Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-7528 | Langflow: DoS via uncontrolled resource consumption | langflow | 7.5 |
| MEDIUM | CVE-2026-48545 | Gradio: cookie injection hijacks cross-Space sessions | gradio | 6.8 |
| MEDIUM | CVE-2026-3676 | IBM Db2 APM: DoS via query special element injection | 6.5 | |
| CRITICAL | CVE-2026-25879 | langroid: Prompt-to-SQL injection enables RCE on DB host | langroid | 9.8 |
| HIGH | CVE-2026-45368 | Kirby CMS: Stored XSS via javascript: URI scheme bypass | getkirby/cms | - |
| MEDIUM | CVE-2026-45334 | Kirby CMS: auth bypass leaks admin emails via content lock | getkirby/cms | - |
| CRITICAL | CVE-2026-31233 | guardrails-ai: RCE via malicious Hub package manifest | guardrails-ai | 9.8 |
| UNKNOWN | CVE-2026-9806 | CTI Transmute: stored XSS in notification panel | - | |
| HIGH | CVE-2026-46176 | Linux mlx5 RDMA: use-after-free in SRQ init path | 7.8 | |
| HIGH | CVE-2026-46181 | Linux kernel RDMA/mlx4: RCU race may crash ML training nodes | 7.8 | |
| HIGH | CVE-2026-41236 | Froxlor: symlink-following grants customer root SSH access | froxlor/froxlor | 8.8 |
| MEDIUM | CVE-2026-34507 | OpenClaw: policy bypass enables unauthorized admin command execution | openclaw | 5.4 |
| MEDIUM | GHSA-rf84-wr5g-m3rp | CAPM3: cross-namespace auth bypass exposes K8s secrets | github.com/metal3-io/cluster-api-provider-metal3 | 5.5 |
| MEDIUM | CVE-2026-47742 | Shopper: authz bypass lets any user mutate product data | shopper/framework | 6.5 |
| CRITICAL | CVE-2026-47744 | Shopper: RBAC bypass allows full admin takeover | shopper/framework | 9.9 |
| MEDIUM | CVE-2026-47745 | Shopper: auth bypass enables full checkout shutdown | shopper/framework | 6.5 |
| MEDIUM | CVE-2026-49384 | PyCharm: stored XSS via Jupyter Markdown cells | 6.1 | |
| CRITICAL | CVE-2026-47416 | praisonai-platform: member-to-owner privilege escalation | praisonai-platform | 9.6 |
| HIGH | CVE-2026-47409 | praisonai-platform: auth bypass enables owner lockout | praisonai-platform | 8.1 |
| HIGH | CVE-2026-47414 | praisonai-platform: IDOR cross-workspace label tampering | praisonai-platform | 7.6 |