Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2024-36423 | Flowise: reflected XSS in chatflow API enables session hijack | flowise | 6.1 |
| MEDIUM | CVE-2024-37145 | Flowise: reflected XSS enables file read chain via chatflow | flowise | 6.1 |
| MEDIUM | CVE-2024-37146 | Flowise: reflected XSS enables credential theft | flowise | 6.1 |
| CRITICAL | CVE-2024-52803 | LlamaFactory: RCE via OS command injection in training | llamafactory | 9.8 |
| HIGH | CVE-2025-25185 | gpt_academic: symlink traversal exposes all server files | gpt_academic | 7.5 |
| HIGH | CVE-2025-30358 | Mesop: class pollution enables DoS and LLM jailbreak | 8.1 | |
| HIGH | CVE-2025-46567 | LLaMA-Factory: RCE via torch.load() unsafe deserialization | llamafactory | 7.8 |
| CRITICAL | CVE-2025-53002 | LLaMA-Factory: RCE via unsafe checkpoint deserialization | llamafactory | 9.8 |
| CRITICAL | CVE-2025-58434 | Flowise: auth bypass in reset flow allows full ATO | flowise | 9.8 |
| HIGH | CVE-2025-59527 | Flowise: unauthenticated SSRF exposes internal network | flowise | 7.5 |
| CRITICAL | CVE-2025-59528 | Flowise: Unauthenticated RCE via MCP config injection | flowise | 10.0 |
| HIGH | CVE-2025-61687 | Flowise: unrestricted file upload enables persistent RCE | flowise | 8.8 |
| HIGH | CVE-2025-61784 | LLaMA-Factory: SSRF+LFI in multimodal chat API | llamafactory | 8.1 |
| CRITICAL | CVE-2025-61913 | Flowise: path traversal in file tools leads to RCE | flowise | 9.9 |
| HIGH | CVE-2026-26286 | sillytavern: SSRF allows internal network access | 8.5 | |
| UNKNOWN | CVE-2024-4897 | lollms-webui: RCE via malicious GGUF model loading | - | |
| CRITICAL | CVE-2020-13092 | scikit-learn: RCE via malicious joblib model deserialization | scikit-learn | 9.8 |
| HIGH | CVE-2020-28975 | scikit-learn: DoS via crafted SVM model deserialization | scikit-learn | 7.5 |
| MEDIUM | CVE-2024-5206 | scikit-learn: TfidfVectorizer leaks training data tokens | scikit-learn | 4.7 |
| HIGH | CVE-2025-54412 | skops: OperatorFuncNode type confusion → RCE | skops | - |