Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| LOW | CVE-2026-11329 | onnx-mlir: weak hash enables model cache poisoning | 3.6 | |
| HIGH | CVE-2026-47732 | twig/twig: sandbox bypass leaks render context | twig/twig | - |
| CRITICAL | CVE-2026-46440 | Flowise: plaintext auth brute-force, no rate limit | flowise | 9.1 |
| CRITICAL | CVE-2026-46441 | Flowise: mass assignment breaks multi-tenant isolation | flowise | 9.6 |
| CRITICAL | CVE-2026-46442 | Flowise: sandbox escape enables authenticated RCE | flowise | 9.9 |
| MEDIUM | CVE-2026-46443 | Flowise: stored credentials exposed via API filter bug | flowise | 6.5 |
| HIGH | CVE-2026-46444 | Flowise: missing authz on vector store CRUD ops | flowise | 8.8 |
| HIGH | CVE-2026-46475 | Flowise: mass-assignment enables workspace takeover | flowise | 8.8 |
| HIGH | CVE-2026-46476 | Flowise: mass assignment enables cross-workspace takeover | flowise | 8.8 |
| HIGH | CVE-2026-46477 | Flowise: mass-assignment cross-workspace dataset takeover | flowise | 8.8 |
| HIGH | CVE-2026-46478 | Flowise: mass-assignment allows cross-workspace data takeover | flowise | 8.8 |
| HIGH | CVE-2026-46479 | Flowise: mass assignment cross-workspace takeover | flowise | 8.8 |
| HIGH | CVE-2026-46480 | Flowise: mass-assignment allows cross-workspace takeover | flowise | 8.8 |
| HIGH | CVE-2026-32981 | Ray Dashboard: unauthenticated path traversal file read | ray | 7.5 |
| MEDIUM | CVE-2026-47155 | vLLM: revision pin bypass loads unreviewed artifacts | vllm | 6.5 |
| MEDIUM | CVE-2026-20258 | Splunk: stored XSS hijacks dashboards via HTML panel | 5.4 | |
| MEDIUM | CVE-2026-46642 | draw.io: stored XSS executes JS via crafted diagram file | 6.1 | |
| HIGH | CVE-2026-42558 | Xibo CMS: Stored XSS + iframe sandbox escape via DataSet | 7.6 | |
| HIGH | CVE-2026-11816 | Keras: path traversal allows arbitrary file write | keras | 8.1 |
| MEDIUM | CVE-2026-3341 | Langflow: SSRF exposes internal ML infrastructure | langflow | 5.4 |