5 AI-related CVEs are on CISA's Known Exploited Vulnerabilities list. 0 have a confirmed ransomware campaign association. 1 added to KEV in 2025 · 4 added in 2026 · 0 added earlier.
Vulnerabilities in AI Software
Daily-updated analysis of CVEs affecting AI and machine-learning software — frameworks, libraries, LLM platforms, agent protocols, enterprise assistants, and supporting infrastructure. Compares vulnerabilities in AI software against all other software, with breakdowns by severity, vector, weakness, exploitability and priority.
Last updated: 04 July 2026 00:28 UTC
Analysis panels (interactive charts, not reproduced in this extract): Volume & Trend; CVSS Distribution by Year; AI Subcategory Risk Profile; Who Builds It; CVSS Vector Profile; Top CWEs, 2025 vs 2026 Rank Shift; MITRE ATT&CK Enterprise Techniques; EPSS Cumulative Distribution; CISA KEV: AI-listed Vulnerabilities.
Top 25 AI CVEs by Risk Priority
| CVE | Flags | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|---|
| CVE-2025-3248 | KEV | 100 | 9.8 | 0.9997 | 2025-04-07 |
| CVE-2025-34291 | KEV | 100 | 8.8 | 0.7889 | 2025-12-05 |
| CVE-2026-33017 | KEV | 100 | 9.8 | 0.9841 | 2026-03-20 |
| CVE-2026-42208 | KEV, UPD | 100 | 9.8 | 0.8661 | 2026-05-08 |
| CVE-2026-42271 | KEV, UPD | 100 | 8.8 | 0.8019 | 2026-05-08 |
| CVE-2025-11749 | | 80 | 9.8 | 0.7506 | 2025-11-05 |
| CVE-2025-2294 | | 80 | 9.8 | 0.7676 | 2025-03-28 |
| CVE-2025-26319 | | 80 | 9.8 | 0.5079 | 2025-03-04 |
| CVE-2025-58434 | | 80 | 9.8 | 0.5012 | 2025-09-12 |
| CVE-2025-59528 | | 80 | 10.0 | 0.9018 | 2025-09-22 |
| CVE-2025-6514 | UPD | 80 | 9.6 | 0.7664 | 2025-07-09 |
| CVE-2025-8943 | UPD | 80 | 9.8 | 0.7087 | 2025-08-14 |
| CVE-2024-10361 | | 70 | 9.1 | 0.0091 | 2025-03-20 |
| CVE-2024-10835 | | 70 | 9.8 | 0.0108 | 2025-03-20 |
| CVE-2024-10901 | | 70 | 9.8 | 0.0099 | 2025-03-20 |
| CVE-2024-10902 | | 70 | 9.8 | 0.0119 | 2025-03-20 |
| CVE-2024-12366 | | 70 | 9.8 | 0.0122 | 2025-02-11 |
| CVE-2024-45569 | | 70 | 9.8 | 0.0048 | 2025-02-03 |
| CVE-2024-49375 | | 70 | 9.0 | 0.0089 | 2025-01-14 |
| CVE-2024-54142 | | 70 | 9.0 | 0.0041 | 2025-01-14 |
| CVE-2024-7776 | | 70 | 9.1 | 0.0136 | 2025-03-20 |
| CVE-2024-8019 | | 70 | 9.1 | 0.0102 | 2025-03-20 |
| CVE-2024-8156 | | 70 | 9.8 | 0.0167 | 2025-03-20 |
| CVE-2024-9053 | | 70 | 9.8 | 0.0127 | 2025-03-20 |
| CVE-2024-9095 | | 70 | 9.8 | 0.0068 | 2025-03-20 |

Flags: KEV = listed in CISA's Known Exploited Vulnerabilities catalog; UPD = record updated since initial publication. Risk Priority combines CVSS, EPSS and KEV status; EPSS is the probability of exploitation in the next 30 days.
Sample CVE Deep-Dives
LiteLLM is an AI gateway proxy that routes calls to LLM APIs using OpenAI-compatible or native formats. CVE-2026-42271 affects versions 1.74.2 through 1.83.6 and stems from two endpoints, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, that accept an arbitrary MCP server configuration containing command, args and env fields for the stdio transport without any role check. Given such a configuration, the endpoints spawn the supplied command as a child process on the proxy host with the privileges of the LiteLLM process; the only access control is possession of any valid proxy API key, so any key holder, not just an administrator, obtains command execution on the proxy.
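The following is an added example, not LiteLLM's code, showing the authorisation gap described above beside a hardened replacement. The vulnerable shape checks only that the request carries a valid proxy key, then turns the client's command/args/env straight into a child-process plan. The hardened shape restricts stdio servers to an admin role, resolves the executable through a server-side registry rather than accepting a path from the client, and rejects unexpected args and env keys. The role names, registry paths and log format are assumptions for this example.

```python
"""Added example (not LiteLLM's code): planning a stdio MCP server spawn
from an API-keyed endpoint, in the vulnerable and the hardened shape."""
import logging
import re
import subprocess
from dataclasses import dataclass, field

log = logging.getLogger("mcp-gateway")


@dataclass
class Caller:
    key_id: str
    role: str            # assumed roles: "proxy_admin", "internal_user"


@dataclass
class Decision:
    allowed: bool
    reason: str = ""
    argv: list = field(default_factory=list)
    env: dict = field(default_factory=dict)


# Vulnerable shape: any valid key may spawn anything ---------------------
def plan_stdio_server_vulnerable(caller, config):
    if caller is None:
        return Decision(False, "missing API key")      # the only check performed
    # command, args and env come straight from the request body
    return Decision(True, argv=[config["command"], *config.get("args", [])],
                    env=dict(config.get("env", {})))


# Hardened shape -----------------------------------------------------------
STDIO_SERVER_REGISTRY = {            # assumed server-side allowlist of launchable servers
    "filesystem": "/opt/mcp/filesystem-server",
    "git": "/opt/mcp/git-server",
}
SAFE_ARG = re.compile(r"^[A-Za-z0-9_./:=@-]{1,200}$")
ALLOWED_ENV_KEYS = {"MCP_LOG_LEVEL", "MCP_ROOT"}     # never PATH, LD_PRELOAD, etc.


def plan_stdio_server_hardened(caller, config):
    if caller is None:
        return Decision(False, "missing API key")
    if caller.role != "proxy_admin":
        return Decision(False, "stdio MCP servers require the proxy_admin role")
    name = config.get("server")                       # logical name, not a path
    if name not in STDIO_SERVER_REGISTRY:
        return Decision(False, f"unknown stdio server {name!r}")
    args = config.get("args", [])
    bad = [a for a in args if not isinstance(a, str) or not SAFE_ARG.match(a)]
    if bad:
        return Decision(False, f"rejected args {bad!r}")
    env = config.get("env", {})
    extra = sorted(set(env) - ALLOWED_ENV_KEYS)
    if extra:
        return Decision(False, f"env keys not permitted {extra!r}")
    d = Decision(True, argv=[STDIO_SERVER_REGISTRY[name], *args], env=dict(env))
    log.info("stdio spawn authorised key=%s server=%s argv=%s", caller.key_id, name, d.argv)
    return d


def spawn(decision, timeout=10):
    """Execute an allowed plan: argv list (no shell), env exactly as filtered."""
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return subprocess.run(decision.argv, env=decision.env,
                          capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    attacker = Caller("sk-user-1", "internal_user")
    payload = {"transport": "stdio", "command": "/bin/sh", "args": ["-c", "id"]}
    print(plan_stdio_server_vulnerable(attacker, payload))   # allowed: argv=['/bin/sh', '-c', 'id']
    print(plan_stdio_server_hardened(attacker, payload))     # denied: role check
```

The registry indirection is the key control: the client names a server the operator has already installed, and the executable path never crosses the trust boundary. Even for admins, keeping env to an allowlist matters because a child process inheriting or receiving LD_PRELOAD or PATH from the request is as good as an arbitrary command.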
A path-traversal vulnerability (CWE-22, CVSS 9.1) exists in the download_model function of the onnx/onnx framework in versions up to and including 1.16.1. The function extracts downloaded model tarballs without adequate validation of member paths, so a crafted archive can write outside the extraction directory and overwrite arbitrary files on the target system.
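As an added example (not onnx's code), here is the member-path validation a tar-extracting model downloader needs, exercised against a constructed malicious archive. The archive contents, file names and destination directory are all constructed for this example; the check itself is generic to any tarball extraction.

```python
"""Added example (not onnx's code): validate tar members before extraction."""
import io
import os
import tarfile
import tempfile


class UnsafeArchive(Exception):
    pass


def archive_problems(tar, dest):
    """Return [(member_name, reason)] for members that must not be extracted."""
    dest = os.path.realpath(dest)
    problems = []
    for m in tar.getmembers():
        target = os.path.realpath(os.path.join(dest, m.name))
        if os.path.commonpath([dest, target]) != dest:
            problems.append((m.name, "path escapes destination"))   # ../ or absolute name
        elif m.issym() or m.islnk():
            problems.append((m.name, "link member"))  # a link can redirect later writes
        elif not (m.isfile() or m.isdir()):
            problems.append((m.name, "special file"))
    return problems


def extract_model_archive(tar_bytes, dest):
    """Extract only if every member passes; returns the sorted top-level names."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        problems = archive_problems(tar, dest)
        if problems:
            raise UnsafeArchive(problems)
        # Python 3.12+ (and backports) ship a "data" filter; use it as belt and braces.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)
    return sorted(os.listdir(dest))


def build_tar(entries):
    """Constructed test archive. entries: [(name, bytes)] for files,
    [(name, str)] for a symlink whose target is the string."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            if isinstance(payload, str):
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample archives: a clean model and a traversal/symlink payload.
BENIGN_TAR = build_tar([("model.onnx", b"\x08\x07")])
MALICIOUS_TAR = build_tar([("model.onnx", b"\x08\x07"),
                           ("../../.bashrc", b"echo pwned\n"),
                           ("cache", "/home")])


def scan(tar_bytes, dest="/tmp/models"):
    """List problems without extracting anything; dest need not exist."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        return archive_problems(tar, dest)


def extract_to_tempdir(tar_bytes):
    return extract_model_archive(tar_bytes, tempfile.mkdtemp(prefix="onnx-"))


if __name__ == "__main__":
    print(scan(BENIGN_TAR))      # []
    print(scan(MALICIOUS_TAR))   # traversal and symlink members flagged
```

Rejecting link members is deliberate: a symlink extracted first and a regular file written "through" it later is the classic way to defeat a check that only inspects the literal member name, and realpath cannot see a link that does not exist yet.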
CVE-2025-10725 is a privilege escalation vulnerability in Red Hat OpenShift AI Service. A low-privileged attacker with an authenticated account can elevate to full cluster-administrator level. It carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is classified as CWE-266: Incorrect Privilege Assignment.
Recommendations — Software Producers
Prioritise defence against the dominant weakness classes in AI-related software. Through 2026 these are OS command injection (CWE-78), command injection (CWE-77), server-side request forgery (CWE-918, newly prominent in 2026), path traversal (CWE-22), and cross-site scripting (CWE-79).
Never pass user-controlled or LLM-generated text directly to shell commands or HTTP fetchers. Prefer library APIs over shelling out, pass subprocess arguments as an argv list rather than a shell string, and explicitly enumerate allowed hosts for any outbound HTTP. Add tool sandboxing, least-privilege token scoping, and signed tool manifests for any agentic component that delegates execution. Mandate human approval gates for sensitive actions and log every tool invocation.
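An added example, not from the page or any product, of a policy layer between an LLM and its tools that applies three of the controls above: an explicit allowlist of outbound hosts for a fetch tool (the SSRF control), a human approval callback for sensitive tools, and an audit record for every decision. The host names, tool names and approval callback are assumptions.

```python
"""Added example: tool-call gateway with host allowlist, approval gate and audit log."""
import logging
from dataclasses import dataclass
from urllib.parse import urlsplit

log = logging.getLogger("tool-gateway")

ALLOWED_HOSTS = {"api.example.internal", "docs.example.com"}          # assumed
SENSITIVE_TOOLS = {"delete_file", "send_email", "transfer_funds"}     # assumed


@dataclass
class Decision:
    allowed: bool
    reason: str = ""


def check_outbound_url(url):
    """Allow only https to an exactly allowlisted host on the default port."""
    try:
        p = urlsplit(url)
        port = p.port                      # raises ValueError on a malformed port
    except ValueError as e:
        return Decision(False, f"malformed URL: {e}")
    if p.scheme != "https":
        return Decision(False, f"scheme {p.scheme!r} not allowed")
    if p.username is not None or p.password is not None:
        return Decision(False, "credentials embedded in URL")
    if p.hostname not in ALLOWED_HOSTS:    # exact match: no suffix tricks, no IP literals
        return Decision(False, f"host {p.hostname!r} not on allowlist")
    if port not in (None, 443):
        return Decision(False, f"port {port} not allowed")
    return Decision(True)


def dispatch(call, approve, audit):
    """Decide one LLM-proposed tool call.
    approve(call) -> bool is the human gate for sensitive tools;
    audit is a list that receives every decision, allowed or not."""
    tool = call.get("tool")
    if tool == "http_get":
        d = check_outbound_url(call.get("url", ""))
    elif tool in SENSITIVE_TOOLS:
        d = Decision(True, "approved by human") if approve(call) \
            else Decision(False, "human approval denied")
    elif tool == "search_docs":
        d = Decision(True)
    else:
        d = Decision(False, f"unknown tool {tool!r}")
    audit.append({"tool": tool, "allowed": d.allowed, "reason": d.reason, "call": call})
    log.info("tool=%s allowed=%s reason=%s", tool, d.allowed, d.reason)
    return d


if __name__ == "__main__":
    trail = []
    for c in [{"tool": "http_get", "url": "https://api.example.internal/v1/items"},
              {"tool": "http_get", "url": "https://169.254.169.254/latest/meta-data/"},
              {"tool": "send_email", "to": "cfo@example.com"}]:
        print(c["tool"], dispatch(c, approve=lambda call: False, audit=trail))
```

The check covers the URL the model asked for, not where the connection ends up: the HTTP client behind it must either refuse redirects or re-run check_outbound_url on every hop, and should reject connections whose resolved address is in a private or link-local range, otherwise an allowlisted host that redirects, or a DNS rebinding, walks around the allowlist.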
Recommendations — Enterprises (Software Consumers)
Request penetration test results from AI-software vendors with explicit coverage of injection (CWE-77/CWE-78), SSRF (CWE-918), path traversal (CWE-22), XSS (CWE-79), and authorisation flaws (CWE-862, CWE-284). For self-hosted AI components, run independent fuzzing against tool interfaces and prompt-injection vectors.
Track the EPSS-driven Risk Priority of CVEs in your AI software stack (see the table above) and treat KEV-listed CVEs, above all any that become ransomware-linked, as immediate-remediation items. For agentic AI specifically, evaluate platforms that provide tool discovery, real-time monitoring, and policy-based execution control as a layer over generic application security.
Future Work
Two analyses depend on annotation coverage that is still maturing: MITRE ATLAS technique mapping (the AI-specific adversarial framework) and OWASP Top 10 for LLMs 2025 categorisation. Once enough 2026 CVEs have been processed by our QA tools we will add tabs covering both. Threat-actor attribution for AI vulnerabilities remains sparse in public reporting and will be incorporated as data improves.