Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-34753 | vLLM: SSRF in batch API exposes cloud metadata endpoints | vllm | 5.4 |
| MEDIUM | CVE-2026-34052 | ltiauthenticator: OAuth nonce leak causes server DoS | jupyterhub-ltiauthenticator | 5.9 |
| MEDIUM | CVE-2026-33709 | JupyterHub: open redirect enables post-login phishing | jupyterhub | - |
| HIGH | CVE-2026-33175 | oauthenticator: auth bypass enables JupyterHub account takeover | 8.8 | |
| MEDIUM | GHSA-mvv8-v4jj-g47j | Directus: cleartext storage exposes AI API keys | 6.5 | |
| CRITICAL | CVE-2026-35216 | Budibase: Unauthenticated RCE as root via webhook | 9.1 | |
| HIGH | CVE-2026-34940 | KubeAI: RCE via shell injection in Ollama startup probe | 8.8 | |
| MEDIUM | CVE-2026-35492 | kedro-datasets: path traversal enables arbitrary file write | kedro-datasets | 6.5 |
| HIGH | CVE-2026-35021 | Claude Code CLI: shell injection enables RCE | 7.8 | |
| CRITICAL | CVE-2026-35022 | Claude Code: OS command injection, credential theft | 9.8 | |
| CRITICAL | CVE-2026-35615 | PraisonAI: path traversal exposes full filesystem via agent tools | PraisonAI | - |
| HIGH | CVE-2026-39308 | PraisonAI: recipe registry path traversal file write | PraisonAI | 7.1 |
| HIGH | CVE-2026-39306 | PraisonAI: recipe path traversal allows arbitrary file write | PraisonAI | 7.3 |
| CRITICAL | CVE-2026-39305 | PraisonAI: path traversal enables arbitrary file write/RCE | PraisonAI | 9.0 |
| HIGH | CVE-2026-39307 | PraisonAI: Zip Slip enables arbitrary file write / RCE | PraisonAI | 8.1 |
| MEDIUM | CVE-2026-1839 | HuggingFace Transformers: RCE via malicious checkpoint load | transformers | 6.5 |
| MEDIUM | CVE-2026-33865 | MLflow: stored XSS via MLmodel YAML artifact upload | mlflow | - |
| MEDIUM | CVE-2026-33866 | MLflow: auth bypass exposes model artifacts across experiments | mlflow | 4.3 |
| HIGH | CVE-2026-35485 | text-generation-webui: unauthenticated path traversal file read | gradio | 7.5 |
| MEDIUM | GHSA-jj6q-rrrf-h66h | openclaw: timing side-channel leaks shared-secret length | openclaw | - |