The rapid rise of open-source applications and frameworks powered by large language models (LLMs) has introduced new and complex security risks. While recent studies have explored prompt injection, model misuse, and runtime vulnerabilities in isolated cases, the system-wide security risks of this ecosystem remain under-examined. In this paper, we present an empirical study of security advisories reported through GitHub for popular LLM-Powered Applications (LPAs) and their underlying Local Inference Frameworks (LIFs, such as llama.cpp and vLLM), aiming to surface system-wide security risks across the LLM software stack. We curate and analyze a dataset of 50 real-world vulnerabilities, classifying them by type, severity, and root cause. Our analysis reveals different risk profiles: LPAs tend to suffer from input-driven web vulnerabilities, while LIFs exhibit memory safety and dependency-related issues. We also identify common and unique characteristics of security vulnerabilities in LPAs and LIFs when compared to traditional open-source projects. Our findings highlight the urgent need for systematic security practices, better disclosure mechanisms, and lifecycle-aware defenses across the rapidly evolving LLM software stack.