Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-54010 | Open WebUI: IDOR allows cross-user file read and delete | open-webui | 8.3 |
| MEDIUM | CVE-2026-54009 | open-webui: cross-user file read via auth bypass | open-webui | 6.5 |
| MEDIUM | CVE-2026-54006 | open-webui: auth bypass allows cross-user calendar injection | open-webui | 4.3 |
| MEDIUM | GHSA-8jr5-v98p-w75m | vllm: EXIF/tRNS preprocessing gap enables adversarial input | vllm | 4.8 |
| MEDIUM | GHSA-664h-gpgq-h6xx | n8n: viewer role can start/cancel/delete eval workflow runs | n8n | 5.4 |
| UNKNOWN | CVE-2026-53875 | picklescan: scanner bypass enables PyTorch RCE | picklescan | - |
| CRITICAL | CVE-2025-71321 | picklescan: blocklist bypass allows arbitrary file write/RCE | picklescan | 9.8 |
| CRITICAL | CVE-2025-71320 | picklescan: deny-list bypass enables arbitrary RCE | picklescan | 9.8 |
| CRITICAL | CVE-2025-71323 | picklescan: ctypes bypass enables full RCE via pickle files | picklescan | 9.8 |
| CRITICAL | CVE-2025-71325 | picklescan: scanner bypass enables RCE via model files | picklescan | 9.8 |
| HIGH | CVE-2025-71322 | PickleScan: pty.spawn bypass enables RCE in model scans | PickleScan | 8.8 |
| CRITICAL | CVE-2026-3490 | picklescan: blocklist bypass enables full RCE | picklescan | 10.0 |
| HIGH | CVE-2026-53872 | picklescan: arbitrary file read bypasses RCE blocklist | picklescan | 7.5 |
| CRITICAL | CVE-2026-53874 | picklescan: scanner bypass enables pickle RCE | picklescan | 9.8 |
| CRITICAL | CVE-2026-53873 | picklescan: blocklist bypass allows arbitrary code exec | picklescan | 9.8 |
| CRITICAL | CVE-2026-35304 | Oracle Coherence: unauthenticated HTTPS takeover | coherence | 9.8 |
| CRITICAL | CVE-2026-35305 | Oracle Coherence: unauth data exfiltration via bundled libs | coherence | 9.3 |
| CRITICAL | CVE-2026-35306 | Oracle Coherence: unauthenticated data access via HTTP | coherence | 9.3 |
| CRITICAL | CVE-2026-35307 | Oracle Coherence: unauthenticated RCE, CVSS 10.0 | coherence | 10.0 |
| CRITICAL | CVE-2026-35308 | Oracle Coherence: unauthenticated RCE via third-party jars | coherence | 10.0 |