Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-48067 | Filament: auth bypass via Livewire state tampering | 6.5 | |
| MEDIUM | CVE-2026-48500 | Filament: unauth file upload drains disk/inflates costs | filament/filament | 6.5 |
| HIGH | CVE-2026-48505 | Filament: MFA race condition enables recovery code reuse | 7.4 | |
| MEDIUM | CVE-2026-48167 | Filament: stored XSS in ImageColumn/ImageEntry | 6.4 | |
| MEDIUM | CVE-2026-48166 | Filament: timing side-channel exposes registered emails | 5.3 | |
| HIGH | CVE-2026-55409 | Filament: stored XSS in disabled RichEditor field | 7.6 | |
| HIGH | CVE-2026-56268 | Flowise: cross-workspace chatflow config disclosure | Flowise | 7.7 |
| CRITICAL | CVE-2026-56348 | n8n: SSRF bypasses allowlist, exfiltrates credentials | n8n | 9.1 |
| HIGH | CVE-2025-71341 | picklescan: scanner bypass enables undetected RCE via pickle | picklescan | 8.1 |
| HIGH | CVE-2025-71365 | picklescan: detection bypass enables RCE via numpy.f2py | picklescan | 8.1 |
| HIGH | CVE-2025-71370 | picklescan: scanner bypass enables arbitrary code execution | picklescan | 8.1 |
| HIGH | CVE-2025-71376 | picklescan: scanner bypass enables undetected RCE | picklescan | 8.1 |
| CRITICAL | CVE-2026-56315 | picklescan: stdlib bypass enables arbitrary RCE | picklescan | 9.8 |
| HIGH | CVE-2025-71337 | Flowise: account takeover via unverified email change | Flowise | 8.3 |
| UNKNOWN | CVE-2026-56275 | Flowise: SSRF bypasses security check in Execute Flow | Flowise | - |
| CRITICAL | CVE-2018-25117 | VestaCP: backdoored installer, not an AI/ML CVE | Control Panel (CP) | - |
| MEDIUM | CVE-2026-22176 | OpenClaw: cmd injection in Windows task script generation | OpenClaw | 6.1 |
| MEDIUM | CVE-2026-22178 | OpenClaw: ReDoS via Feishu mention metadata | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-22217 | OpenClaw: $SHELL env hijack enables arbitrary code execution | OpenClaw | 6.1 |
| CRITICAL | CVE-2026-26210 | KTransformers: pickle RCE via unauthenticated ZMQ socket | ktransformers | 9.8 |