Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-53866 | OpenClaw: allowlist bypass allows unauthorized shell exec | openclaw | 8.1 |
| MEDIUM | CVE-2026-48775 | LangGraph SQLite: deserialization RCE at checkpoint load | langgraph | 6.8 |
| LOW | GHSA-m3q2-p4fw-w38m | Nuxt: NoScript XSS enables script execution in head | nuxt | - |
| UNKNOWN | CVE-2026-54305 | n8n: IDOR enables OAuth credential hijack in agent workflows | n8n | - |
| UNKNOWN | CVE-2026-54307 | n8n: credential hijack via partial authorization bypass | n8n | - |
| MEDIUM | CVE-2026-54314 | n8n: decompression bomb DoS via public webhook | n8n | - |
| MEDIUM | GHSA-jwm3-qcfw-c5pp | n8n: AST bypass leaks env vars in Python Task Runner | n8n | 5.0 |
| UNKNOWN | CVE-2026-54302 | n8n: stored XSS in Chat Trigger enables session hijack | n8n | - |
| MEDIUM | CVE-2026-54303 | n8n: reflected XSS in trigger nodes enables session hijack | n8n | - |
| UNKNOWN | CVE-2026-54312 | n8n: prototype pollution renders instance non-functional | n8n | - |
| CRITICAL | CVE-2026-46858 | Oracle APM: unauthenticated write/DoS via JVM Diagnostics | APM - Application Performance Management | 9.1 |
| MEDIUM | CVE-2026-48776 | LangGraph SDK: path traversal bypasses proxy-layer authz | langchain-ai | 4.2 |
| MEDIUM | CVE-2026-48782 | pydantic-ai: SSRF IPv6 bypass exposes cloud IAM creds | pydantic-ai | 6.8 |
| CRITICAL | CVE-2026-48797 | backpropagate: auth bypass exposes LLM training plane | backpropagate | - |
| HIGH | CVE-2026-9064 | 389-ds-base: LDAP DoS via unbounded control count | 7.5 | |
| MEDIUM | CVE-2026-54016 | Open WebUI: BOLA exposes private knowledge base files | open-webui | 4.3 |
| MEDIUM | CVE-2026-54015 | Open WebUI: IDOR exposes private prompt history | open-webui | 6.4 |
| HIGH | CVE-2026-54013 | Open WebUI: stored SVG XSS enables full account takeover | open-webui | 7.6 |
| HIGH | CVE-2026-54012 | Open WebUI: auth bypass enables cross-user file read/delete | open-webui | 7.1 |
| HIGH | CVE-2026-54011 | Open WebUI: Stored XSS via Mermaid loose mode in preview | open-webui | 8.7 |