Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-12797 | litellm: auth bypass in banned keywords enterprise hook | litellm | 6.3 |
| HIGH | CVE-2025-71348 | picklescan: scanner bypass enables supply chain RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71378 | picklescan: detection bypass enables RCE via pickle files | picklescan | 8.1 |
| HIGH | CVE-2025-71357 | picklescan: detection bypass enables RCE via malicious models | picklescan | 8.1 |
| HIGH | CVE-2025-71351 | picklescan: scanner bypass enables RCE via pickle files | picklescan | - |
| MEDIUM | CVE-2026-56393 | Craft CMS: stored XSS hijacks admin panel sessions | 4.8 | |
| MEDIUM | CVE-2026-12821 | Flowise: path traversal in S3 loader exposes documents | Flowise | 6.3 |
| MEDIUM | CVE-2026-12822 | Langflow: code injection via Bundle URL Loader (PoC) | langflow | 5.3 |
| CRITICAL | CVE-2026-10561 | Langflow: auth bypass + unauthenticated RCE (CVSS 10) | langflow | 10.0 |
| HIGH | CVE-2026-9029 | Grafana: stored XSS in geomap bypasses CVE-2023-0507 fix | 7.3 | |
| UNKNOWN | CVE-2026-12479 | Keras: path traversal via layer names allows arbitrary file write | keras-team/keras | - |
| HIGH | CVE-2026-56104 | Chainlit: session hijacking via WebSocket restoration | chainlit | 8.2 |
| CRITICAL | CVE-2026-7664 | Langflow: auth bypass in MCP endpoint, CVSS 9.8 | Langflow OSS | 9.8 |
| MEDIUM | CVE-2026-55443 | LangChain: path traversal exposes files outside agent root | langchain | 5.5 |
| CRITICAL | CVE-2026-54352 | Budibase: zip symlink bypass exposes all server secrets | @budibase/server | 9.6 |
| HIGH | CVE-2026-52798 | Gogs: Stored XSS via .ipynb Markdown re-render bypass | gogs.io/gogs | 8.9 |
| HIGH | CVE-2026-54232 | vLLM: dependency confusion RCE backdoors container images | vllm | 8.8 |
| HIGH | CVE-2025-71339 | picklescan: scanner bypass enables arbitrary code execution | picklescan | 8.1 |
| HIGH | CVE-2025-71344 | picklescan: scanner bypass enables undetected pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71358 | picklescan: scanner bypass enables RCE via pickle | picklescan | 8.1 |