Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-10129 | Langflow: SSRF protection bypass via redirect | langflow | 8.5 |
| CRITICAL | CVE-2026-10134 | Langflow: unauthenticated RCE via tool_code injection | langflow | 10.0 |
| CRITICAL | CVE-2026-10140 | Langflow: cross-tenant API credential leak via cache bug | langflow | 9.6 |
| MEDIUM | CVE-2026-10546 | Langflow: SSRF via DNS rebinding in URL component | langflow | 6.5 |
| CRITICAL | CVE-2026-10560 | Langflow: missing auth on build API leaks data, enables DoS | langflow | 9.1 |
| CRITICAL | CVE-2026-7663 | Langflow: auth bypass in MCP transport exposes projects | langflow | 9.8 |
| CRITICAL | CVE-2026-7803 | Langflow: malformed flow nodes enable RCE | langflow | 9.8 |
| CRITICAL | CVE-2026-7871 | Langflow: Redis-access deserialization enables full RCE | langflow | 9.8 |
| CRITICAL | CVE-2026-7873 | Langflow: authenticated RCE enables credential theft | langflow | 9.9 |
| CRITICAL | CVE-2026-7874 | Langflow: weak reversible KDF exposes all stored credentials | langflow | 9.1 |
| UNKNOWN | CVE-2025-71355 | Picklescan: NumPy gadget bypass enables pickle RCE | picklescan | - |
| CRITICAL | CVE-2026-56278 | Flowise: hardcoded default secret enables session forgery | Flowise | 9.1 |
| MEDIUM | CVE-2026-56350 | n8n: authenticated users can disable SSO enforcement via API | n8n | 6.3 |
| HIGH | CVE-2026-57516 | Ray: RCE via pickle/torch deserialization in WebDataset | ray | 8.8 |
| UNKNOWN | CVE-2026-8387 | ClearML: path traversal in zip extraction enables RCE | allegroai/clearml | - |
| HIGH | CVE-2026-4372 | transformers: config.json RCE bypasses trust_remote_code | transformers | 7.8 |
| HIGH | CVE-2026-49119 | Gradio: path traversal in FileExplorer leaks files | gradio | 7.5 |
| UNKNOWN | CVE-2026-8147 | MLflow: auth bypass allows cross-experiment trace access | mlflow/mlflow | - |
| HIGH | CVE-2026-50180 | langroid: SQL blocklist bypass leaks Postgres files | langroid | - |
| HIGH | CVE-2026-50181 | Langroid: path traversal escapes sandboxed file tools | langroid | 7.1 |