Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-12706 | FFmpeg RASC: UAF in decoder crashes AI inference containers | rhoai/odh-vllm-gaudi-rhel9 | 6.5 |
| MEDIUM | GHSA-vmhf-c436-hxj4 | JupyterLab: XSS via malicious PyPI extension URL | jupyterlab | - |
| MEDIUM | CVE-2026-55414 | nl-portal: GraphQL SSRF exposes Objecten-API auth token | nl.nl-portal:form | 5.3 |
| HIGH | CVE-2026-54528 | jupyterlab-git: excluded_paths bypass exposes secrets | jupyterlab-git | 7.1 |
| UNKNOWN | CVE-2026-54527 | jupyterlab-git: stored XSS escalates to full RCE | @jupyterlab/git | - |
| HIGH | CVE-2026-54499 | Stanza: pickle fallback bypass enables model RCE | torch | 7.5 |
| HIGH | CVE-2026-53489 | containerd: symlink follow leaks host files via kubectl logs | github.com/containerd/containerd/v2 | - |
| MEDIUM | CVE-2026-50195 | containerd: checkpoint import poisons node image cache | github.com/containerd/containerd/v2 | - |
| LOW | CVE-2026-49215 | Symfony LiveComponent: CSRF bypass via safelisted header | symfony/ux-live-component | - |
| LOW | CVE-2026-49212 | symfony/ux-live: HMAC replay bypasses prop integrity | symfony/ux-live-component | - |
| CRITICAL | CVE-2026-55447 | Langflow: TAR symlink traversal enables full RCE | langflow | 9.6 |
| HIGH | CVE-2026-55446 | Langflow: pre-auth DoS via malformed multipart boundary | langflow | 7.5 |
| MEDIUM | CVE-2026-55423 | Langflow: logout fails to clear session tokens | langflow | 6.1 |
| CRITICAL | CVE-2026-55255 | Langflow: IDOR allows cross-user flow execution | langflow | 9.9 |
| HIGH | GHSA-6vxv-wg6j-5qwp | Gogs: XSS via outdated Jupyter renderer, account takeover | gogs.io/gogs | - |
| MEDIUM | CVE-2026-56304 | picklescan: FileHandler bypass creates filesystem artifacts | picklescan | 6.5 |
| CRITICAL | CVE-2024-58351 | Flowise: RCE and sandbox escape via overrideConfig | Flowise | 9.8 |
| MEDIUM | CVE-2025-71331 | Flowise: XSS enables session hijacking in AI agent UI | Flowise | 6.1 |
| MEDIUM | CVE-2026-56276 | Flowise: mass assignment enables credential hash override | Flowise | - |
| HIGH | CVE-2026-12795 | litellm: auth bypass in SSO debug exposes LLM proxy | litellm | 7.3 |