Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-rh39-9c67-59mh | PraisonAI: member role can delete all workspace resources | praisonai-platform | 8.1 |
| CRITICAL | GHSA-892r-p3jq-jp24 | PraisonAI AgentOS: unauth remote agent invocation (CVSS 9.8) | praisonai | 9.8 |
| CRITICAL | GHSA-x8cv-xmq7-p8xp | praisonaiagents: unauth AgentTeam API allows agent takeover | praisonaiagents | 9.8 |
| HIGH | GHSA-rjvw-7vvw-549v | PraisonAI: DNS rebinding bypasses webhook SSRF guard | praisonai | 7.2 |
| CRITICAL | GHSA-fq2m-6wqh-x44g | praisonai: unauthenticated Jobs API enables remote agent RCE | praisonai | 9.8 |
| HIGH | GHSA-2rcg-mm5h-xchx | praisonaiagents: @file: path traversal reads arbitrary files | praisonaiagents | 7.5 |
| CRITICAL | GHSA-j4hj-7hfh-g2f4 | praisonai: silent auth bypass exposes agent exec endpoints | praisonai | 9.8 |
| HIGH | GHSA-vxgj-xg5c-p4h7 | praisonaiagents: SSRF DNS bypass exposes internal services | praisonaiagents | 8.5 |
| CRITICAL | GHSA-4869-x4pr-q22x | PraisonAI: Unauthenticated RCE via Jobs API auth bypass | praisonaiagents | 9.8 |
| HIGH | GHSA-p4pj-vh7h-6cqh | praisonai: unauthenticated path traversal leaks server files | praisonai | 7.5 |
| CRITICAL | GHSA-x227-pf99-vffg | praisonaiagents: unauthenticated MCP SSE server enables RCE | praisonaiagents | 9.8 |
| MEDIUM | GHSA-pv2j-rghr-v5r9 | praisonaiagents: sandbox escape via format-spec read | praisonaiagents | 6.5 |
| HIGH | GHSA-w6h2-fr4q-xvxv | PraisonAI: file tool shell injection enables RCE | praisonai | 8.8 |
| HIGH | GHSA-v847-hxxw-3pxg | PraisonAI: streaming bypass enables dangerous tool execution | praisonai | 7.8 |
| HIGH | GHSA-63v4-w882-g4x2 | PraisonAI: XSS bypasses human-in-the-loop tool approval | praisonai | 8.8 |
| HIGH | GHSA-fc26-m9pf-v56q | PraisonAI LinearBot: webhook auth bypass enables agent exec | praisonai | 8.6 |
| HIGH | GHSA-qvpf-j64c-jmhr | PraisonAI: auth bypass via Slack app_mention handler | praisonai | 8.3 |
| HIGH | GHSA-5qw8-f2g9-ff29 | PraisonAI: auth bypass exposes recipe API to unauthenticated callers | praisonai | 8.2 |
| HIGH | GHSA-22cj-m4wf-fv2c | PraisonAI: path traversal in agent tools exposes credentials | praisonai | 7.5 |
| MEDIUM | GHSA-35w5-pcw4-jx94 | praisonaiagents: unauth SSE endpoint enables event injection | praisonaiagents | 4.3 |