Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-5jv7-2mjm-h6qj | praisonai: shell allowlist bypass enables OS command injection | praisonai | 8.8 |
| HIGH | GHSA-h2w2-v7j6-xqm4 | praisonai: tool approval bypass executes denied actions | praisonai | 8.8 |
| CRITICAL | GHSA-j4f3-55x4-r6q2 | praisonai: MCP HTTP server unauthenticated tool invocation | praisonai | 9.8 |
| CRITICAL | GHSA-9752-mhqh-h34f | praisonai npm: AgentOS missing auth enables agent abuse | praisonai | 9.4 |
| CRITICAL | GHSA-p69m-4f92-2v84 | praisonai: sandbox escape in codeMode → full host RCE | praisonai | 9.8 |
| HIGH | GHSA-vjv9-7m7j-h833 | praisonai (npm): allowlist bypass enables RCE | praisonai | 8.8 |
| HIGH | GHSA-gqmf-56h7-rrpf | praisonai: network-isolated sandbox bypass exposes host network | praisonai | 7.6 |
| HIGH | GHSA-4qq2-2j2x-x62c | praisonai: MCP auth bypass exposes agent tools | praisonai | 8.2 |
| UNKNOWN | CVE-2026-54003 | Kirby CMS: admin takeover via reverse proxy header bypass | getkirby/cms | - |
| HIGH | CVE-2026-49276 | Kirby CMS: XSS via writer field malicious links | getkirby/cms | - |
| MEDIUM | CVE-2026-49274 | Kirby CMS: missing auth exposes restricted page titles | getkirby/cms | - |
| MEDIUM | CVE-2026-22551 | @theia/ai-chat: prompt injection exfiltrates workspace secrets | @theia/ai-ide | - |
| HIGH | CVE-2026-44688 | Eclipse Theia: indirect prompt injection → RCE + exfil | @theia/ai-ide | - |
| HIGH | CVE-2026-46580 | Eclipse Theia: workspace prompt injection enables RCE/exfil | @theia/ai-editor | - |
| HIGH | GHSA-fq4x-789w-jg5h | agenticmail: email prompt injection → bypassPermissions RCE | @agenticmail/openclaw | - |
| HIGH | CVE-2026-56075 | PraisonAI: RCE via hardcoded approval_mode bypass | PraisonAI | 8.8 |
| HIGH | CVE-2026-56078 | PraisonAI: path traversal → arbitrary file read/write/RCE | PraisonAI | 8.8 |
| MEDIUM | CVE-2026-56077 | PraisonAI: agent ID collision leaks system prompts | PraisonAI | 6.5 |
| HIGH | CVE-2026-56076 | PraisonAI: CORS bypass enables arbitrary agent execution | PraisonAI | 8.1 |
| CRITICAL | CVE-2026-12048 | pgAdmin 4: Stored XSS enables full browser session hijack | 9.3 |