All posts
- TensorFlow Security Vulnerabilities in 2026: CVEs, Keras Deserialization, and Supply Chain Risk
  A practitioner breakdown of the top TensorFlow security vulnerabilities of 2026 — CVE-2025-49655 (CVSS 9.8), CVE-2025-12058 (SSRF/file access), DoS flaws in 2.18.0, and CI/CD supply chain compromise.
- Best AI Supply Chain Security Tools in 2026
  A practitioner's guide to the best AI supply chain security tools: model artifact scanners, MLOps pipeline hardening, AIBOM generators, and what the NSA's
- LangChain Security Vulnerabilities 2026: CVEs, Attack Chains, and What to Patch
  Four verified CVEs in LangChain and LangGraph expose API secrets, filesystem files, and conversation history. CVSS scores, attack paths, and patch
- How to Triage an ML-Stack CVE: A Practical Workflow
  A repeatable workflow for taking an ML-library CVE from 'a scanner flagged it' to a defensible decision — without panic-patching everything or trusting
- Hugging Face Transformers & Hub: Supply-Chain Risks and Real Advisories
  The Hugging Face ecosystem is the npm of machine learning — and it carries the same supply-chain exposure. A tour of verified Transformers CVEs and what
- PyTorch Security: Notable CVEs and How to Harden Your Loading Path
  PyTorch's most consequential CVEs cluster around one thing — loading a model file that runs code. A walk through the verified entries, what each actually
- trust_remote_code and the ML Orchestration CVE Class
  A second family of ML supply-chain CVEs has nothing to do with model weights and everything to do with the glue: transformers' trust_remote_code
- Unsafe Model Deserialization: The Pickle Problem Behind ML CVEs
  Loading a model file can execute arbitrary code. This is the single most repeated vulnerability class in the ML supply chain — the real CVEs, why the
- ML CVE Database Vulnerabilities: What's Tracked and Missing
  How ML CVE database vulnerabilities are catalogued in NVD and MITRE, why the taxonomy breaks down for AI-specific flaws, and which real CVEs in
- Reading an ML Library CVE: What to Extract Beyond the CVSS Score
  ML library CVEs are usually scored against a generic threat model that doesn't match how the library is used in production AI systems.