5 AI-related CVEs are on CISA's Known Exploited Vulnerabilities list. 0 have a confirmed ransomware campaign association. 1 listed in 2025 · 3 listed in 2026 · 1 added earlier.
Vulnerabilities in AI-related Software
Daily-updated analysis of CVEs affecting AI and machine-learning software — frameworks, libraries, LLM platforms, agent protocols, enterprise assistants, and supporting infrastructure. Comparing AI-related vulnerabilities against all other software, with breakdowns by severity, vector, weakness, exploitability and priority.
Last updated: 04 May 2026 05:47 UTC
Quarterly Volume
CVSS Distribution by Year
AI Subcategory Share
CVSS Vector Profile
Top CWEs — 2025 vs 2026 Rank Shift
MITRE ATT&CK Enterprise Techniques
EPSS Cumulative Distribution
CISA KEV: AI-listed Vulnerabilities
Top 25 AI CVEs by Risk Priority
| CVE | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-3248 (KEV) | 95 | 9.8 | 0.9181 | 2025-04-07 |
| CVE-2025-26319 | 73 | 9.8 | 0.8870 | 2025-03-04 |
| CVE-2025-8943 | 72 | 9.8 | 0.8815 | 2025-08-14 |
| CVE-2025-11749 | 71 | 9.8 | 0.8539 | 2025-11-05 |
| CVE-2025-59528 | 71 | 10.0 | 0.8494 | 2025-09-22 |
| CVE-2025-27520 | 68 | 9.8 | 0.8095 | 2025-04-04 |
| CVE-2026-33017 (KEV) | 64 | 9.8 | 0.4124 | 2026-03-20 |
| CVE-2025-32375 | 60 | 9.8 | 0.6734 | 2025-04-09 |
| CVE-2025-2294 | 54 | 9.8 | 0.5685 | 2025-03-28 |
| CVE-2026-27966 | 41 | 9.8 | 0.3567 | 2026-02-26 |
| CVE-2026-23744 | 39 | 9.8 | 0.3224 | 2026-01-16 |
| CVE-2025-58434 | 32 | 9.8 | 0.2098 | 2025-09-12 |
| CVE-2025-1716 | 29 | 9.8 | 0.1625 | 2025-02-26 |
| CVE-2026-27483 | 28 | 8.8 | 0.1695 | 2026-02-24 |
| CVE-2026-23482 | 27 | 7.5 | 0.2046 | 2026-03-23 |
| CVE-2026-30824 | 27 | 9.8 | 0.1222 | 2026-03-07 |
| CVE-2026-33032 | 26 | 9.8 | 0.1005 | 2026-03-30 |
| CVE-2026-34156 | 26 | 9.9 | 0.1096 | 2026-03-31 |
| CVE-2026-35029 | 26 | 8.8 | 0.1330 | 2026-04-06 |
| CVE-2025-32711 | 25 | 9.3 | 0.0994 | 2025-06-11 |
| CVE-2026-21445 | 25 | 9.1 | 0.1104 | 2026-01-02 |
| CVE-2026-33057 | 25 | 9.8 | 0.0842 | 2026-03-20 |
| CVE-2025-1550 | 24 | 9.8 | 0.0797 | 2025-03-11 |
| CVE-2025-5126 | 24 | 8.8 | 0.1095 | 2025-05-24 |
| CVE-2025-1497 | 23 | 9.8 | 0.0557 | 2025-03-10 |
Sample CVE Deep-Dives
CVE-2024-12471 affects the Post Saint: ChatGPT, GPT4, DALL-E, Stable Diffusion, Pexels, Dezgo AI Text & Image Generator plugin for WordPress, specifically in all versions up to and including 1.3.1. The vulnerability stems from a missing capability check and file type validation in the add_image_to_library AJAX action function, enabling arbitrary file uploads. It has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Code Injection).
CVE-2025-1550 is a critical vulnerability (CVSS 9.8) in the Keras library's Model.load_model function, enabling arbitrary code execution even when safe_mode=True. The issue affects the loading of .keras archive files, where attackers can manually construct a malicious archive by altering the config.json file to specify arbitrary Python modules, functions, and arguments. These are loaded and executed during model deserialization, stemming from CWE-94 (code injection).
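A pre-load audit for the archive layout described above, added here as an example (it is not Keras code and not a substitute for patching). It assumes serialized objects in `config.json` carry `module` and `class_name` keys and that only the `keras` namespace is expected; the allowlist and the sample archive are constructed for illustration.

```python
import io
import json
import zipfile

# Assumption: models in this pipeline only use objects from the keras package.
ALLOWED_ROOTS = frozenset({"keras"})


def iter_module_refs(node, path="$"):
    """Yield (json_path, module, class_name) for every serialized object."""
    if isinstance(node, dict):
        if "class_name" in node and isinstance(node.get("module"), str):
            yield path, node["module"], node["class_name"]
        for key, value in node.items():
            yield from iter_module_refs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_module_refs(value, f"{path}[{index}]")


def audit_keras_archive(fileobj):
    """Return module references outside the allowlist, without loading the model."""
    with zipfile.ZipFile(fileobj) as archive:
        config = json.loads(archive.read("config.json"))
    return [
        (path, module, class_name)
        for path, module, class_name in iter_module_refs(config)
        if module.split(".")[0] not in ALLOWED_ROOTS
    ]


def constructed_archive():
    """Build an in-memory sample archive (constructed, inert placeholder names)."""
    config = {"module": "keras", "class_name": "Sequential", "config": {"layers": [
        {"module": "keras.layers", "class_name": "Dense", "config": {"units": 4}},
        {"module": "untrusted_pkg.helpers", "class_name": "callable_name", "config": {}},
    ]}}
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("config.json", json.dumps(config))
    buffer.seek(0)
    return buffer
```

Any finding means the file should be rejected or reviewed before it reaches a loader; an empty result is not proof that the archive is safe.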
CVE-2025-26319 is an arbitrary file upload vulnerability affecting FlowiseAI Flowise version 2.2.6, specifically in the /api/v1/attachments endpoint. This flaw, linked to CWE-434 (Unrestricted Upload of File with Dangerous Type), allows attackers to upload malicious files without proper validation, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2025-03-04.
Recommendations — Software Producers
Prioritise defence against the dominant weakness classes in AI-related software. Through 2026 these are OS command injection (CWE-78), command injection (CWE-77), server-side request forgery (CWE-918, newly prominent in 2026), path traversal (CWE-22), and cross-site scripting (CWE-79).
Avoid passing user-controlled or LLM-generated text directly to shell commands or HTTP fetchers. Use built-in libraries or APIs, parameterise subprocess invocations, and explicitly enumerate allowed hosts for any outbound HTTP. Add tool sandboxing, least-privilege token scoping, and signed tool manifests for any agentic component that delegates execution. Mandate human approval gates for sensitive actions and log every tool invocation.
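The first two controls above, sketched as an added example (not code from any product discussed on this page): an explicit host allowlist for outbound HTTP and a parameterised subprocess call. The host names, function names and the stand-in tool are assumptions.

```python
import ipaddress
import subprocess
import sys
from urllib.parse import urlsplit

# Assumed allowlist for this example; a deployment enumerates its own hosts.
ALLOWED_HOSTS = frozenset({"api.example.com", "docs.example.com"})


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return url unchanged if it targets an allowed host, else raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, continue to the name check
    else:
        raise ValueError("IP literal hosts are not allowed")
    if host not in allowed_hosts:
        raise ValueError(f"host not in allowlist: {host!r}")
    # Callers must also disable or re-validate redirects, otherwise an
    # allowed host can bounce the fetcher to a destination that is not.
    return url


def run_echo_tool(untrusted_text):
    """Run a stand-in tool with untrusted text as one argv element (no shell)."""
    if "\x00" in untrusted_text:
        raise ValueError("NUL byte in argument")
    # sys.executable -c ... stands in for a real tool binary (assumption).
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", untrusted_text]
    done = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=True)
    return done.stdout.rstrip("\n")


def is_allowed(url):
    """Boolean wrapper used for constructed sample URLs."""
    try:
        check_outbound_url(url)
        return True
    except ValueError:
        return False
```

Because the text travels as a single argument vector element, shell metacharacters in it reach the tool as literal bytes; the URL check compares the parsed host, so look-alike prefixes and userinfo tricks do not match the allowlist.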
Recommendations — Enterprises (Software Consumers)
Request penetration test results from AI-software vendors with explicit coverage of injection (CWE-77/78), SSRF (CWE-918), path traversal (CWE-22), XSS (CWE-79), and authorisation flaws (CWE-862, CWE-284). For self-hosted AI components, run independent fuzzing against tool interfaces and prompt-injection vectors.
Track the EPSS-driven Risk Priority of CVEs in your AI software stack (see the table above) and treat ransomware-linked KEVs as immediate-remediation items. For agentic AI specifically, evaluate platforms providing tool discovery, real-time monitoring, and policy-based execution control as a layer over generic application security.
Future Work
Two analyses depend on annotation coverage that's still maturing: MITRE ATLAS technique mapping (the AI-specific adversarial framework) and OWASP Top 10 for LLMs 2025 categorisation. Once enough 2026 CVEs are processed by our QA tools we'll add tabs covering both. Threat-actor attribution for AI vulnerabilities remains sparse in public reporting and will be incorporated as data improves.