Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-45387 | open-webui: system prompt leakage via model read API | open-webui | 4.3 |
| MEDIUM | CVE-2026-45385 | Open WebUI: IDOR lets members tamper with admin messages | open-webui | 4.3 |
| MEDIUM | CVE-2026-45351 | Open WebUI: admin system prompts exposed to all users | open-webui | 6.5 |
| HIGH | CVE-2026-45349 | open-webui: auth bypass exposes all user chat histories | open-webui | 7.1 |
| HIGH | CVE-2026-45338 | open-webui: SSRF via OAuth picture claim leaks internal data | open-webui | 7.7 |
| HIGH | CVE-2026-45331 | open-webui: SSRF bypass exposes cloud IAM credentials | open-webui | 8.5 |
| MEDIUM | CVE-2026-45317 | Open-WebUI: CSRF image URL leaks session cookies | open-webui | 4.6 |
| MEDIUM | CVE-2026-45318 | open-webui: Stored XSS via Office file preview bypass | open-webui | 5.4 |
| LOW | CVE-2026-45316 | Open WebUI: read users can modify note pin state | open-webui | 3.5 |
| HIGH | CVE-2026-45314 | Open WebUI: Stored XSS via webhook SVG profile image | open-webui | - |
| HIGH | CVE-2026-45315 | open-webui: stored XSS → JWT theft and admin takeover | open-webui | 8.7 |
| HIGH | CVE-2026-45303 | Open WebUI: XSS iframe allows auth token exfiltration | open-webui | 7.7 |
| HIGH | CVE-2026-45301 | open-webui: BOLA exposes all users' uploaded files | open-webui | 8.1 |
| MEDIUM | CVE-2026-45299 | open-webui: Stored SVG XSS enables admin JWT theft | open-webui | 5.4 |
| HIGH | CVE-2026-45665 | open-webui: Stored XSS enables Super Admin session hijack | open-webui | 8.1 |
| HIGH | CVE-2026-2652 | MLflow: auth bypass exposes Job API and trace injection | mlflow | 8.6 |
| HIGH | CVE-2026-45539 | Microsoft APM: symlink attack leaks host files in agent deps | apm | 7.4 |
| HIGH | CVE-2026-45548 | @budibase/server: SSRF in AI Extract bypasses IP blacklist | @budibase/server | 7.7 |
| HIGH | CVE-2026-8756 | Bert-VITS2: path traversal exposes ML training filesystem | 7.3 | |
| CRITICAL | CVE-2026-45829 | ChromaDB: pre-auth RCE via trust_remote_code injection | chromadb | 10.0 |