Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-35309 | Oracle Coherence: unauthenticated RCE via HTTP (CVSS 9.8) | coherence | 9.8 |
| CRITICAL | CVE-2026-35310 | Oracle Coherence: unauthenticated HTTP full takeover | coherence | 9.8 |
| CRITICAL | CVE-2026-55450 | Langflow: unauthenticated upload → DoS + path disclosure | langflow | 9.3 |
| MEDIUM | CVE-2026-54022 | open-webui: Yjs auth bypass exposes all user notes | open-webui | 5.3 |
| MEDIUM | CVE-2026-54019 | open-webui: RAG ACL bypass exposes private KB chunks | open-webui | 6.5 |
| HIGH | CVE-2026-54018 | open-webui: SSRF via redirect bypass in Playwright loader | open-webui | 7.7 |
| HIGH | CVE-2026-54017 | open-webui: double-encoded path traversal in terminal proxy | open-webui | 7.7 |
| HIGH | CVE-2026-55405 | langchain4j: SQL injection in vector store filters | dev.langchain4j:langchain4j-pgvector | 7.6 |
| MEDIUM | CVE-2026-54386 | marimo: reflected XSS enables JS injection in notebooks | marimo | 6.1 |
| CRITICAL | CVE-2026-44727 | jupyter-server: stored XSS yields kernel RCE | notebook | 9.0 |
| MEDIUM | GHSA-2fjj-qqg8-fg7x | praisonai-platform: cross-tenant IDOR poisons project stats | praisonai-platform | 4.3 |
| CRITICAL | GHSA-cwj8-7gp2-ggcw | praisonai-platform: hardcoded JWT secret enables full auth bypass | praisonai-platform | 9.8 |
| HIGH | GHSA-6jcq-6546-qrrw | PraisonAI: sandbox escape via silent Landlock fallback | praisonaiagents | 8.8 |
| HIGH | GHSA-4pcv-mg8v-vrgf | praisonaiagents: SSRF + prompt injection, IAM cred exposure | praisonaiagents | 8.8 |
| CRITICAL | GHSA-f38v-77qj-h4jq | praisonai-platform: hardcoded JWT secret enables full auth bypass | praisonai-platform | 9.8 |
| HIGH | GHSA-7qw2-w5rc-37x2 | PraisonAI: workflow policy bypass enables shell RCE | praisonaiagents | 7.8 |
| HIGH | GHSA-f44v-7qgw-9gh9 | PraisonAI: path traversal enables arbitrary write/delete | praisonai | 8.1 |
| HIGH | GHSA-gcq3-mfvh-3x25 | PraisonAI: workspace bypass allows arbitrary file read/write | praisonai | 7.3 |
| CRITICAL | GHSA-p75f-6fp4-p57w | PraisonAI: unauthenticated RCE via MCP connect endpoint | praisonai | 9.8 |
| HIGH | GHSA-x92v-rpx6-p6cw | PraisonAI: webhook auth bypass enables agent prompt injection | praisonai | 8.6 |