Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-44560 | open-webui: RAG auth bypass exposes private files | open-webui | 6.5 |
| MEDIUM | CVE-2026-44564 | open-webui: auth bypass in collaborative doc editing | open-webui | 5.4 |
| MEDIUM | CVE-2026-44897 | mistune: XSS via unescaped heading id= attribute | mistune | 6.1 |
| HIGH | CVE-2026-44346 | BentoML: Dockerfile injection enables build-time RCE | bentoml | 8.8 |
| HIGH | CVE-2026-44345 | BentoML: unsanitized base_image allows Dockerfile RCE | bentoml | 8.8 |
| MEDIUM | CVE-2026-44571 | open-webui: auth bypass allows message tampering | open-webui | 6.5 |
| HIGH | CVE-2026-44569 | Open WebUI: IDOR enables cross-user message tampering | open-webui | 7.1 |
| HIGH | CVE-2026-44565 | open-webui: path traversal enables file write/delete | open-webui | 8.1 |
| HIGH | GHSA-6xcp-7mpr-m7wm | open-webui: CORS misconfiguration enables 1-click RCE | open-webui | 8.3 |
| HIGH | CVE-2026-44340 | PraisonAI: tar symlink bypass allows arbitrary file write | PraisonAI | 7.5 |
| HIGH | CVE-2026-44339 | praisonaiagents: tool bypass enables undeclared callable exec | PraisonAI | 8.6 |
| CRITICAL | CVE-2026-44336 | PraisonAI: MCP path traversal escalates to full RCE | PraisonAI | 9.6 |
| MEDIUM | CVE-2026-44337 | PraisonAI: SQL/CQL injection in knowledge-store backends | PraisonAI | 6.3 |
| HIGH | CVE-2026-44338 | PraisonAI: unauthenticated API triggers agent workflows | PraisonAI | 7.3 |
| UNKNOWN | CVE-2026-31252 | CosyVoice: RCE via unsafe torch.load() deserialization | - | |
| HIGH | CVE-2026-31253 | flash-attention: RCE via unsafe checkpoint deserialization | flash_attn | 7.3 |
| MEDIUM | CVE-2026-43979 | local-deep-research: HTML injection enables SSRF via WeasyPrint | local-deep-research | 5.0 |
| HIGH | CVE-2026-2393 | MLflow: SSRF in webhook URL enables cloud credential theft | mlflow | 7.1 |
| CRITICAL | CVE-2026-43995 | Flowise: SSRF in agent tools bypasses security wrapper | flowise | 9.8 |
| HIGH | CVE-2026-2614 | MLflow: path traversal allows unauthenticated file read | mlflow | 7.5 |