Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2026-33873 | Langflow: server-side RCE via LLM-generated code exec | langflow | - |
| UNKNOWN | CVE-2026-34046 | Langflow: IDOR exposes flows and plaintext API keys | langflow | - |
| MEDIUM | CVE-2026-33682 | Streamlit: SSRF leaks NTLMv2 creds via UNC path | Streamlit | 4.7 |
| HIGH | CVE-2026-33744 | BentoML: command injection in bentofile.yaml containerize | bentoml | 7.8 |
| MEDIUM | CVE-2026-27496 | n8n: uninitialized buffer leaks secrets via Task Runner | n8n | 6.5 |
| CRITICAL | CVE-2026-33660 | TensorFlow: type confusion NPD in tensor conversion | n8n | 10.0 |
| CRITICAL | CVE-2026-33663 | n8n: member role steals plaintext HTTP credentials | n8n | 10.0 |
| HIGH | CVE-2026-33665 | n8n: LDAP email match enables permanent account takeover | n8n | 8.2 |
| HIGH | CVE-2026-33696 | n8n: Prototype pollution enables RCE via workflow nodes | n8n | 8.8 |
| HIGH | CVE-2026-33713 | n8n: SQLi in Data Table node, full DB compromise | n8n | 8.8 |
| MEDIUM | CVE-2026-33720 | n8n: OAuth state forgery hijacks user credentials | n8n | 4.2 |
| MEDIUM | CVE-2026-33722 | n8n: secrets vault bypass exposes credentials to low-priv users | n8n | 5.3 |
| HIGH | CVE-2026-33724 | n8n: SSH MitM enables malicious workflow injection | n8n | 7.4 |
| CRITICAL | CVE-2026-33749 | n8n: stored XSS enables credential theft via workflow | n8n | 9.0 |
| MEDIUM | CVE-2026-33751 | n8n: LDAP injection enables auth bypass in workflows | n8n | 4.8 |
| HIGH | CVE-2026-34070 | langchain-core: path traversal exposes host secrets via prompt config | langchain-core | 7.5 |
| LOW | CVE-2026-29071 | Open WebUI: IDOR exposes AI memories and private files | open-webui | 3.1 |
| MEDIUM | CVE-2026-29070 | open-webui: missing authz allows cross-KB file deletion | open-webui | 5.4 |
| HIGH | CVE-2026-28788 | Open WebUI: BOLA enables RAG poisoning via file overwrite | open-webui | 7.1 |
| MEDIUM | CVE-2026-28786 | Open WebUI: path traversal leaks server filesystem path | open-webui | 4.3 |