Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | GHSA-wx9m-wx4f-4cmg | mistralai 2.4.6: supply chain dropper executes on import | mistralai | 9.6 |
| HIGH | CVE-2026-4137 | MLflow: insecure tmp dir perms enable model artifact RCE | mlflow | 7.0 |
| CRITICAL | CVE-2026-2611 | MLflow: cross-origin bypass enables RCE via AI agent | mlflow | 9.6 |
| CRITICAL | CVE-2026-45758 | guardrails-ai: malicious 0.10.1 enables host compromise | guardrails-ai | 9.6 |
| MEDIUM | GHSA-2vx9-7wpg-88jq | n8n: path traversal bypasses file access restriction | n8n | 6.4 |
| CRITICAL | GHSA-3875-8gcx-7v46 | n8n: SSRF bypasses credential domain restrictions | n8n | 9.1 |
| HIGH | CVE-2026-45804 | diffusers: TOCTOU race bypasses trust_remote_code, RCE | diffusers | 7.5 |
| MEDIUM | GHSA-c2c9-mfw7-p8hw | Flowise: cross-workspace chatflow config disclosure | flowise | - |
| MEDIUM | CVE-2026-2734 | MLflow: missing authz exposes all model versions | mlflow | 6.5 |
| HIGH | CVE-2026-46517 | LMDeploy: hardcoded trust_remote_code enables RCE | lmdeploy | 7.8 |
| HIGH | CVE-2026-8596 | SageMaker SDK: cleartext HMAC key enables model artifact RCE | sagemaker | 7.2 |
| HIGH | CVE-2026-46432 | lmdeploy: hardcoded trust_remote_code enables RCE | lmdeploy | 7.8 |
| HIGH | CVE-2026-47101 | LiteLLM: RBAC bypass enables proxy admin escalation | litellm | 8.8 |
| CRITICAL | CVE-2026-46695 | Boxlite: read-only bypass enables host code execution | boxlite-cli | 10.0 |
| MEDIUM | CVE-2026-46678 | pydantic-ai: SSRF bypass exposes cloud IAM credentials | pydantic-ai-slim | 6.8 |
| MEDIUM | CVE-2018-25378 | Notebook Pro: DoS via oversized notebook name input | 6.2 | |
| HIGH | CVE-2026-24162 | NVIDIA Transformers4Rec: deserialization RCE | 7.8 | |
| MEDIUM | CVE-2026-44176 | Kirby CMS: auth bypass exposes restricted page drafts | getkirby/cms | - |
| HIGH | CVE-2026-44174 | Kirby: unsafe reflection allows privilege escalation | getkirby/cms | - |
| CRITICAL | CVE-2026-7524 | Langflow: RCE via symlink traversal in archive extraction | langflow | 9.8 |