Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-35638 | OpenClaw: priv escalation via trusted-proxy scope bypass | OpenClaw | 8.8 |
| HIGH | CVE-2026-35632 | OpenClaw: symlink traversal enables RCE via agent config | OpenClaw | 7.1 |
| HIGH | CVE-2026-35637 | OpenClaw: auth bypass via premature cite expansion | OpenClaw | 7.3 |
| MEDIUM | CVE-2026-35644 | OpenClaw: credential exposure via gateway channel URLs | OpenClaw | 6.5 |
| HIGH | CVE-2026-35639 | OpenClaw: scope bypass enables admin RCE via device pairing | OpenClaw | 8.8 |
| MEDIUM | CVE-2026-35642 | OpenClaw: auth bypass injects restricted agent events | OpenClaw | 4.3 |
| LOW | CVE-2026-35648 | OpenClaw: policy bypass via stale queued node actions | OpenClaw | 3.7 |
| HIGH | CVE-2026-35650 | OpenClaw: env var override bypass enables code execution | OpenClaw | 7.5 |
| MEDIUM | CVE-2026-35659 | OpenClaw: DNS-SD metadata hijacks CLI routing | OpenClaw | 4.6 |
| MEDIUM | CVE-2026-35662 | OpenClaw: missing auth enables agent scope bypass | OpenClaw | 4.3 |
| HIGH | CVE-2026-35668 | OpenClaw: sandbox path traversal exposes agent secrets | OpenClaw | 7.7 |
| HIGH | CVE-2026-54320 | Daytona: email bypass grants unauthorized org Owner access | 8.4 | |
| MEDIUM | CVE-2025-71332 | Flowise: SQL injection exposes AI credential store | Flowise | 6.5 |
| HIGH | CVE-2025-71354 | picklescan: scanner bypass enables arbitrary code execution | picklescan | 8.1 |
| HIGH | CVE-2025-71361 | picklescan: scanner bypass allows RCE via pickle load | picklescan | 8.1 |
| MEDIUM | CVE-2026-56272 | Flowise: weak bcrypt enables 30x faster password cracking | Flowise | 4.1 |
| MEDIUM | CVE-2026-56269 | Flowise: hardcoded JWT secret leaks user/workspace IDs | Flowise | 4.6 |
| HIGH | CVE-2026-56270 | Flowise: auth bypass exposes OAuth secrets in cleartext | Flowise | 7.5 |
| HIGH | CVE-2026-56351 | n8n: SQL injection in DB nodes via identifier values | n8n | 8.2 |
| UNKNOWN | CVE-2026-50709 | Frappe Framework: Stored XSS in Notifications Events panel | - |