Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-grc3-2j34-p6gm | OpenClaw: action forwarding leaks Gateway credentials | openclaw | - |
| HIGH | GHSA-mhq8-78pj-5j79 | OpenClaw: safe-bin bypass exposes node-local files | openclaw | 7.1 |
| HIGH | CVE-2026-56210 | libaom: AV1 SVC bounds-check miss leaks heap, crashes | rhaiis/vllm-cpu-rhel9 | 7.1 |
| HIGH | CVE-2026-56209 | libaom: arbitrary address write in AV1 SVC codec | rhaiis/vllm-cpu-rhel9 | 7.1 |
| CRITICAL | CVE-2026-12481 | Keras: safe_mode=None bypass enables Lambda RCE | keras | 9.8 |
| HIGH | CVE-2025-71343 | picklescan: scanner bypass lets malicious pickle files evade detection | picklescan | 8.1 |
| HIGH | CVE-2025-71353 | picklescan: detection bypass allows pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71359 | picklescan: scan bypass lets malicious models RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71360 | picklescan: scanner bypass enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71362 | picklescan: scanner bypass enables RCE via numpy eval | picklescan | 8.1 |
| HIGH | CVE-2025-71364 | picklescan: scanner blind spot enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71366 | picklescan: scan bypass lets malicious pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71369 | picklescan misses malicious pickles via torch decoder | picklescan | 8.1 |
| HIGH | CVE-2025-71373 | picklescan: methodcaller bypass enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2025-71375 | picklescan: detection bypass enables pickle RCE | picklescan | 8.1 |
| HIGH | CVE-2026-12196 | HestiaCP: cronjob flaw lets low-priv users get root | - | |
| HIGH | CVE-2026-14534 | fickling: denylist gaps let malicious pickles execute | fickling | 8.8 |
| LOW | CVE-2026-14630 | AI-fundermentals: weak hash exposes chat session data | 3.1 | |
| MEDIUM | CVE-2026-14647 | ONNX: OOB read in shape inference parsing untrusted models | onnx | 4.3 |
| UNKNOWN | CVE-2020-25514 | Sourcecodester LMS: broken access control in admin panel | - |