All posts

• Best AI Supply Chain Security Tools in 2026

  A practitioner's guide to the best AI supply chain security tools: model artifact scanners, MLOps pipeline hardening, AIBOM generators, and what the NSA's March 2026 guidance says you must address.

  June 12, 2026

• LangChain Security Vulnerabilities 2026: CVEs, Attack Chains, and What to Patch

  Four verified CVEs in LangChain and LangGraph expose API secrets, filesystem files, and conversation history. CVSS scores, attack paths, and patch versions for 2026.

  June 12, 2026

• How to Triage an ML-Stack CVE: A Practical Workflow

  A repeatable workflow for taking an ML-library CVE from 'a scanner flagged it' to a defensible decision — without panic-patching everything or trusting the CVSS number to do your thinking.

  May 22, 2026

• Hugging Face Transformers & Hub: Supply-Chain Risks and Real Advisories

  The Hugging Face ecosystem is the npm of machine learning — and it carries the same supply-chain exposure. A tour of verified Transformers CVEs and what they reveal about trusting models, configs, and the tooling meant to protect you.

  May 22, 2026

• PyTorch Security: Notable CVEs and How to Harden Your Loading Path

  PyTorch's most consequential CVEs cluster around one thing — loading a model file that runs code. A walk through the verified entries, what each actually requires to exploit, and the hardening that holds.

  May 22, 2026

• trust_remote_code and the ML Orchestration CVE Class

  A second family of ML supply-chain CVEs has nothing to do with model weights and everything to do with the glue: transformers' trust_remote_code, langchain expression surfaces, and template injection in orchestration libraries.

  May 9, 2026

• Unsafe Model Deserialization: The Pickle Problem Behind ML CVEs

  Loading a model file can execute arbitrary code. This is the single most repeated vulnerability class in the ML supply chain — the real CVEs, why the fixes keep arriving late, and what actually mitigates it.

  May 8, 2026

• ML CVE Database Vulnerabilities: What's Tracked and Missing

  How ML CVE database vulnerabilities are catalogued in NVD and MITRE, why the taxonomy breaks down for AI-specific flaws, and which real CVEs in TensorFlow, PyTorch, and MLflow demand attention.

  May 7, 2026

• Reading an ML Library CVE: What to Extract Beyond the CVSS Score

  ML library CVEs are usually scored against a generic threat model that doesn't match how the library is used in production AI systems. Here's what to actually evaluate.

  May 6, 2026

• What this site is for

  ML CVEs catalogs AI/ML incidents and vulnerabilities — dated, sourced, verifiable.

  May 2, 2026