Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2025-58756 | MONAI: unsafe deserialization in CheckpointLoader allows RCE | monai | 8.8 |
| HIGH | CVE-2025-58755 | MONAI: path traversal allows arbitrary file write | monai | 8.8 |
| LOW | CVE-2025-59842 | JupyterLab: missing noopener enables reverse tabnabbing | jupyterlab | - |
| HIGH | CVE-2025-10156 | Picklescan: CRC bypass hides malicious pickle in ZIP | picklescan | 7.5 |
| HIGH | CVE-2025-10157 | PickleScan: subclass bypass enables malicious model RCE | picklescan | 8.3 |
| MEDIUM | CVE-2025-58446 | xgrammar: DoS via oversized JSON schema grammar parsing | xgrammar | - |
| MEDIUM | GHSA-q77w-mwjj-7mqx | picklescan: scanner bypass enables model RCE | picklescan | - |
| MEDIUM | GHSA-49gj-c84q-6qm9 | picklescan: scanner bypass enables RCE via ML model files | picklescan | - |
| MEDIUM | GHSA-9w88-8rmg-7g2p | picklescan: scan bypass allows silent RCE via ML models | picklescan | - |
| MEDIUM | GHSA-fqq6-7vqf-w3fg | picklescan: detection bypass allows undetected RCE in ML models | picklescan | - |
| MEDIUM | GHSA-3gf5-cxq9-w223 | picklescan: scanner bypass enables pickle RCE in ML models | picklescan | - |
| MEDIUM | GHSA-j343-8v2j-ff7w | picklescan: scanner bypass allows pickle-based RCE | picklescan | - |
| MEDIUM | GHSA-m869-42cg-3xwr | picklescan: scanner bypass enables RCE via ML models | picklescan | - |
| MEDIUM | GHSA-p9w7-82w4-7q8m | picklescan: detection bypass allows pickle RCE in ML pipelines | picklescan | - |
| MEDIUM | GHSA-xp4f-hrf8-rxw7 | picklescan: scanner bypass leads to undetected RCE | picklescan | - |
| MEDIUM | GHSA-4whj-rm5r-c2v8 | picklescan: scanner bypass enables PyTorch gadget RCE | picklescan | - |
| MEDIUM | GHSA-9xph-j2h6-g47v | picklescan: scanner bypass enables RCE via model files | picklescan | - |
| MEDIUM | GHSA-8r4j-24qv-fmq9 | picklescan: RCE bypass enables ML supply chain attack | picklescan | - |
| MEDIUM | GHSA-cj3c-v495-4xqh | picklescan: security bypass enables RCE in ML pipelines | picklescan | - |
| MEDIUM | GHSA-7cq8-mj8x-j263 | picklescan: detection bypass allows malicious pickle RCE | picklescan | - |