Cyber Resilience

Vulnerabilities in AI Software

Daily-updated analysis of CVEs affecting AI and machine-learning software — frameworks, libraries, LLM platforms, agent protocols, enterprise assistants, and supporting infrastructure. Compares vulnerabilities in AI software against all other software, with breakdowns by severity, vector, weakness, exploitability and priority.

Last updated: 04 July 2026 00:28 UTC

AI CVEs in 2025: 868 (1.7% of all CVEs published)
AI CVEs in 2026 so far: 1,249 (185 days, 6.1 months, of data)
2026 annualised: 2,464 (↑ +184% vs. 2025)
CISA KEV-listed: 5 (0 ransomware-linked)

Volume & Trend

→ Top: AI-related CVEs as a share of all new CVEs, by month. Bottom: monthly AI-related vs. non-AI volume — the non-AI (right) axis is scaled so the two lines share the same average height, which makes the relative trend stand out. AI volume has climbed steeply through 2025 and 2026.

CVSS Distribution by Year

→ Box plot of CVSS base score distributions for AI-related vs. all other software, in 2025 and 2026. The middle line is the median; the box is the interquartile range.

AI Subcategory Risk Profile

→ Top 10 AI subcategories by all-time annotated CVE count. Bar length is volume; bar colour is mean CVSS (severity), and each bar is labelled with its mean CVSS and mean EPSS (exploitation probability), so you can read which kinds of AI software are most common, most severe, and under the most exploit pressure. Model Context Protocol (MCP) and similar agent integrations live under “AI Agent Protocols and Integrations.”

Who Builds It

→ Top: vendors with the most AI-related CVEs, 2025–2026 (a CVE can name more than one vendor). Bottom: the open-source vs. proprietary split across the same cohort, from per-CVE source-availability tagging. Most AI-related vulnerabilities land in open-source software.

CVSS Vector Profile

→ Distribution of four CVSS sub-vectors across AI-related vs. all other software, 2025 + 2026 combined. Attack Vector (network accessibility), Privileges Required, User Interaction, and the highest of Confidentiality / Integrity / Availability impact.

Top CWEs — 2025 vs 2026 Rank Shift

→ Top weaknesses in AI-related CVEs, comparing 2025 totals against 2026 (Q1+Q2 so far). Server-Side Request Forgery (CWE-918) has risen sharply in 2026 alongside the established command-injection and cross-site scripting weaknesses.

MITRE ATT&CK Enterprise Techniques

→ Top techniques associated with AI-related vulnerabilities, ranked by annotated CVE count. Click any bar to open the MITRE ATT&CK technique page in a new tab.

EPSS Cumulative Distribution

→ CDF curves comparing EPSS exploit-probability scores across AI-related vs. all other software (2025 + 2026). Curves further to the right indicate higher exploitation probability.

CISA KEV: AI-listed Vulnerabilities

5 AI-related CVEs are on CISA's Known Exploited Vulnerabilities list. 0 have a confirmed ransomware campaign association. 1 added to KEV in 2025 · 4 added in 2026 · 0 added earlier.

Top 25 AI CVEs by Risk Priority

→ Composite priority score = 60% EPSS + 20% KEV + 20% CVSS, scaled to 0–100. Click any column header to re-sort. CVE links open the full detail page.
CVE              Flags     Risk Priority  CVSS  EPSS    Published
CVE-2025-3248    KEV       100            9.8   0.9997  2025-04-07
CVE-2025-34291   KEV       100            8.8   0.7889  2025-12-05
CVE-2026-33017   KEV       100            9.8   0.9841  2026-03-20
CVE-2026-42208   KEV UPD   100            9.8   0.8661  2026-05-08
CVE-2026-42271   KEV UPD   100            8.8   0.8019  2026-05-08
CVE-2025-11749             80             9.8   0.7506  2025-11-05
CVE-2025-2294              80             9.8   0.7676  2025-03-28
CVE-2025-26319             80             9.8   0.5079  2025-03-04
CVE-2025-58434             80             9.8   0.5012  2025-09-12
CVE-2025-59528             80             10.0  0.9018  2025-09-22
CVE-2025-6514    UPD       80             9.6   0.7664  2025-07-09
CVE-2025-8943    UPD       80             9.8   0.7087  2025-08-14
CVE-2024-10361             70             9.1   0.0091  2025-03-20
CVE-2024-10835             70             9.8   0.0108  2025-03-20
CVE-2024-10901             70             9.8   0.0099  2025-03-20
CVE-2024-10902             70             9.8   0.0119  2025-03-20
CVE-2024-12366             70             9.8   0.0122  2025-02-11
CVE-2024-45569             70             9.8   0.0048  2025-02-03
CVE-2024-49375             70             9.0   0.0089  2025-01-14
CVE-2024-54142             70             9.0   0.0041  2025-01-14
CVE-2024-7776              70             9.1   0.0136  2025-03-20
CVE-2024-8019              70             9.1   0.0102  2025-03-20
CVE-2024-8156              70             9.8   0.0167  2025-03-20
CVE-2024-9053              70             9.8   0.0127  2025-03-20
CVE-2024-9095              70             9.8   0.0068  2025-03-20

Sample CVE Deep-Dives

→ Three representative CVEs — one each from Agent Protocols, Deep Learning Frameworks, and Enterprise AI Assistants — selected as the highest-priority CVE in each category that has a complete AI-generated security summary on file.
CVE-2026-42271 (KEV) · AI Agent Protocols and Integrations
Risk Priority: 100 · CVSS: 8.8 · EPSS: 0.8019 · Published: 2026-05-08

LiteLLM is an AI gateway proxy server that routes calls to LLM APIs using OpenAI-compatible or native formats. CVE-2026-42271 affects versions 1.74.2 through 1.83.6 and stems from two unauthenticated-role endpoints, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, that accept an arbitrary MCP server configuration containing command, args, and env fields for the stdio transport. When presented with such a configuration the endpoints spawn the supplied command as a child process on the proxy host, inheriting the privileges of the LiteLLM process; the only access control is possession of any valid proxy API key.

CVE-2024-7776 · Deep Learning Frameworks
Risk Priority: 70 · CVSS: 9.1 · EPSS: 0.0136 · Published: 2025-03-20

A path traversal vulnerability exists in the download_model function of the onnx/onnx framework in versions up to and including 1.16.1. The function lacks sufficient safeguards against traversal sequences in malicious tar files, enabling arbitrary file overwrites on the target system. It carries a CVSS score of 9.1 under CWE-22.

CVE-2025-10725 · Enterprise AI Assistants
Risk Priority: 70 · CVSS: 9.9 · EPSS: 0.0070 · Published: 2025-09-30

CVE-2025-10725 is a privilege escalation vulnerability in Red Hat OpenShift AI Service. The flaw allows a low-privileged attacker with an authenticated account to elevate privileges to full cluster administrator level. It is rated with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is associated with CWE-266: Incorrect Privilege Assignment for Critical Resources.


Recommendations — Software Producers

Prioritise defence against the dominant weakness classes in AI-related software. Through 2026 these are OS command injection (CWE-78), command injection (CWE-77), server-side request forgery (CWE-918, newly prominent in 2026), path traversal (CWE-22), and cross-site scripting (CWE-79).

Avoid passing user-controlled or LLM-generated text directly to shell commands or HTTP fetchers. Use built-in libraries or APIs, parameterise subprocess invocations, and explicitly enumerate allowed hosts for any outbound HTTP. Add tool sandboxing, least-privilege token scoping, and signed tool manifests for any agentic component that delegates execution. Mandate human approval gates for sensitive actions and log every tool invocation.
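As an added example (not code from this page or from LiteLLM), the following Python sketch applies the two recommendations above to the pattern described in the CVE-2026-42271 deep-dive: an MCP stdio server configuration's command, args and env fields are never executed as supplied, and outbound fetch targets are checked against a host allowlist. The launcher table, paths and hosts are constructed placeholders.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Constructed allowlist: a config may only *name* a launcher; the argv
# prefix is fixed by the operator. Paths are placeholders, not real servers.
ALLOWED_COMMANDS = {
    "docs-server": ["/opt/mcp/docs-server", "--stdio"],
    "calc-server": ["/opt/mcp/calc-server"],
}
SAFE_ARG = re.compile(r"[A-Za-z0-9_.:/=-]{1,128}")   # no spaces, quotes or ';'
ALLOWED_ENV_KEYS = {"LOG_LEVEL"}                      # everything else is dropped
ALLOWED_HOSTS = {"api.example.com", "docs.example.com"}  # constructed


def build_mcp_argv(config: dict) -> list:
    """CWE-78 guard: `command` selects an allowlisted launcher instead of
    being spawned verbatim, and every extra arg must match SAFE_ARG."""
    name = config.get("command")
    if name not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowlisted: {name!r}")
    args = config.get("args") or []
    if not all(isinstance(a, str) and SAFE_ARG.fullmatch(a) for a in args):
        raise ValueError("argument rejected: only SAFE_ARG characters allowed")
    return ALLOWED_COMMANDS[name] + list(args)


def filtered_env(config: dict) -> dict:
    """Keep only allowlisted env keys; loader or PATH overrides never pass."""
    env = config.get("env") or {}
    return {k: str(v) for k, v in env.items() if k in ALLOWED_ENV_KEYS}


def spawn_mcp(config: dict) -> subprocess.Popen:
    """Spawn with an argv list (no shell) and a minimal environment."""
    return subprocess.Popen(build_mcp_argv(config), env=filtered_env(config),
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)


def check_outbound_url(url: str) -> str:
    """CWE-918 guard: http(s) only, no userinfo, host must be allowlisted."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.username or parts.password:
        raise ValueError("scheme or userinfo not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {host!r}")
    return url
```

The URL check validates the name before the request is made; pair it with a resolver-level check or an egress proxy if DNS answers for allowlisted hosts are not under your control.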

Recommendations — Enterprises (Software Consumers)

Request penetration test results from AI-software vendors with explicit coverage of injection (CWE-77/CWE-78), SSRF (CWE-918), path traversal (CWE-22), XSS (CWE-79), and authorisation flaws (CWE-862, CWE-284). For self-hosted AI components, run independent fuzzing against tool interfaces and prompt-injection vectors.

Track the EPSS-driven Risk Priority of CVEs in your AI software stack (see the table above) and treat ransomware-linked KEVs as requiring immediate remediation. For agentic AI specifically, evaluate platforms providing tool discovery, real-time monitoring, and policy-based execution control as a layer over generic application security.

Future Work

Two analyses depend on annotation coverage that's still maturing: MITRE ATLAS technique mapping (the AI-specific adversarial framework) and OWASP Top 10 for LLMs 2025 categorisation. Once enough 2026 CVEs are processed by our QA tools we'll add tabs covering both. Threat-actor attribution for AI vulnerabilities remains sparse in public reporting and will be incorporated as data improves.