AI Component: Framework
AI/ML frameworks (LangChain, PyTorch, TensorFlow, etc.) are the foundational libraries for building AI applications. Vulnerabilities here have a wide blast radius because these libraries are so widely adopted.
Total CVEs: 1244. Pages: 63. Page 62 of 63.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-1462 | Keras: safe_mode bypass allows RCE via model deserialization | keras | 8.8 |
| HIGH | CVE-2026-30617 | LangChain-ChatChat: RCE via unauthenticated MCP interface | - | 8.6 |
| LOW | GHSA-r7w7-9xr2-qq2r | langchain-openai: SSRF DNS rebinding, blind network probe | langchain-openai | 3.1 |
| MEDIUM | GHSA-fv5p-p927-qmxr | langchain-text-splitters: SSRF bypass exposes cloud metadata | langchain-text-splitters | 6.5 |
| HIGH | GHSA-w8hx-hqjv-vjcq | Paperclip: RCE via workspace runtime command injection | @paperclipai/server | 7.3 |
| HIGH | GHSA-f6hc-c5jr-878p | Flowise: auth bypass enables account takeover via null token | flowise | - |
| HIGH | GHSA-28g4-38q8-3cwc | Flowise: Cypher injection allows full Neo4j DB wipe | flowise-components | - |
| HIGH | GHSA-x5w6-38gp-mrqh | Flowise: HTTP reset link exposes tokens to MITM takeover | flowise | - |
| HIGH | GHSA-6f7g-v4pp-r667 | Flowise: OAuth token theft via unauthenticated endpoint | flowise | - |
| HIGH | GHSA-6r77-hqx7-7vw8 | FlowiseAI: SSRF via prompt injection in API Chain | flowise-components | 7.1 |
| HIGH | GHSA-2x8m-83vc-6wv4 | Flowise: SSRF bypass exposes internal services | flowise-components | 7.1 |
| HIGH | GHSA-xhmj-rg95-44hv | Flowise: SSRF bypass exposes cloud IAM credentials | flowise-components | 7.1 |
| HIGH | GHSA-rh7v-6w34-w2rr | Flowise: MIME bypass enables persistent Node.js web shell RCE | flowise | 7.1 |
| HIGH | GHSA-cvrr-qhgw-2mm6 | Flowise: unauthenticated RCE via FILE-STORAGE bypass | flowise-components | 7.7 |
| HIGH | GHSA-4jpm-cgx2-8h37 | Flowise: unauth API exposes plaintext API keys and tokens | flowise | - |
| HIGH | GHSA-48m6-ch88-55mj | Flowise: Mass Assignment allows cross-tenant org takeover | flowise | 8.1 |
| CRITICAL | GHSA-9wc7-mj3f-74xv | Flowise CSVAgent: RCE via Python code injection | flowise-components | - |
| HIGH | GHSA-f228-chmx-v6j6 | Flowise: prompt injection RCE via AirtableAgent | flowise-components | 8.3 |
| MEDIUM | GHSA-9hrv-gvrv-6gf2 | Flowise: SSRF bypass enables cloud metadata access | flowise-components | - |
| MEDIUM | GHSA-qqvm-66q4-vf5c | Flowise: SSRF bypass enables cloud credential theft | flowise-components | - |