Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-41680 | marked: infinite recursion DoS crashes Node.js via OOM | marked | 7.5 |
| UNKNOWN | CVE-2026-42232 | n8n: XML Node prototype pollution → RCE | n8n | - |
| UNKNOWN | CVE-2026-42235 | n8n: stored XSS via MCP OAuth steals agent sessions | n8n | - |
| UNKNOWN | CVE-2026-42226 | n8n: IDOR exposes cross-user API key exfiltration | n8n | - |
| UNKNOWN | CVE-2026-42234 | n8n: Python sandbox escape enables container RCE | n8n | - |
| UNKNOWN | CVE-2026-42236 | n8n: unauthenticated MCP endpoint causes memory DoS | n8n | - |
| UNKNOWN | CVE-2026-42228 | n8n: WebSocket auth bypass hijacks AI agent workflows | n8n | - |
| UNKNOWN | CVE-2026-42233 | n8n: SQL injection in Oracle node allows data exfiltration | n8n | - |
| HIGH | CVE-2026-40171 | Jupyter Notebook: stored XSS enables full account takeover | @jupyterlab/help-extension | - |
| MEDIUM | CVE-2026-3340 | IBM Langflow: SSRF enables internal network enumeration | langflow | 6.5 |
| MEDIUM | CVE-2026-3346 | Langflow Desktop: stored XSS enables credential theft | langflow | 6.4 |
| MEDIUM | CVE-2026-4502 | Langflow: path traversal enables arbitrary file write | langflow | 6.5 |
| HIGH | CVE-2026-4503 | Langflow Desktop: IDOR leaks user images unauthenticated | langflow | 7.5 |
| MEDIUM | CVE-2026-3345 | Langflow: path traversal allows arbitrary file read | langflow | 6.5 |
| HIGH | CVE-2026-6542 | Langflow: IDOR exposes cross-tenant flow data and deletion | langflow | 8.1 |
| HIGH | CVE-2026-6543 | Langflow: RCE exposes API keys and DB credentials | langflow | 8.8 |
| MEDIUM | CVE-2026-7669 | SGLang: deserialization in tokenizer loader enables RCE | sglang | 5.6 |
| MEDIUM | CVE-2026-7687 | Langflow: command injection in code parser enables RCE | langflow | 6.3 |
| MEDIUM | CVE-2026-7700 | Langflow: eval() code injection → remote code execution | langflow | 6.3 |
| HIGH | GHSA-r6xh-pqhr-v4xh | openclaw: MCP owner-context spoofing, privilege escalation | openclaw | - |