. [CVSS 6.1 MEDIUM]

PostgreSQL AI / ML Sqlbot
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-66960 PyPI HIGH POC This Week

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata [CVSS 7.5 HIGH]

Denial Of Service AI / ML Ollama Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-66959 PyPI HIGH POC This Week

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder [CVSS 7.5 HIGH]

Denial Of Service AI / ML Ollama Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-33233 HIGH This Week

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Privilege Escalation Code Injection Information Disclosure AI / ML
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-23875 MEDIUM POC PATCH This Month

Improper permission validation in CrawlChat versions prior to 0.0.8 allows unauthenticated Discord guild members to inject malicious content into the bot's knowledge base through the jigsaw emoji feature, enabling attackers to manipulate chatbot responses across all integrations and redirect users to malicious sites. The vulnerability affects the AI/ML platform's ability to maintain knowledge base integrity, as normal users can bypass intended admin-only controls. Public exploit code exists for this issue, though a patch is available.

Authentication Bypass AI / ML Crawlchat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-23842 PyPI HIGH POC PATCH This Week

ChatterBot versions through 1.2.10 suffer from denial-of-service vulnerabilities due to improper connection pool management that allows attackers to exhaust database connections through concurrent requests to the get_response() method, causing persistent service unavailability. Public exploit code exists for this vulnerability, which affects all deployments of the affected ChatterBot versions and requires manual service restart to recover. ChatterBot 1.2.11 addresses this issue.

Denial Of Service AI / ML Chatterbot
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23733 npm MEDIUM This Month

Stored XSS in LobeChat's Mermaid artifact renderer prior to version 2.0.0-next.180 enables attackers to execute arbitrary JavaScript, which can be escalated to remote code execution through the exposed electronAPI IPC bridge to run system commands. This affects users of the open source chat platform running vulnerable versions, requiring local interaction and high privileges to exploit but resulting in full system compromise. No patch is currently available.

RCE XSS AI / ML
NVD GitHub
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-0863 HIGH POC PATCH This Week

Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox restrictions and execute arbitrary code on the underlying operating system, with full instance takeover possible in Internal execution mode. Public exploit code exists for this vulnerability, which affects n8n deployments running under Internal execution mode where the Python executor has direct OS access. External execution mode deployments using Docker sidecars have reduced impact as code execution is confined to the container rather than the main node.

Python Docker AI / ML N8n
NVD GitHub
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-23744 npm CRITICAL POC PATCH THREAT Act Now

MCPJam Inspector versions 1.4.2 and earlier allow unauthenticated remote code execution through missing authentication in the MCP server debugging platform, with EPSS 17.2% indicating active scanning.

RCE Authentication Bypass AI / ML Inspector
NVD GitHub VulDB Exploit-DB
CVSS 3.1
9.8
EPSS
17.2%
Threat
4.0
CVE-2026-23528 PyPI MEDIUM PATCH This Month

Dask distributed is a distributed task scheduler for Dask. [CVSS 6.1 MEDIUM]

Linux Python AI / ML Dask
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-23523 CRITICAL POC PATCH Act Now

Dive, an MCP Host Desktop Application for LLM integration, allows code injection prior to version 0.13.0 through malicious tool responses, enabling attackers to execute arbitrary code on the user's machine.

RCE Code Injection AI / ML Dive
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-0616 HIGH This Week

TheLibrarian's web_fetch tool can expose the Adminer interface, enabling unauthenticated remote attackers to obtain credentials for the internal backend system. This high-severity vulnerability affects AI/ML deployments and TheLibrarian installations, with no patch currently available. An attacker with network access could leverage the exposed interface to gain unauthorized administrative access to the backend infrastructure.

Information Disclosure AI / ML The Librarian
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-0615 HIGH This Week

The Librarian's web_fetch tool can access the supervisord status page, exposing information about running backend processes to unauthenticated remote attackers. This information disclosure vulnerability (CVSS 7.3) affects AI/ML deployments and could enable attackers to map internal service architecture and identify targets for further exploitation. No patch is currently available for this vulnerability.

Information Disclosure AI / ML The Librarian
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-0613 HIGH This Week

The Librarian's web_fetch tool can be exploited via SSRF to perform unauthorized GET requests against internal IP addresses and cloud services within the Hertzner environment, allowing attackers to conduct port scanning and reconnaissance of the infrastructure. This unauthenticated network-based attack requires no user interaction and could expose sensitive internal services and their configurations. While the vendor has released patches, exploitation remains possible on unpatched instances.

SSRF AI / ML The Librarian
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-0612 HIGH This Week

The Librarian's web_fetch tool permits attackers to retrieve arbitrary external content and proxy requests through the application's infrastructure without authentication, resulting in information disclosure. This network-accessible vulnerability affects all versions of The Librarian AI/ML product and has high severity due to its ease of exploitation and potential for infrastructure abuse. A vendor patch is currently unavailable.

Information Disclosure AI / ML The Librarian
NVD
CVSS 3.1
7.5
EPSS
0.0%
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

AutoGPT has a second SSRF vulnerability (CVSS 9.8) in a different endpoint, providing an additional path to access internal network resources.

SSRF AI / ML Autogpt Platform
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

AutoGPT has a Server-Side Request Forgery vulnerability (CVSS 9.8) allowing unauthenticated attackers to make the AI platform access internal network resources.

SSRF AI / ML Autogpt Platform
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

Langroid LLM framework prior to 0.5 has a code injection vulnerability (CVSS 9.6) allowing attackers to execute arbitrary code through the AI agent system.

Code Injection AI / ML Langroid
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenClaw versions prior to 2026.1.30 suffer from a path traversal vulnerability in the isValidMedia() function that permits authenticated agents to read arbitrary files on the system by crafting malicious MEDIA output directives. An attacker with agent access can leverage this flaw to exfiltrate sensitive data accessible to the application process. Public exploit code exists for this vulnerability, and no patch is currently available.

Path Traversal AI / ML Openclaw
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

OpenClaw AI assistant versions prior to 2026.1.29 contain two command injection vulnerabilities: unescaped user input in SSH project paths allows remote code execution on SSH hosts, and insufficient validation of SSH target parameters enables local command execution through malicious flag injection. An attacker can exploit these flaws to achieve arbitrary code execution either remotely via SSH or locally on the system running OpenClaw.

SSH Command Injection AI / ML +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

N8N versions up to 1.118.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

RCE AI / ML N8n
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

n8n is an open source workflow automation platform. [CVSS 8.1 HIGH]

SSH RCE AI / ML +1
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored cross-site scripting in n8n's markdown rendering component allows authenticated users to inject malicious scripts into workflows and sticky notes that execute with session privileges when viewed by other users. An attacker with workflow modification permissions can exploit this to hijack sessions and compromise accounts of users who interact with affected workflows. Versions 1.123.9 and 2.2.1 contain fixes for this vulnerability.

XSS AI / ML N8n
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

n8n has a command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands through workflow definitions.

RCE Command Injection Information Disclosure +3
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

n8n has a TOCTOU race condition vulnerability (CVSS 9.9) enabling bypass of execution restrictions in workflow processing.

Information Disclosure AI / ML N8n
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Improper Content Security Policy enforcement in n8n workflow automation allows authenticated users to inject persistent XSS payloads into webhook responses that execute with same-origin privileges when other users access the affected workflows. An attacker with workflow creation/modification permissions could exploit this to hijack sessions and compromise user accounts. The vulnerability affects n8n versions prior to 1.123.2.

XSS AI / ML N8n
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.

RCE Command Injection Code Injection +3
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command parsing defect that bypasses the execution confirmation prompt via malicious find command syntax. An attacker with the ability to inject untrusted content into a Claude Code context can trigger unintended command execution with high impact to confidentiality, integrity, and availability. No patch is currently available for affected deployments.

Command Injection AI / ML Claude Code
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Claude Code versions prior to 2.0.74 allow authenticated users to write files outside designated directories by exploiting inadequate Bash command validation in ZSH clobber syntax parsing. An attacker with the ability to inject malicious content into a Claude Code context window on a ZSH-based system can bypass file restrictions and achieve unauthorized file writes without triggering user permission prompts. This vulnerability requires user interaction and ZSH environment configuration, making it suitable for supply chain or prompt injection attacks against Claude Code users.

Path Traversal AI / ML Claude Code
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Claude Code versions prior to 1.0.111 fail to properly validate trusted domains for WebFetch requests, allowing attackers to register lookalike domains (e.g., modelcontextprotocol.io.example.com) that bypass validation checks. This enables unauthorized automated requests to attacker-controlled servers without user interaction, potentially resulting in sensitive data exfiltration from the user's environment. The vulnerability affects Claude Code's agentic coding functionality and requires upgrading to version 1.0.111 or later to remediate.

Python AI / ML Claude Code
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Local code injection in NVIDIA Megatron-LM allows authenticated users to achieve arbitrary code execution and privilege escalation through malicious input to vulnerable scripts. An attacker with local access can craft specially designed data to trigger unsafe code evaluation, enabling complete system compromise including data theft and modification. No patch is currently available for this vulnerability affecting all supported platforms.

Privilege Escalation Code Injection Information Disclosure +1
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. [CVSS 7.3 HIGH]

Moodle XSS AI / ML
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Command injection in OpenClaw's Docker sandbox execution allows authenticated users to manipulate the PATH environment variable and execute arbitrary commands within containers prior to version 2026.1.29. An attacker with valid credentials and ability to control environment variables could achieve code execution within the containerized AI assistant. A patch is available in version 2026.1.29 and later.

Docker Command Injection AI / ML +1
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Amazon SageMaker Python SDK versions prior to v2.256.0 or v3.1.1 disable TLS certificate verification when importing Triton Python models, enabling attackers to perform man-in-the-middle attacks by presenting invalid or self-signed certificates. This vulnerability affects organizations using the affected SDK versions for model imports over HTTPS connections. No patch is currently available for this vulnerability.

Python TLS AI / ML
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Amazon SageMaker Python SDK versions before 3.2.0 and 2.256.0 expose the ModelBuilder HMAC signing key in cleartext API responses, allowing authenticated users with S3 bucket write access to inject malicious artifacts into training jobs that execute with elevated privileges. An attacker with dual permissions to call the DescribeTrainingJob API and modify the training output S3 location can achieve arbitrary code execution when the compromised job runs. No patch is currently available for this vulnerability.

Python AI / ML
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index. This attack requir...

Authentication Bypass AI / ML Khoj
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. [CVSS 8.8 HIGH]

Information Disclosure AI / ML Lunary
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

Lunary contains a vulnerability that allows attackers to delete prompts created in other organizations through ID manipulation (CVSS 6.5).

Authentication Bypass AI / ML Lunary
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL POC Act Now

Multiple command injection vulnerabilities in CAI (Cybersecurity AI) framework up to 0.5.10 allow OS command execution through the security testing platform.

RCE AI / ML
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC This Week

Remote code execution in AutoGPT Platform prior to v0.6.44 allows authenticated users to execute disabled blocks and write arbitrary Python code to the server filesystem. The vulnerability stems from insufficient validation of the disabled flag in block execution endpoints, enabling attackers to achieve code execution via the BlockInstallationBlock component. Public exploit code exists, and self-hosted instances with Supabase signup enabled are particularly vulnerable to account creation and exploitation.

Python RCE AI / ML +1
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM POC This Month

An input validation vulnerability in the flow.Tensor.new_empty/flow.Tensor.new_ones/flow.Tensor.new_zeros component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.2 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM POC This Month

An input validation vulnerability in the flow.scatter/flow.scatter_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted indices. [CVSS 6.2 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
EPSS 0% CVSS 6.2
MEDIUM POC This Month

Oneflow versions up to 0.9.0 contains a vulnerability that allows attackers to cause a Denial of Service (DoS) via a crafted input (CVSS 6.2).

Denial Of Service AI / ML Oneflow
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]

Denial Of Service AI / ML Oneflow
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]

Denial Of Service AI / ML Oneflow
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC This Month

A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. [CVSS 4.4 MEDIUM]

Drupal XSS AI / ML +1
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Discourse is an open source discussion platform. [CVSS 5.4 MEDIUM]

Authentication Bypass AI / ML Discourse
NVD GitHub
EPSS 0% CVSS 7.2
HIGH This Week

Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.

WordPress PHP RCE +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary files from the server filesystem. PoC available, patch available.

RCE AI / ML Ragflow
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

The AI Engine plugin for WordPress versions up to 3.3.2 contains a server-side request forgery vulnerability in the 'get_audio' function that allows authenticated subscribers and higher-privileged users to make arbitrary web requests from the server. When the Public API setting is enabled and allow_url_fopen is active, attackers can query and modify data on internal services accessible to the web application. No patch is currently available for this vulnerability.

WordPress SSRF AI / ML
NVD
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Denial Of Service Privilege Escalation Code Injection +2
NVD
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through crafted workflow expressions.

RCE AI / ML N8n
NVD GitHub
EPSS 0% CVSS 7.2
HIGH POC This Week

AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity.

Drupal RCE Path Traversal +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

Anythingllm versions up to 1.10.0 contains a vulnerability that allows attackers to complete compromise of the semantic search / retrieval functionality and indirec (CVSS 7.5).

Information Disclosure AI / ML Anythingllm
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

BentoML versions prior to 1.4.34 allow path traversal attacks through improperly validated file path fields in bentofile.yaml configurations, enabling attackers to embed arbitrary files from the victim's system into bento archives during the build process. This vulnerability can be exploited to exfiltrate sensitive data such as credentials, SSH keys, and environment variables into supply chain artifacts that may be pushed to registries or deployed in production environments. A patch is available in version 1.4.34.

Python Docker Path Traversal +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary file upload in Kalrav AI Agent WordPress plugin due to missing file type validation in the kalrav_upload_file AJAX action.

WordPress RCE AI / ML +1
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

Stored XSS in ChatterMate AI chatbot framework versions 1.0.8 and below. The chatbot accepts and renders malicious HTML/JavaScript from user input. PoC and patch available.

XSS AI / ML Chattermate
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]

WordPress AI / ML PHP
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Upsonic has an insecure deserialization via cloudpickle (EPSS 1.3%) enabling remote code execution through crafted serialized AI agent data.

RCE Deserialization AI / ML
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Remote code execution in Langflow's disk cache service allows authenticated attackers to execute arbitrary code by exploiting improper deserialization of untrusted data. The vulnerability affects Langflow installations and requires valid authentication credentials to exploit, enabling attackers to gain code execution within the service account context. No patch is currently available.

RCE Deserialization AI / ML +1
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Langflow's PythonFunction component allows authenticated attackers with user interaction to inject and execute arbitrary Python code within application workflows, achieving remote code execution. The vulnerability affects Langflow deployments using Python-based AI/ML components, with exploitation feasibility depending on specific product configurations. No patch is currently available.

Python RCE Code Injection +2
NVD
EPSS 10% CVSS 9.8
CRITICAL POC THREAT Emergency

Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes in the application's global scope.

RCE AI / ML Langflow
NVD Exploit-DB VulDB
EPSS 2% CVSS 9.8
CRITICAL Act Now

Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted custom component definitions.

Python RCE AI / ML +1
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the visual AI workflow builder.

Python RCE Code Injection +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in Open WebUI through the load_tool_module_by_id function allows authenticated attackers to execute arbitrary Python code due to insufficient input validation on user-supplied strings. An attacker with valid credentials can leverage this vulnerability to achieve code execution with service account privileges. No patch is currently available, making this a critical risk for deployed Open WebUI instances.

Python RCE Command Injection +2
NVD
EPSS 1% CVSS 8.8
HIGH This Week

Remote code execution in Open WebUI's install_frontmatter_requirements function allows authenticated attackers to execute arbitrary commands on the host system by bypassing input validation in system call parameters. The vulnerability affects AI/ML deployments using Open WebUI and requires valid authentication credentials to exploit. No patch is currently available.

RCE Command Injection AI / ML +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

GPT Academic has a second insecure deserialization vulnerability in the upload function (EPSS 1.5%) allowing remote code execution through crafted file uploads.

RCE Deserialization AI / ML +1
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

GPT Academic has an insecure deserialization in run_in_subprocess_wrapper_func (EPSS 1.7%) enabling remote code execution through crafted subprocess data.

RCE Deserialization AI / ML +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Remote code execution in GPT Academic's stream_daas function results from improper deserialization of untrusted data when communicating with external servers, allowing unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability requires interaction with a malicious DAAS server and currently has no available patch. Organizations using GPT Academic should implement network controls to restrict connections to untrusted DAAS services until patching is available.

RCE Deserialization AI / ML +1
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

MetaGPT has a code injection vulnerability in actionoutput_str_to_mapping (EPSS 2.6%) allowing remote attackers to execute arbitrary code through crafted AI agent output processing.

Python RCE Code Injection +2
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

MetaGPT by Foundation Agents has an insecure deserialization in deserialize_message (EPSS 1.7%) enabling remote code execution through crafted serialized data in AI agent communications.

RCE Deserialization AI / ML +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Katana Network Development Starter Kit has a command injection in executeCommand enabling remote code execution through the development framework.

RCE Command Injection AI / ML
NVD
EPSS 0% CVSS 7.8
HIGH This Week

mcp-server-siri-shortcuts fails to validate the shortcutName parameter before using it in system calls, enabling local attackers with low-privileged code execution to inject arbitrary commands and escalate to service account privileges. This command injection vulnerability (CVE-2026-0758, CVSS 7.8) affects the AI/ML tool and currently lacks a patch. An attacker exploiting this flaw can execute arbitrary code with elevated privileges on the affected system.

Privilege Escalation Command Injection AI / ML
NVD
EPSS 0% CVSS 8.8
HIGH This Week

MCP Manager for Claude Desktop is vulnerable to command injection through improperly validated MCP config objects, enabling remote attackers to escape the sandbox and execute arbitrary code on affected systems. The vulnerability requires user interaction such as visiting a malicious page or opening a malicious file, and currently lacks an available patch. An attacker can leverage this flaw to achieve code execution with medium integrity privileges in the context of the running process.

Command Injection AI / ML
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

github-kanban-mcp-server has a command injection in execAsync (EPSS 1.0%) enabling remote code execution on developer machines using the GitHub Kanban MCP integration.

Github RCE Command Injection +1
NVD
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

gemini-mcp-tool has a command injection in execAsync allowing remote code execution on systems using the Gemini AI MCP integration.

RCE Command Injection AI / ML
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL Act Now

Ollama MCP Server has a command injection vulnerability in execAsync (EPSS 1.0%) allowing remote attackers to execute arbitrary commands on systems running the Ollama AI integration.

RCE Command Injection AI / ML +1
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Framelink Figma MCP Server has a command injection vulnerability in fetchWithRetry (EPSS 1.4%) enabling remote code execution on developer machines using the MCP integration.

RCE Command Injection AI / ML
NVD GitHub
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Information disclosure in Microsoft 365 Word Copilot enables unauthenticated attackers to extract sensitive data through improper handling of escape and control sequences in network communications. The vulnerability requires user interaction to trigger and affects the Copilot AI/ML service with a CVSS score of 7.4. No patch is currently available.

Information Disclosure AI / ML 365 Word Copilot
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated attackers can remotely access sensitive information in Microsoft Copilot Studio due to improper access controls, requiring no authentication or user interaction. This network-based vulnerability exposes confidential data to unauthorized disclosure with no patch currently available.

Command Injection AI / ML Copilot Studio
NVD
EPSS 0% CVSS 7.4
HIGH POC PATCH This Week

Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. [CVSS 7.4 HIGH]

AI / ML Typebot
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Langfuse versions 3.146.0 and below allow unauthenticated attackers to hijack Slack OAuth integrations by injecting arbitrary projectIds into the /api/public/slack/install endpoint, enabling them to bind malicious Slack workspaces to any project and intercept prompt management data. An attacker can replace existing Prompt Slack Automations or pre-register malicious integrations that execute when authenticated users unknowingly configure them. Public exploit code exists for this vulnerability, which affects the DNS and AI/ML components of the Langfuse platform.

DNS AI / ML Langfuse
NVD GitHub
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Grist spreadsheet software has an injection vulnerability in Python formula execution that allows authenticated users to escape the formula sandbox and execute arbitrary code.

Python AI / ML Grist Core
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 8.8 HIGH]

Information Disclosure AI / ML Computer Vision Annotation Tool
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]

RCE AI / ML Computer Vision Annotation Tool
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious repositories that redirect API calls to attacker-controlled servers before the trust confirmation dialog appears. When a victim opens an infected repository, the tool automatically reads malicious configuration settings and sends API requests containing credentials before displaying any security prompt, enabling credential theft. Users should upgrade to version 2.0.65 or later, though auto-update users have already received the patch.

Authentication Bypass AI / ML Claude Code
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

SQLBot is an intelligent data query system based on a large language model and RAG. [CVSS 6.1 MEDIUM]

PostgreSQL AI / ML Sqlbot
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata [CVSS 7.5 HIGH]

Denial Of Service AI / ML Ollama +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder [CVSS 7.5 HIGH]

Denial Of Service AI / ML Ollama +2
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]

Privilege Escalation Code Injection Information Disclosure +1
NVD
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Improper permission validation in CrawlChat versions prior to 0.0.8 allows unauthenticated Discord guild members to inject malicious content into the bot's knowledge base through the jigsaw emoji feature, enabling attackers to manipulate chatbot responses across all integrations and redirect users to malicious sites. The vulnerability affects the AI/ML platform's ability to maintain knowledge base integrity, as normal users can bypass intended admin-only controls. Public exploit code exists for this issue, though a patch is available.

Authentication Bypass AI / ML Crawlchat
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

ChatterBot versions through 1.2.10 suffer from denial-of-service vulnerabilities due to improper connection pool management that allows attackers to exhaust database connections through concurrent requests to the get_response() method, causing persistent service unavailability. Public exploit code exists for this vulnerability, which affects all deployments of the affected ChatterBot versions and requires manual service restart to recover. ChatterBot 1.2.11 addresses this issue.

Denial Of Service AI / ML Chatterbot
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored XSS in LobeChat's Mermaid artifact renderer prior to version 2.0.0-next.180 enables attackers to execute arbitrary JavaScript, which can be escalated to remote code execution through the exposed electronAPI IPC bridge to run system commands. This affects users of the open source chat platform running vulnerable versions, requiring local interaction and high privileges to exploit but resulting in full system compromise. No patch is currently available.

RCE XSS AI / ML
NVD GitHub
EPSS 0% CVSS 8.5
HIGH POC PATCH This Week

Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox restrictions and execute arbitrary code on the underlying operating system, with full instance takeover possible in Internal execution mode. Public exploit code exists for this vulnerability, which affects n8n deployments running under Internal execution mode where the Python executor has direct OS access. External execution mode deployments using Docker sidecars have reduced impact as code execution is confined to the container rather than the main node.

Python Docker AI / ML +1
NVD GitHub
EPSS 17% 4.0 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

MCPJam Inspector versions 1.4.2 and earlier allow unauthenticated remote code execution through missing authentication in the MCP server debugging platform, with EPSS 17.2% indicating active scanning.

RCE Authentication Bypass AI / ML +1
NVD GitHub VulDB Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Dask distributed is a distributed task scheduler for Dask. [CVSS 6.1 MEDIUM]

Linux Python AI / ML +1
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

Dive, an MCP Host Desktop Application for LLM integration, allows code injection prior to version 0.13.0 through malicious tool responses, enabling attackers to execute arbitrary code on the user's machine.

RCE Code Injection AI / ML +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

TheLibrarian's web_fetch tool can expose the Adminer interface, enabling unauthenticated remote attackers to obtain credentials for the internal backend system. This high-severity vulnerability affects AI/ML deployments and TheLibrarian installations, with no patch currently available. An attacker with network access could leverage the exposed interface to gain unauthorized administrative access to the backend infrastructure.

Information Disclosure AI / ML The Librarian
NVD
EPSS 0% CVSS 7.3
HIGH This Week

The Librarian's web_fetch tool can access the supervisord status page, exposing information about running backend processes to unauthenticated remote attackers. This information disclosure vulnerability (CVSS 7.3) affects AI/ML deployments and could enable attackers to map internal service architecture and identify targets for further exploitation. No patch is currently available for this vulnerability.

Information Disclosure AI / ML The Librarian
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Librarian's web_fetch tool can be exploited via SSRF to perform unauthorized GET requests against internal IP addresses and cloud services within the Hertzner environment, allowing attackers to conduct port scanning and reconnaissance of the infrastructure. This unauthenticated network-based attack requires no user interaction and could expose sensitive internal services and their configurations. While the vendor has released patches, exploitation remains possible on unpatched instances.

SSRF AI / ML The Librarian
NVD
EPSS 0% CVSS 7.5
HIGH This Week

The Librarian's web_fetch tool permits attackers to retrieve arbitrary external content and proxy requests through the application's infrastructure without authentication, resulting in information disclosure. This network-accessible vulnerability affects all versions of The Librarian AI/ML product and has high severity due to its ease of exploitation and potential for infrastructure abuse. A vendor patch is currently unavailable.

Information Disclosure AI / ML The Librarian
NVD
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy