Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-41269 | Flowise: unrestricted file upload enables persistent RCE | flowise | 8.8 |
| HIGH | CVE-2026-41270 | Flowise: SSRF bypass exposes cloud metadata services | flowise | 8.3 |
| HIGH | CVE-2026-41271 | Flowise: SSRF via prompt template injection in API Chain | flowise | 8.3 |
| HIGH | CVE-2026-41272 | Flowise: SSRF bypass via DNS rebinding exposes internal networks | flowise | 7.1 |
| HIGH | CVE-2026-41273 | Flowise: auth bypass exposes OAuth 2.0 tokens | flowise | 8.2 |
| HIGH | CVE-2026-41275 | Flowise: HTTP password reset link allows MITM takeover | flowise | 7.5 |
| CRITICAL | CVE-2026-41276 | Flowise: auth bypass enables full account takeover via reset | flowise | 9.8 |
| HIGH | CVE-2026-41277 | Flowise: mass assignment enables cross-workspace IDOR | flowise | 8.8 |
| HIGH | CVE-2026-41278 | Flowise: credential exposure in public chatflow API | flowise | 7.5 |
| CRITICAL | CVE-2026-41274 | Flowise: Cypher injection via GraphCypherQAChain node | flowise | 9.8 |
| HIGH | CVE-2026-41486 | Ray: Parquet RCE via Arrow extension deserialization | ray | - |
| CRITICAL | GHSA-wpqr-6v78-jr5g | Gemini CLI: RCE via malicious workspace in CI/CD | @google/gemini-cli | 10.0 |
| HIGH | CVE-2026-40068 | Claude Code: git worktree trust bypass executes hooks | @anthropic-ai/claude-code | - |
| MEDIUM | CVE-2026-41481 | LangChain: SSRF redirect bypass exposes internal endpoints | langchain | 6.5 |
| LOW | CVE-2026-41488 | langchain-openai: SSRF via DNS rebinding in image token counter | langchain | 3.1 |
| MEDIUM | GHSA-7jm2-g593-4qrc | openclaw: config guard bypass, persistent settings mutation | openclaw | - |
| LOW | GHSA-57r2-h2wj-g887 | openclaw: trust-label bypass amplifies prompt injection | openclaw | - |
| MEDIUM | GHSA-2xcp-x87w-q377 | openclaw: session key auth bypass in webhook routing | openclaw | - |
| MEDIUM | CVE-2026-7141 | vllm: uninitialized KV cache memory leaks inference data | vllm | 5.6 |
| UNKNOWN | CVE-2026-41686 | @anthropic-ai/sdk: insecure file perms expose agent memory | @anthropic-ai/sdk | - |