AI & ML software vulnerabilities
Known CVEs, active exploitation and end-of-life across the AI/ML software stack · 19 tools · 55 tracked CVEs · updated June 2026
The tools behind AI — model servers, training frameworks, orchestration, vector databases and LLM gateways — are software with dependencies, and they get CVEs like anything else (including critical RCE and unsafe-deserialization flaws). This is the independently-verified picture: vulnerabilities, exploitation and support status across the AI/ML stack, from the same sources as the rest of IsItPatched (NVD · CISA KEV · EPSS · endoflife.date).
| Product | Vendor | Type | Score | Critical | High | CVEs | Exploited |
|---|---|---|---|---|---|---|---|
| LiteLLM | LiteLLM | AI / LLM Gateway | 0 | 4 | 15 | 22 | ⚡ 3 |
| Claude Code | Anthropic | AI / Coding assistant | 14 | 11 | 9 | 23 | – |
| JupyterLab | Project Jupyter | AI / ML | 32 | 2 | 4 | 8 | – |
| Milvus | Zilliz | AI / ML | 82 | 1 | – | 2 | – |
| OpenClaw | OpenClaw | AI / LLM Gateway | — | – | – | – | – |
| Microsoft 365 Copilot | Microsoft | AI / LLM Gateway | — | – | – | – | – |
| vLLM | vLLM | AI / ML | — | – | – | – | – |
| Ollama | Ollama | AI / ML | — | – | – | – | – |
| NVIDIA Triton Inference Server | NVIDIA | AI / ML | — | – | – | – | – |
| LangChain | LangChain | AI / ML | — | – | – | – | – |
| LlamaIndex | LlamaIndex | AI / ML | — | – | – | – | – |
| TensorFlow | Google | AI / ML | — | – | – | – | – |
| Keras | Keras | AI / ML | — | – | – | – | – |
| Hugging Face Transformers | Hugging Face | AI / ML | — | – | – | – | – |
| Ray | Anyscale | AI / ML | — | – | – | – | – |
| MLflow | MLflow | AI / ML | — | – | – | – | – |
| Gradio | Gradio | AI / ML | — | – | – | – | – |
| Streamlit | Snowflake | AI / ML | — | – | – | – | – |
| Kubeflow | Kubeflow | AI / ML | — | – | – | – | – |
Open any product for its full CVE history, the safe version to upgrade to, and a per-version verdict. Scores are scoped to the latest supported release.
Software vulnerabilities vs agentic risk — secure both
This page is the software-composition layer: known vulnerabilities in the AI/ML tools you run. The other half of AI security is agentic runtime risk — how autonomous agents behave (goal hijack, tool misuse, the Lethal Trifecta). They’re complementary:
- Agentic AI security — score your agents against the OWASP Agentic Top 10 with AIVSS.
- AI/ML supply-chain security — provenance, unsafe deserialization and ML-library CVEs.
- Scan your ML stack — upload an SBOM or dependency manifest for a per-component verdict.
- Monitor these tools — get an email alert when a new vulnerability or exploit lands.
Frequently asked questions
Does AI/ML software have security vulnerabilities like other software?
Yes. AI and ML tools — model-serving runtimes, training frameworks, orchestration layers, vector databases and LLM gateways — are software with dependencies, and they accrue CVEs like anything else. Some have had critical remote-code-execution and unsafe-deserialization flaws. This page tracks the known, published vulnerabilities across the AI/ML stack.
Which AI/ML tools does IsItPatched track?
As of June 2026 we track 19 AI/ML products — including model servers (vLLM, Triton, Ollama), frameworks (TensorFlow, Keras, Transformers), orchestration (LangChain, LlamaIndex, Ray, MLflow, Kubeflow), apps (Gradio, Streamlit, JupyterLab) and vector/data layers (Milvus) — with 55 tracked CVEs between them.
How is this different from agentic AI security?
This page covers the software-composition layer: known CVEs, active exploitation and end-of-life in the AI/ML tools you run. Agentic AI security covers the runtime behaviour of autonomous agents (goal hijack, tool misuse, the Lethal Trifecta) — scored with AIVSS on our agentic edition. They are complementary: secure the software, and secure the agent behaviour.
How do I check my own AI/ML stack?
Scan your dependency manifest or SBOM with the IsItPatched SBOM scanner for a per-component verdict, monitor specific tools in My Stack for alerts, or open any product in the table for its full vulnerability history and the safe version to upgrade to.
Independently sourced from public vulnerability data (NVD, CISA KEV, EPSS, endoflife.date). This is the known software-vulnerability picture for these tools — not an assessment of model safety, bias or data governance. See our disclaimer and methodology.