Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-qqvm-66q4-vf5c | Flowise: SSRF bypass enables cloud credential theft | flowise-components | - |
| MEDIUM | GHSA-w6v6-49gh-mc9w | Flowise: path traversal allows arbitrary file write via vector store | flowise-components | - |
| MEDIUM | GHSA-2qqc-p94c-hxwh | Flowise: hardcoded session secret enables auth bypass | flowise | 5.6 |
| MEDIUM | GHSA-cc4f-hjpj-g9p8 | Flowise: hardcoded JWT defaults enable full auth bypass | flowise | 5.6 |
| CRITICAL | CVE-2026-40933 | Flowise: RCE via MCP stdio command injection | flowise-components | 9.9 |
| HIGH | GHSA-rg3h-x3jw-7jm5 | PraisonAI: SQL injection across 9 DB backends | praisonaiagents | 8.1 |
| CRITICAL | GHSA-9qhq-v63v-fv3j | PraisonAI: RCE via MCP command injection | praisonai | 9.8 |
| MEDIUM | GHSA-f7fh-qg34-x2xh | openclaw: CDP SSRF enables internal host pivot | openclaw | - |
| HIGH | GHSA-7jp6-r74r-995q | openclaw: auth bypass lets write-scope callers mutate admin config | openclaw | - |
| HIGH | GHSA-736r-jwj6-4w23 | openclaw: sandbox escape via host=node exec routing bypass | openclaw | - |
| HIGH | GHSA-82qx-6vj7-p8m2 | openclaw: trust bypass loads untrusted workspace plugins | openclaw | - |
| MEDIUM | GHSA-53vx-pmqw-863c | openclaw: Browser SSRF exposes internal services by default | openclaw | - |
| MEDIUM | GHSA-xq94-r468-qwgj | openclaw: DNS rebinding bypasses browser SSRF protection | openclaw | - |
| MEDIUM | GHSA-7wv4-cc7p-jhxc | openclaw: .env injection hijacks agent runtime config | openclaw | - |
| MEDIUM | GHSA-c9h3-5p7r-mrjh | openclaw: path traversal bypasses media sandbox | openclaw | - |
| MEDIUM | GHSA-49cg-279w-m73x | openclaw: auth bypass via empty approver list | openclaw | - |
| MEDIUM | GHSA-7g8c-cfr3-vqqr | openclaw: trust escalation via unsanitized agent hook events | openclaw | - |
| MEDIUM | GHSA-j6c7-3h5x-99g9 | openclaw: OS command injection via shell env-argv bypass | openclaw | - |
| MEDIUM | GHSA-5gjc-grvm-m88j | openclaw: auth bypass enables persistent memory config change | openclaw | - |
| MEDIUM | GHSA-jwrq-8g5x-5fhm | openclaw: auth context reuse enables privilege escalation | openclaw | - |