Framework
AI/ML frameworks sit at the bottom of every AI stack — virtually every production AI system depends transitively on PyTorch or TensorFlow at the training layer, and on LangChain, LlamaIndex, or a similar orchestrator at the application layer. That concentration means a single vulnerability often affects tens of thousands of downstream services. The CVE patterns are recognisable: unsafe deserialization in model loading (the long tail of pickle), template injection in LangChain's prompt-construction utilities, SSRF in LlamaIndex's data-loader connectors, and path traversal in MLflow's experiment storage. PyTorch itself has shipped several high-severity CVEs around its distributed RPC layer. Because these libraries upgrade frequently and downstream applications pin loosely, patching is a real operational problem. AI Threat Alert tracks framework-level CVEs prominently because a single advisory often means urgent work for hundreds of teams.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| LOW | CVE-2026-59215 | Open WebUI: IDOR leaks private channel/DM threads | open-webui | 3.1 |
| HIGH | CVE-2026-59224 | Open WebUI: terminal proxy allows user ID spoofing | open-webui | 8.0 |
| HIGH | CVE-2026-59221 | Open WebUI: encoded path traversal in terminal proxy | open-webui | 7.7 |
| MEDIUM | CVE-2026-59831 | GitHub CLI: command execution via malicious Codespace URI | 4.4 | |
| MEDIUM | CVE-2026-60086 | PraisonAI: injection filter bypass at HIGH threat level | praisonai | 5.3 |
| MEDIUM | CVE-2026-60089 | PraisonAI: config.toml path traversal overwrites files | praisonaiagents | 5.5 |
| MEDIUM | CVE-2026-61431 | PraisonAI: path traversal leaks arbitrary files | praisonai | 5.5 |
| MEDIUM | CVE-2026-61432 | PraisonAI: FastContext path traversal leaks host files | praisonaiagents | 5.7 |
| HIGH | CVE-2026-61434 | PraisonAI: allowlist bypass enables RCE via find -exec | praisonai | 8.8 |
| HIGH | CVE-2026-61437 | PraisonAI: unsafe dynamic import enables RCE | praisonaiagents | 7.8 |
| MEDIUM | CVE-2026-61441 | PraisonAI: IDOR lets members delete owner dependencies | 6.5 | |
| CRITICAL | CVE-2026-61444 | PraisonAI: code injection via f-string in deploy API | praisonai | 9.1 |
| MEDIUM | CVE-2026-49844 | Log4j API: NaN/Infinity breaks JSON log serialization | - | |
| MEDIUM | CVE-2026-34481 | Log4j: non-finite floats break JSON log ingestion | - | |
| HIGH | CVE-2026-61439 | PraisonAI: umbral de bloqueo mal configurado permite prompt injection | praisonai | 7.5 |
| CRITICAL | CVE-2026-60090 | PraisonAI: SQL/CQL injection via unvalidated vector dim | praisonai | 9.8 |
| MEDIUM | CVE-2026-60088 | PraisonAI: path traversal leaks files into LLM prompts | praisonai | 5.5 |
| HIGH | CVE-2026-61442 | PraisonAI Platform: workspace members bypass owner authz | 7.1 | |
| CRITICAL | CVE-2026-56271 | Flowise: hardcoded JWT secrets enable full auth bypass | Flowise | 9.8 |
| MEDIUM | CVE-2026-15531 | HashNeRF: torch.load deserialization allows local RCE | 5.3 |