Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-54158 | SiYuan: XSS→RCE via workspace sync in Electron app | github.com/siyuan-note/siyuan/kernel | 9.9 |
| HIGH | CVE-2025-71340 | picklescan: scanner bypass enables RCE via pickle supply chain | picklescan | 8.1 |
| CRITICAL | CVE-2025-71327 | Flowise: auth bypass grants full API access | Flowise | 9.1 |
| HIGH | CVE-2025-71324 | Flowise: path traversal leaks database unauthenticated | Flowise | 7.5 |
| HIGH | CVE-2025-71328 | Flowise: unverified password change enables account takeover | Flowise | 8.3 |
| CRITICAL | CVE-2025-71338 | Flowise: unauthenticated file write enables RCE | Flowise | 10.0 |
| CRITICAL | CVE-2025-71334 | Flowise: path traversal → RCE via missing UUID validation | Flowise | 9.8 |
| HIGH | CVE-2025-71335 | Flowise: password change fails to revoke sessions | Flowise | 8.1 |
| CRITICAL | CVE-2025-71336 | Flowise: unauthenticated RCE via Custom MCP endpoint | Flowise | 9.8 |
| CRITICAL | CVE-2025-71333 | Flowise: unauth file upload + path traversal enables RCE | Flowise | - |
| UNKNOWN | CVE-2026-6658 | nbconvert: stored XSS via unescaped Mermaid diagrams | - | |
| CRITICAL | GHSA-98x5-vq43-vc5p | semantic-router: unpinned litellm dep pulls malware wheel | litellm | - |
| CRITICAL | CVE-2026-2651 | MLflow: auth bypass on artifact uploads enables RCE | mlflow/mlflow | 9.0 |
| HIGH | CVE-2026-13484 | MLflow: missing authz in label schema CRUD API | 8.8 | |
| MEDIUM | CVE-2026-13581 | Edimax router: OS command injection via web form | 6.3 | |
| UNKNOWN | CVE-2026-12243 | NLTK: path traversal enables arbitrary file read | - | |
| HIGH | CVE-2026-23536 | Feast: unauth path traversal leaks any file | rhoai/odh-workbench-jupyter-datascience-cpu-py312-rhel9 | 7.5 |
| HIGH | CVE-2026-58116 | LLaMA-Factory: RCE via malicious model path | llama-factory | 8.8 |
| MEDIUM | CVE-2026-41863 | Spring AI: path traversal via LLM-chosen filenames | org.springframework.ai:spring-ai-anthropic | 6.5 |
| HIGH | CVE-2026-10564 | Langflow: SSRF via RSS/SearXNG exposes cloud IAM creds | langflow | 8.2 |