About “NumPy”

A curated feed of “NumPy”-related CVEs appears below. We currently track 19 CVEs for this tag (all time). In the last 365 days, 3 were published. Average CVSS is 6.4 (all time; 7.9 over 365d), and 42% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-20 - Improper Input Validation, CWE-94 - Improper Control of Generation of Code ('Code Injection'), CWE-122 - Heap-based Buffer Overflow.

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: numpy

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle   Release   Latest    EOL        LTS
2.4               2.4.6
2.3               2.3.5
2.2               2.2.6
2.1               2.1.3     Soon
2.0               2.0.2     Soon
1.26              1.26.4    Expired
1.25              1.25.2    Expired
1.24              1.24.4    Expired
1.23              1.23.5    Expired
1.22              1.22.4    Expired
1.21              1.21.6    Expired
1.20              1.20.3    Expired
1.19              1.19.5    Expired
1.18              1.18.5    Expired
1.17              1.17.5    Expired
1.16              1.16.6    Expired
1.15              1.15.4    Expired
1.14              1.14.6    Expired

Legend: Maintained · Soon (≤ 180 days) · Expired

CVEs tagged with this topic.

2026-04-02
Medium

CVE-2026-34760

vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, Librosa defaults to using numpy.mean for mono downmixing (to_mono), while the in…

2026-02-26
High

CVE-2026-27952

Agenta is an open-source LLMOps platform. In Agenta-API prior to version 0.48.1, a Python sandbox escape vulnerability existed in Agenta's custom code evaluator. Agenta used RestrictedPython as a san…

2025-11-21
Critical

CVE-2025-62608

MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a heap buffer overflow in mlx::core::load() when parsing malicious NumPy .npy files. Attacker-contro…

2025-04-03
Low

CVE-2025-3145

A vulnerability, which was classified as problematic, has been found in MindSpore 2.5.0. Affected by this issue is the function mindspore.numpy.fft.rfft2. The manipulation leads to memory corruption.…

Low

CVE-2025-3144

A vulnerability classified as problematic was found in MindSpore 2.5.0. Affected by this vulnerability is the function mindspore.numpy.fft.hfftn. The manipulation leads to memory corruption. It is po…

2025-03-20
High

CVE-2024-11039

A pickle deserialization vulnerability exists in the Latex English error correction plug-in function of binary-husky/gpt_academic versions up to and including 3.83. This vulnerability allows attacker…

2024-05-17
High

CVE-2024-34997

joblib v1.4.2 was discovered to contain a deserialization vulnerability via the component joblib.numpy_pickle::NumpyArrayWrapper().read_array(). NOTE: this is disputed by the supplier because NumpyAr…

2024-05-03
High

CVE-2024-34072

sagemaker-python-sdk is a library for training and deploying machine learning models on Amazon SageMaker. The sagemaker.base_deserializers.NumpyDeserializer module before v2.218.0 allows potentially…

2022-11-18
Medium

CVE-2022-41890

TensorFlow is an open source platform for machine learning. If `BCast::ToShape` is given input larger than an `int32`, it will crash, despite being supposed to handle up to an `int64`. An example can…

Medium

CVE-2022-41884

TensorFlow is an open source platform for machine learning. If a numpy array is created with a shape such that one element is zero and the others sum to a large number, an error will be raised. We ha…

2022-05-21
High

CVE-2022-29216

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, TensorFlow's `saved_model_cli` tool is vulnerable to a code injection. This can be used t…

2021-12-17
Medium

CVE-2021-41496

Buffer overflow in the array_from_pyobj function of fortranobject.c in NumPy < 1.19, which allows attackers to conduct Denial of Service attacks by carefully constructing an array with negative val…

Medium

CVE-2021-41495

Null Pointer Dereference vulnerability exists in numpy.sort in NumPy < and 1.19 in the PyArray_DescrNew function due to missing return-value validation, which allows attackers to conduct DoS attack…

Medium

CVE-2021-34141

An incomplete string comparison in the numpy.core component in NumPy before 1.22.0 allows attackers to trigger slightly incorrect copying by constructing specific string objects. NOTE: the vendor sta…

Medium

CVE-2021-33430

A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a mali…

2019-01-16
Critical

CVE-2019-6446

An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by…

2018-01-08
Medium

CVE-2014-1859

(1) core/tests/test_memmap.py, (2) core/tests/test_multiarray.py, (3) f2py/f2py2e.py, and (4) lib/tests/test_io.py in NumPy before 1.8.1 allow local users to write to arbitrary files via a symlink at…

Medium

CVE-2014-1858

__init__.py in f2py in NumPy before 1.8.1 allows local users to write to arbitrary files via a symlink attack on a temporary file.

2017-08-15
High

CVE-2017-12852

The numpy.pad function in Numpy 1.13.1 and older versions is missing input validation. An empty list or ndarray will stick into an infinite loop, which can allow attackers to cause a DoS attack.
