Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-3198 | MLflow: auth bypass exposes gateway secrets and keys | mlflow | 6.5 |
| HIGH | CVE-2026-5422 | jupyter-server: path traversal exposes sibling dir files | jupyter | 8.1 |
| CRITICAL | CVE-2026-47117 | OpenMed: RCE via trust_remote_code model loading | openmed | 9.8 |
| LOW | CVE-2026-35202 | Pterodactyl: DB limit bypass via broken locking mechanism | - | |
| HIGH | CVE-2026-31942 | LibreChat: IDOR enables cross-user API key hijacking | 7.1 | |
| HIGH | CVE-2026-4035 | MLflow: AI Gateway leaks cloud credentials via env injection | mlflow | 7.7 |
| CRITICAL | CVE-2026-5241 | transformers: trust_remote_code bypass enables RCE via model load | transformers | 9.6 |
| HIGH | CVE-2026-6657 | jupyter-server: CORS bypass enables arbitrary code execution | 8.8 | |
| CRITICAL | CVE-2026-44182 | Enterprise Gateway: YAML injection → K8s cluster takeover | jupyter_enterprise_gateway | - |
| CRITICAL | CVE-2026-44181 | Enterprise Gateway: SSTI allows full K8s cluster compromise | jupyter_enterprise_gateway | - |
| CRITICAL | CVE-2026-44180 | Jupyter Enterprise Gateway: root privilege bypass in Kubernetes | jupyter_enterprise_gateway | 9.8 |
| HIGH | GHSA-f9rx-7wf7-jr36 | Froxlor: 2FA bypass via API grants full account access | froxlor/froxlor | 8.1 |
| HIGH | CVE-2026-41234 | Froxlor: DNS zone injection via unsanitized TXT record | froxlor/froxlor | 7.6 |
| LOW | CVE-2026-10783 | Gradio: weak hash exposes audio cache to local users | gradio | 2.5 |
| LOW | CVE-2026-10801 | ms-swift: weak hash enables image cache poisoning | ms-swift | 3.6 |
| MEDIUM | CVE-2026-10804 | Streamlit: weak hash enables cache integrity bypass | streamlit | 4.7 |
| LOW | CVE-2026-10803 | MLflow: weak dataset hash allows integrity bypass | mlflow | 3.6 |
| HIGH | CVE-2026-10814 | Milvus: weak hash allows RBAC grantee impersonation | milvus | 7.0 |
| MEDIUM | CVE-2026-8462 | OpenMeter: SQL injection leaks all-tenant metering data | github.com/openmeterio/openmeter | - |
| CRITICAL | CVE-2026-2586 | GlassFish: authenticated RCE via admin console | org.glassfish.jsftemplating:jsftemplating | 9.1 |