6 AI-related CVEs are on CISA's Known Exploited Vulnerabilities list. 0 have a confirmed ransomware campaign association. 1 added to KEV in 2025 · 4 added in 2026 · 1 added earlier.
Vulnerabilities in AI Software
Daily-updated analysis of CVEs affecting AI and machine-learning software — frameworks, libraries, LLM platforms, agent protocols, enterprise assistants, and supporting infrastructure. Compares vulnerabilities in AI software against all other software, with breakdowns by severity, vector, weakness, exploitability and priority.
Last updated: 28 May 2026 22:22 UTC
Charts (not reproduced here): Quarterly Volume; CVSS Distribution by Year; AI Subcategory Share; CVSS Vector Profile; Top CWEs: 2025 vs 2026 Rank Shift; MITRE ATT&CK Enterprise Techniques; EPSS Cumulative Distribution; CISA KEV: AI-listed Vulnerabilities.
Top 25 AI CVEs by Risk Priority
| CVE | Risk Priority | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-3248 (KEV) | 95 | 9.8 | 0.9256 | 2025-04-07 |
| CVE-2025-26319 | 73 | 9.8 | 0.8870 | 2025-03-04 |
| CVE-2025-59528 | 72 | 10.0 | 0.8678 | 2025-09-22 |
| CVE-2025-8943 | 72 | 9.8 | 0.8815 | 2025-08-14 |
| CVE-2026-42208 (KEV) | 72 | 9.8 | 0.5426 | 2026-05-08 |
| CVE-2025-11749 | 71 | 9.8 | 0.8539 | 2025-11-05 |
| CVE-2025-27520 | 65 | 9.8 | 0.7576 | 2025-04-04 |
| CVE-2025-2294 | 61 | 9.8 | 0.6966 | 2025-03-28 |
| CVE-2025-32375 | 59 | 9.8 | 0.6524 | 2025-04-09 |
| CVE-2024-12471 | 55 | 8.8 | 0.6266 | 2025-01-07 |
| CVE-2026-33017 (KEV, UPD) | 54 | 9.8 | 0.2398 | 2026-03-20 |
| CVE-2024-6842 | 42 | 0.0 | 0.7023 | 2025-03-20 |
| CVE-2026-27966 | 42 | 9.8 | 0.3778 | 2026-02-26 |
| CVE-2025-58434 | 39 | 9.8 | 0.3236 | 2025-09-12 |
| CVE-2026-34156 | 39 | 9.9 | 0.3141 | 2026-03-31 |
| CVE-2026-23744 | 38 | 9.8 | 0.3037 | 2026-01-16 |
| CVE-2024-13059 | 36 | 0.0 | 0.6022 | 2025-02-10 |
| CVE-2026-30824 | 33 | 9.8 | 0.2159 | 2026-03-07 |
| CVE-2026-27483 | 32 | 8.8 | 0.2329 | 2026-02-24 |
| CVE-2026-35029 | 32 | 8.8 | 0.2426 | 2026-04-06 |
| CVE-2023-7337 | 31 | 7.5 | 0.2643 | 2026-03-04 |
| CVE-2025-1716 | 29 | 9.8 | 0.1625 | 2025-02-26 |
| CVE-2026-33032 | 28 | 9.8 | 0.1325 | 2026-03-30 |
| CVE-2025-6514 | 27 | 9.6 | 0.1217 | 2025-07-09 |
| CVE-2026-33057 | 27 | 9.8 | 0.1290 | 2026-03-20 |
Sample CVE Deep-Dives
CVE-2025-59528 is a critical remote code execution vulnerability affecting Flowise version 3.0.5. Flowise is an open-source drag-and-drop user interface for building customized large language model (LLM) flows. The issue resides in the CustomMCP node, which lets users supply configuration settings for connecting to an external MCP server via the mcpServerConfig string. During parsing in the convertToValidJSONString function, this user input is passed directly to the JavaScript Function() constructor without any security validation, so the input is executed as code. The flaw has a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), is mapped to CWE-94 (Improper Control of Generation of Code), and enables arbitrary JavaScript execution within the Node.js runtime.
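The weakness class described above, shown next to a data-only alternative. This is an added example, not Flowise source code or its fix: the function names, the url/headers schema and the sample inputs are assumptions constructed for illustration.

```javascript
// Constructed illustration of the pattern described above; not Flowise source code.
function unsafeParseConfig(input) {
  // Function() compiles the string as JavaScript, so any expression in it executes.
  return Function("return (" + input + ")")();
}

// Hypothetical schema (assumption): a remote MCP server given by URL and headers.
const ALLOWED_KEYS = new Set(["url", "headers"]);

function safeParseConfig(input) {
  let cfg;
  try {
    cfg = JSON.parse(input); // data-only grammar: no calls, no identifiers
  } catch (e) {
    return { ok: false, error: "not valid JSON" };
  }
  if (cfg === null || typeof cfg !== "object" || Array.isArray(cfg)) {
    return { ok: false, error: "config must be a JSON object" };
  }
  for (const key of Object.keys(cfg)) {
    if (!ALLOWED_KEYS.has(key)) return { ok: false, error: "unexpected key: " + key };
  }
  if (typeof cfg.url !== "string") return { ok: false, error: "url is required" };
  let u;
  try { u = new URL(cfg.url); } catch (e) { return { ok: false, error: "url is malformed" }; }
  if (u.protocol !== "https:") return { ok: false, error: "url must be https" };
  const headers = cfg.headers === undefined ? {} : cfg.headers;
  if (headers === null || typeof headers !== "object" || Array.isArray(headers) ||
      !Object.values(headers).every((v) => typeof v === "string")) {
    return { ok: false, error: "headers must map names to strings" };
  }
  return { ok: true, value: { url: u.href, headers } };
}

// Runs both parsers on one input and reports whether embedded code executed.
function compare(input) {
  globalThis.sideEffectRan = false;
  const safeAccepted = safeParseConfig(input).ok;
  const ranUnderSafe = globalThis.sideEffectRan;
  try { unsafeParseConfig(input); } catch (e) { /* input was not an expression */ }
  return { safeAccepted, ranUnderSafe, ranUnderUnsafe: globalThis.sideEffectRan };
}

// Constructed inputs: a benign expression with a visible side effect, and plain JSON.
const codeInput = '(globalThis.sideEffectRan = true, { url: "https://mcp.example.com/" })';
const jsonInput = '{"url":"https://mcp.example.com/","headers":{"X-Client":"demo"}}';
console.log(compare(codeInput), compare(jsonInput));
```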
CVE-2025-1550 is a critical vulnerability (CVSS 9.8) in the Keras library's Model.load_model function, enabling arbitrary code execution even when safe_mode=True. The issue affects the loading of .keras archive files: an attacker can manually construct a malicious archive by altering its config.json file to specify arbitrary Python modules, functions, and arguments, which are then loaded and executed during model deserialization. The flaw is classified as CWE-94 (code injection).
CVE-2025-26319 is an arbitrary file upload vulnerability affecting FlowiseAI Flowise version 2.2.6, specifically in the /api/v1/attachments endpoint. This flaw, linked to CWE-434 (Unrestricted Upload of File with Dangerous Type), allows attackers to upload malicious files without proper validation, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2025-03-04.
Recommendations — Software Producers
Prioritise defence against the dominant weakness classes in AI-related software. Through 2026 these are OS command injection (CWE-78), command injection (CWE-77), server-side request forgery (CWE-918, newly prominent in 2026), path traversal (CWE-22), and cross-site scripting (CWE-79).
Avoid passing user-controlled or LLM-generated text directly to shell commands or HTTP fetchers. Use built-in libraries or APIs, parameterise subprocess invocations, and explicitly enumerate allowed hosts for any outbound HTTP. Add tool sandboxing, least-privilege token scoping, and signed tool manifests for any agentic component that delegates execution. Mandate human approval gates for sensitive actions and log every tool invocation.
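One way to combine the host allowlist, parameterised subprocess arguments, approval gate and invocation log recommended above into a single policy check. This is an added example, not code from this page or any product: the policy values, tool names and sample calls are hypothetical.

```javascript
// Hypothetical policy values (assumptions); substitute your deployment's own.
const ALLOWED_HOSTS = new Set(["api.example.com", "docs.example.com"]);
const ALLOWED_BINARIES = new Map([["git", ["status", "log", "diff"]]]);
const NEEDS_APPROVAL = new Set(["send_email", "delete_record"]);
const auditLog = [];

// Returns a denial reason, or null when the URL satisfies the host allowlist.
function checkUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return "unparseable url"; }
  if (u.protocol !== "https:") return "scheme not https";
  if (u.username || u.password) return "userinfo not allowed";
  if (!ALLOWED_HOSTS.has(u.hostname)) return "host not allowlisted";
  return null; // the HTTP client must also re-check any redirect target
}

// Returns a denial reason, or null when file + argv match the allowlist.
// An allowed call is meant for child_process.execFile(file, args): argv array, no shell.
function checkCommand(file, args) {
  const subcommands = ALLOWED_BINARIES.get(file);
  if (!subcommands) return "binary not allowlisted";
  if (!Array.isArray(args) || !args.every((a) => typeof a === "string")) return "args must be strings";
  if (!subcommands.includes(args[0])) return "subcommand not allowlisted";
  if (args.slice(1).some((a) => a.startsWith("-"))) return "options not permitted";
  return null;
}

// Decides allow / deny / needs_approval and records every request.
function authorizeToolCall(call) {
  let reason;
  if (call.kind === "http") reason = checkUrl(call.url);
  else if (call.kind === "exec") reason = checkCommand(call.file, call.args);
  else reason = "unknown tool kind";
  const decision = reason ? "deny" : NEEDS_APPROVAL.has(call.tool) ? "needs_approval" : "allow";
  auditLog.push({ time: new Date().toISOString(), tool: call.tool, decision, reason });
  return decision;
}

// Constructed sample calls, as an agent runtime might submit them.
const SAMPLE_CALLS = [
  { tool: "fetch_docs", kind: "http", url: "https://docs.example.com/guide" },
  { tool: "fetch_docs", kind: "http", url: "https://api.example.com@other.example.net/" },
  { tool: "repo_status", kind: "exec", file: "git", args: ["status"] },
  { tool: "repo_status", kind: "exec", file: "sh", args: ["-c", "git status"] },
  { tool: "send_email", kind: "http", url: "https://api.example.com/mail" },
];
const decisions = SAMPLE_CALLS.map(authorizeToolCall);
```

Denied and approval-pending calls are logged as well as allowed ones, so the audit trail shows what the model attempted and not only what ran.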
Recommendations — Enterprises (Software Consumers)
Request penetration test results from AI-software vendors with explicit coverage of injection (CWE-77/CWE-78), SSRF (CWE-918), path traversal (CWE-22), XSS (CWE-79), and authorisation flaws (CWE-862, CWE-284). For self-hosted AI components, run independent fuzzing against tool interfaces and prompt-injection vectors.
Track the EPSS-driven Risk Priority of CVEs in your AI software stack (see the table above) and treat ransomware-linked KEVs as requiring immediate remediation. For agentic AI specifically, evaluate platforms providing tool discovery, real-time monitoring, and policy-based execution control as a layer over generic application security.
Future Work
Two analyses depend on annotation coverage that's still maturing: MITRE ATLAS technique mapping (the AI-specific adversarial framework) and OWASP Top 10 for LLMs 2025 categorisation. Once enough 2026 CVEs are processed by our QA tools we'll add tabs covering both. Threat-actor attribution for AI vulnerabilities remains sparse in public reporting and will be incorporated as data improves.