Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-27482 | ray: Missing Auth allows unauthenticated access | ray | 5.9 |
| CRITICAL | CVE-2026-26030 | semantic-kernel: Code Injection enables RCE | semantic-kernel | 10.0 |
| HIGH | GHSA-97f8-7cmv-76j2 | picklescan: Allowlist Bypass evades input filtering | picklescan | - |
| HIGH | CVE-2026-0897 | keras: Resource Exhaustion enables DoS | keras | 7.6 |
| HIGH | CVE-2025-53000 | nbconvert: security flaw enables exploitation | - | |
| HIGH | CVE-2026-1777 | sagemaker: security flaw enables exploitation | sagemaker | 7.2 |
| MEDIUM | CVE-2026-1778 | sagemaker: security flaw enables exploitation | sagemaker | 5.9 |
| MEDIUM | CVE-2025-6208 | llama-index-core: DoS causes service disruption | llama-index-core | 5.3 |
| HIGH | CVE-2026-1117 | lollms: Access Control bypass enables privilege escalation | lollms | 8.2 |
| MEDIUM | GHSA-m7j5-r2p5-c39r | picklescan: Deserialization enables RCE | picklescan | - |
| HIGH | GHSA-9m3x-qqw2-h32h | picklescan: Deserialization enables RCE | picklescan | - |
| CRITICAL | CVE-2026-25481 | langroid: Code Injection enables RCE | langroid | - |
| LOW | CVE-2026-25211 | llama-stack: security flaw enables exploitation | llama-stack | 3.2 |
| CRITICAL | CVE-2026-25130 | cai-framework: Command Injection enables RCE | 9.7 | |
| MEDIUM | CVE-2026-21851 | monai: Path Traversal enables file access | monai | 5.3 |
| MEDIUM | GHSA-gpx9-96j6-pp87 | agentos-taskweaver: Protection Bypass circumvents security controls | agentos-taskweaver | 6.5 |
| HIGH | CVE-2026-22219 | chainlit: SSRF allows internal network access | chainlit | 7.7 |
| MEDIUM | CVE-2025-68492 | chainlit: IDOR enables unauthorized data access | chainlit | 4.2 |
| HIGH | CVE-2026-22033 | label-studio: XSS enables session hijacking | label-studio | - |
| HIGH | CVE-2026-22612 | fickling: Deserialization enables RCE | fickling | - |