Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-q2gc-xjqw-qp89 | OpenClaw: eval approval bypass enables unintended code exec | openclaw | - |
| MEDIUM | CVE-2026-40087 | LangChain: template injection leaks object attributes | langchain-core | 5.3 |
| HIGH | CVE-2026-40113 | PraisonAI: arg injection injects env vars into Cloud Run | praisonai | 8.4 |
| CRITICAL | CVE-2026-40111 | PraisonAI: RCE via shell injection in memory hooks executor | praisonaiagents | - |
| MEDIUM | CVE-2026-40112 | PraisonAI: XSS via no-op HTML sanitizer in agent output | praisonai | 5.4 |
| HIGH | CVE-2026-40217 | LiteLLM: RCE via bytecode rewriting in guardrails API | litellm | 8.8 |
| CRITICAL | GHSA-vc46-vw85-3wvm | PraisonAI: RCE via malicious workflow YAML execution | PraisonAI | 9.8 |
| MEDIUM | GHSA-x783-xp3g-mqhp | PraisonAI: SQL injection via table_prefix exposes DB | PraisonAI | - |
| MEDIUM | GHSA-ffp3-3562-8cv3 | PraisonAI: tool approval bypass leaks env credentials | praisonaiagents | 5.5 |
| HIGH | GHSA-x462-jjpc-q4q4 | praisonaiagents: CORS bypass enables silent agent RCE | praisonaiagents | 8.1 |
| MEDIUM | CVE-2026-40159 | PraisonAI: MCP env inheritance exposes API keys | PraisonAI | 5.5 |
| CRITICAL | CVE-2026-40157 | PraisonAI: path traversal allows arbitrary file write via recipe unpack | PraisonAI | - |
| HIGH | CVE-2026-40156 | PraisonAI: auto tools.py load enables local RCE | praisonai | 7.8 |
| MEDIUM | CVE-2026-40148 | PraisonAI: decompression bomb causes disk exhaustion | PraisonAI | 6.5 |
| CRITICAL | CVE-2026-40154 | PraisonAI: supply chain RCE via unverified template exec | PraisonAI | 9.3 |
| HIGH | GHSA-qwgj-rrpj-75xm | PraisonAI: hardcoded approval bypass enables RCE | PraisonAI | 8.8 |
| HIGH | CVE-2026-40158 | PraisonAI: AST sandbox bypass enables host RCE | PraisonAI | 8.6 |
| HIGH | CVE-2026-40149 | PraisonAI: auth bypass disables agent safety controls | PraisonAI | 7.9 |
| MEDIUM | CVE-2026-40115 | PraisonAI: unbounded body read enables local DoS | PraisonAI | 6.2 |
| CRITICAL | CVE-2026-1115 | lollms: Stored XSS enables wormable account takeover | lollms | 9.6 |