Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2020-35276 | EgavilanMedia ECM: SQLi bypasses admin login panel | - | |
| UNKNOWN | CVE-2021-42950 | Zepl Notebooks: RCE via malicious notebook code | - | |
| UNKNOWN | CVE-2022-23321 | XMPie UStore: persistent XSS in admin user panel | - | |
| UNKNOWN | CVE-2022-28568 | Doctor's Appointment System: file upload leads to RCE | - | |
| UNKNOWN | CVE-2021-42952 | Zepl Notebooks: sandbox escape exposes cloud metadata | - | |
| CRITICAL | CVE-2022-44194 | Netgear R7000P: buffer overflow via DNS params | 9.8 | |
| CRITICAL | CVE-2025-45949 | PHPGurukul: session hijack via password change flow | 9.8 | |
| LOW | CVE-2026-14742 | LangGraph: weak hash in task cache risks poisoning | langgraph | 3.1 |
| LOW | CVE-2026-14738 | exo: weak hash algorithm in vision feature cache key | 3.7 | |
| MEDIUM | CVE-2026-59152 | LangSmith SDK: arbitrary file read via TracingMiddleware | langsmith-sdk | 5.0 |
| UNKNOWN | CVE-2026-55615 | Langroid: unvalidated LLM Cypher enables graph RCE | langroid | - |
| HIGH | CVE-2026-54771 | Langroid: auth bypass invokes disabled tools via raw JSON | langroid | 8.1 |
| CRITICAL | CVE-2026-54769 | Langroid: prompt injection to RCE via broken eval() sandbox | langroid | 10.0 |
| UNKNOWN | CVE-2026-54760 | Langroid: SQLChatAgent regex bypass exposes pg_read_file | langroid | - |
| CRITICAL | GHSA-vjc7-jrh9-9j86 | 9Router: no-auth API leaks keys, chats, provider control | 9router | 10.0 |
| MEDIUM | CVE-2026-55433 | Coder: missing ActionUpdate check allows devcontainer wipe | github.com/coder/coder/v2 | 5.4 |
| MEDIUM | CVE-2026-44512 | onnx: crafted model triggers SIGSEGV in version_converter | onnx | 5.5 |
| HIGH | CVE-2026-26193 | Open WebUI: stored XSS via chat 'embeds' iframe escape | open-webui | 7.3 |
| HIGH | CVE-2026-26192 | Open WebUI: stored XSS via citation iFrame → admin RCE | open-webui | 7.3 |
| HIGH | CVE-2025-46719 | Open WebUI: chat XSS steals tokens, admin RCE | open-webui | - |