Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-31221 | pytorch-lightning: RCE via insecure checkpoint deserialization | pytorch-lightning | 7.8 |
| HIGH | CVE-2026-31224 | snorkel: RCE via unsafe model deserialization | snorkel | 8.8 |
| CRITICAL | CVE-2026-42074 | openclaude: sandbox bypass allows host-level RCE | openclaude | - |
| CRITICAL | CVE-2026-31238 | Ludwig: RCE via unsafe pickle deserialization in model serve | ludwig | 9.8 |
| CRITICAL | CVE-2026-31239 | mamba: RCE via unsafe torch.load() on model load | mamba-ssm | 9.8 |
| CRITICAL | CVE-2026-31229 | ART: torch.load() RCE via insecure deserialization | 9.8 | |
| LOW | CVE-2026-8026 | Flowise: info disclosure via login API response handler | flowise | 3.7 |
| HIGH | CVE-2026-45134 | LangSmith: prompt deserialization enables SSRF + data leak | langchain | 7.1 |
| HIGH | GHSA-7g73-99r4-m4mj | Flowise: credential data leak via filtered API endpoint | flowise | - |
| CRITICAL | GHSA-9rvc-vf7m-pgm2 | Flowise: auth RCE via NodeVM sandbox escape | flowise | - |
| HIGH | GHSA-hp26-q66v-q2w7 | Flowise: mass assignment breaks multi-tenant isolation | flowise | - |
| HIGH | GHSA-m99r-2hxc-cp3q | Flowise MCP: 3-path blocklist bypass enables server RCE | flowise-components | - |
| HIGH | GHSA-php6-83fg-gw3g | Flowise: brute-force auth grants full agent platform access | flowise | 7.5 |
| HIGH | CVE-2026-42863 | Flowise: Mass Assignment enables cross-workspace takeover | flowise | - |
| HIGH | CVE-2026-42862 | Flowise: mass assignment breaks tenant isolation | flowise | - |
| HIGH | CVE-2026-42861 | Flowise: mass assignment breaks multi-tenant isolation | flowise | - |
| MEDIUM | CVE-2026-44899 | mistune: CSS injection enables phishing UI overlay | mistune | 4.7 |
| MEDIUM | CVE-2026-44898 | mistune: XSS in TOC render via unescaped heading ID | mistune | 6.1 |
| HIGH | GHSA-wxrr-jp8m-qq7f | Flowise: mass assignment enables cross-workspace IDOR | flowise | - |
| HIGH | GHSA-mq53-pc65-wjc4 | Flowise: mass assignment breaks workspace isolation | flowise | - |