Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-48121 | LangGraph MongoDB: NoSQL injection leaks tenant checkpoints | @langchain/langgraph-checkpoint-mongodb | 6.7 |
| HIGH | CVE-2026-45831 | ChromaDB: RBAC bypass enables cross-tenant data access | chromadb | 8.8 |
| HIGH | CVE-2026-45832 | ChromaDB: V1 auth bypass exposes all tenant collections | chromadb | 8.8 |
| HIGH | CVE-2026-45833 | ChromaDB: RCE via trust_remote_code in collection update | chromadb | 8.8 |
| UNKNOWN | CVE-2026-8828 | ChromaDB: tenant isolation bypass exposes all tenant data | chromadb | - |
| MEDIUM | CVE-2026-48148 | Budibase: SSRF via VectorDB host exposes cloud metadata | @budibase/server | - |
| MEDIUM | CVE-2026-47345 | typo3/html-sanitizer: XSS bypass via namespace encoding | typo3/html-sanitizer | - |
| HIGH | CVE-2026-53821 | OpenClaw: auth bypass grants admin RPC via WebSocket | OpenClaw | 8.8 |
| HIGH | CVE-2026-53828 | OpenClaw: auth bypass enables owner command execution | OpenClaw | 8.8 |
| MEDIUM | CVE-2026-53827 | OpenClaw: SSRF leaks Gateway credentials via model metadata | OpenClaw | 6.5 |
| HIGH | CVE-2026-53832 | OpenClaw: identity header spoof grants operator access | OpenClaw | 7.7 |
| HIGH | CVE-2026-53833 | OpenClaw: auth bypass allows agent config mutation | openclaw | 7.7 |
| MEDIUM | CVE-2026-53839 | OpenClaw: hostname prefix bypass leaks auth tokens | OpenClaw | 6.5 |
| CRITICAL | CVE-2026-53838 | OpenClaw: approval scope bypass via reconnection state | OpenClaw | 9.8 |
| MEDIUM | GHSA-gr75-jv2w-4656 | LangChain: path traversal exposes files outside sandbox | langchain-anthropic | 5.1 |
| HIGH | CVE-2026-54293 | NLTK: path traversal leaks arbitrary local files | nltk | 7.5 |
| MEDIUM | GHSA-534h-c3cw-v3h9 | Nuxt: local unauth IPC leaks .env secrets on shared hosts | nuxt | 5.5 |
| HIGH | CVE-2026-53721 | Nuxt: auth bypass via URL case-sensitivity mismatch | nuxt | - |
| MEDIUM | GHSA-c9cv-mq2m-ppp3 | Nuxt: open redirect + XSS in navigation API (SSR+client) | nuxt | - |
| MEDIUM | CVE-2026-48520 | Langflow: unauth file read via Shareable Playground | langflow | 6.1 |