Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2023-6020 | Ray: unauthenticated LFI exposes entire filesystem | ray | 9.3 |
| CRITICAL | CVE-2023-6019 | Ray: unauthenticated RCE via dashboard command injection | ray | 9.8 |
| MEDIUM | CVE-2024-52524 | Giskard: ReDoS in text perturbation causes DoS | giskard | - |
| CRITICAL | CVE-2023-32785 | LangChain: prompt injection → SQL RCE (CVSS 9.8) | langchain | 9.8 |
| MEDIUM | CVE-2024-2965 | langchain-community: DoS via recursive sitemap loop | langchain | 4.2 |
| MEDIUM | CVE-2024-6581 | Lollms: SVG upload XSS enables session hijack and RCE | lollms | 6.5 |
| MEDIUM | CVE-2024-6985 | lollms: path traversal allows arbitrary directory read | lollms | 4.4 |
| LOW | CVE-2024-6971 | lollms: path traversal in RAG database functions | lollms | 3.4 |
| MEDIUM | GHSA-26jh-r8g2-6fpr | Gradio: Dropdown validation bypass enables arbitrary input | gradio | 5.3 |
| MEDIUM | CVE-2024-7041 | open-webui: IDOR enables cross-user memory tampering | open-webui | 6.5 |
| MEDIUM | CVE-2024-7037 | open-webui: path traversal → arbitrary file write/RCE | open-webui | 6.5 |
| LOW | CVE-2024-7038 | open-webui: filesystem enumeration via admin error messages | open-webui | 2.7 |
| MEDIUM | CVE-2018-21030 | Jupyter Notebook: XSS via missing CSP on served files | notebook | 5.3 |
| HIGH | CVE-2021-39160 | nbgitpuller: RCE via OS command injection in git URLs | 8.8 | |
| HIGH | CVE-2021-41134 | nbdime: stored XSS in Jupyter notebook diff viewer | 8.7 | |
| MEDIUM | CVE-2022-36551 | Label Studio: SSRF + file read, self-reg bypass | label-studio | 6.5 |
| HIGH | CVE-2018-8768 | Jupyter Notebook: XSS via malicious .ipynb file | notebook | 7.8 |
| HIGH | CVE-2025-15381 | MLflow: broken access control exposes experiment traces | mlflow | 8.1 |
| MEDIUM | CVE-2026-4963 | smolagents: code injection via incomplete sandbox fix | smolagents | 6.3 |
| HIGH | CVE-2026-27893 | vLLM: trust_remote_code bypass enables RCE | vllm | 8.8 |