AI Sec Watch

CVE-2026-21521 is a vulnerability in Microsoft Copilot where improper handling of escape sequences (special characters used to control how text is displayed or interpreted) allows an attacker to disclose information over a network without authorization. The vulnerability is classified as CWE-150 (improper neutralization of escape, meta, or control sequences) and was reported by Microsoft Corporation.

CVE-2026-21520 is a vulnerability in Microsoft Copilot Studio that allows an unauthenticated attacker to view sensitive information through a network-based attack. The vulnerability stems from improper handling of special characters in commands (command injection, where attackers manipulate input to execute unintended commands), and affects Copilot Studio's hosted service.

Typebot, an open-source chatbot builder, has a vulnerability in versions before 3.13.2 where malicious chatbots can execute JavaScript (code that runs in a user's browser) to steal stored credentials like OpenAI API keys and passwords. The vulnerability exists because an API endpoint returns plaintext credentials without checking if the person requesting them actually owns them.

Attackers can use large language models (LLMs, AI systems trained on vast amounts of text to generate human-like responses) to create phishing pages that appear safe at first but transform into malicious sites after a victim visits them. The attack works by having a webpage secretly request the LLM to generate malicious JavaScript (code that runs in web browsers) using carefully crafted prompts that trick the AI into ignoring its safety rules, then assembling and running this code inside the victim's browser in real time. Because the malicious code is generated fresh each time and comes from trusted AI services, it bypasses traditional network security checks.

Langfuse versions 3.146.0 and earlier have a security flaw in the Slack integration endpoint that doesn't properly verify users before connecting their Slack workspace to a project. An attacker can exploit this to connect their own Slack workspace to any project without permission, potentially gaining access to prompt changes or replacing automation integrations (configurations that automatically perform tasks when triggered). This vulnerability affects the Prompt Management feature, which stores AI prompts that can be modified.

vLLM (a system for running and serving large language models) had a security flaw in versions 0.10.1 through 0.13.x where it automatically loaded code from model repositories without checking if that code was trustworthy, allowing attackers to run malicious Python commands on the server when a model loads. This vulnerability doesn't require the attacker to have access to the API or send requests; they just need to control which model repository vLLM tries to load from.

Claude Code (an agentic coding tool, meaning an AI that can write and modify code) had a vulnerability before version 2.0.65 where malicious code repositories could steal users' API keys (secret authentication tokens). An attacker could hide a settings file in a repository that redirects API requests to their own server, and Claude Code would send the user's API key there before showing a trust confirmation prompt.

CVE-2025-66960 is a vulnerability in Ollama v.0.12.10 where a remote attacker can cause a denial of service (making a service unavailable by overwhelming it) by sending malicious GGUF metadata (a file format used in machine learning). The issue is in the readGGUFV1String function, which reads string length data from untrusted sources without properly validating it.

CVE-2025-66959 is a vulnerability in ollama v.0.12.10 that allows a remote attacker to cause a denial of service (making a service unavailable by overwhelming it) through the GGUF decoder (the part of the software that reads GGUF format files). The vulnerability stems from improper input validation and uncontrolled resource consumption in how the decoder processes data.