Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-44504 | Aegra: cross-tenant IDOR hijacks user thread data | aegra-api | - |
| CRITICAL | CVE-2025-14931 | smolagents: RCE via pickle deserialization in executor | smolagents | 10.0 |
| HIGH | CVE-2026-44513 | diffusers: trust_remote_code bypass enables silent RCE | diffusers | 8.8 |
| CRITICAL | CVE-2026-44007 | vm2: sandbox escape via nesting:true enables RCE | vm2 | 9.1 |
| MEDIUM | CVE-2026-40610 | BentoML: symlink traversal exfiltrates host secrets at build | bentoml | 5.5 |
| HIGH | CVE-2026-42271 | LiteLLM: RCE via MCP test endpoint command injection | litellm | 8.8 |
| MEDIUM | CVE-2026-44562 | open-webui: missing authz enables model hijacking | open-webui | 6.5 |
| MEDIUM | CVE-2026-44559 | open-webui: private channel member list exposed to any user | open-webui | 4.3 |
| MEDIUM | CVE-2026-44557 | open-webui: auth bypass exposes all knowledge base metadata | open-webui | 4.3 |
| HIGH | CVE-2026-44554 | open-webui: RAG poisoning via unauthorized KB overwrite | open-webui | 8.1 |
| MEDIUM | CVE-2026-44558 | open-webui: permission bypass exposes channels publicly | open-webui | 5.4 |
| HIGH | CVE-2026-44552 | open-webui: Redis cache poisoning enables cross-instance tool hijack | open-webui | 8.7 |
| HIGH | CVE-2026-44553 | open-webui: stale Socket.IO role allows cross-user note R/W | open-webui | 8.1 |
| MEDIUM | CVE-2026-44550 | open-webui: mass assignment enables cross-user folder injection | open-webui | 5.0 |
| CRITICAL | CVE-2026-44551 | open-webui: LDAP auth bypass — full account takeover | open-webui | 9.1 |
| HIGH | CVE-2026-44721 | open-webui: XSS in model descriptions steals session tokens | open-webui | 7.3 |
| MEDIUM | CVE-2026-44708 | mistune: math plugin XSS bypasses escape=True control | mistune | 6.1 |
| HIGH | CVE-2026-44843 | LangChain: deserialization poisons LLM chat history | langchain-core | 8.2 |
| HIGH | CVE-2026-44549 | open-webui: XSS via XLSX preview enables session hijack | open-webui | 7.3 |
| MEDIUM | CVE-2026-44568 | open-webui: XSS in pending overlay enables session hijack | open-webui | 4.8 |