AI Sec Watch

Langfuse, an open source platform for managing large language models, had a vulnerability in versions 2.70.0 through 2.95.10 and 3.x through 3.124.0 where the server didn't properly check which organization a user belonged to, allowing any authenticated user to see names and email addresses of members in other organizations if they knew the target organization's ID. The vulnerability required the attacker to have a valid account on the same Langfuse instance and knowledge of the target organization's ID, and no customer data like traces, prompts, or evaluations were exposed.

A WordPress plugin called Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI has a SQL injection vulnerability (a security flaw where attackers can insert harmful database commands into the plugin's code) in versions up to 3.40.0. Attackers with Editor-level access or higher can exploit the 'post_types' parameter to extract sensitive information from the website's database because the plugin doesn't properly clean up user input before using it in database queries.

ATLAS Data v5.1.0 is an updated framework that documents security threats and defenses related to AI systems, now containing 16 tactics, 84 techniques, and 32 mitigations. The update adds new attack methods targeting AI, such as prompt injection (tricking an AI by hiding instructions in its input), deepfake generation, and data theft from AI services, along with new defensive measures like human oversight of AI agent actions and restricted permissions for AI tools. It also includes 42 real-world case studies showing how these attacks and defenses apply in practice.

A vulnerability in oobabooga text-generation-webui (CVE-2025-12488) allows attackers to execute arbitrary code (running any commands they want on a system) by exploiting the trust_remote_code parameter in the load endpoint. The flaw occurs because the software doesn't properly validate user input before using it to load a model, and no authentication is required to exploit it.

A vulnerability in oobabooga text-generation-webui allows attackers to run arbitrary code (unauthorized commands) on the system without needing to log in. The flaw occurs because the software doesn't properly check user input for the trust_remote_code parameter before using it to load a model, letting attackers execute code with the same permissions as the service.

A vulnerability in Ays Pro AI ChatBot with ChatGPT and Content Generator (version 2.6.6 and earlier) allows sensitive information to be exposed when data is sent. The flaw, called CWE-201 (insertion of sensitive information into sent data), means attackers could potentially retrieve embedded sensitive data from the plugin.

The Better Find and Replace plugin for WordPress (versions up to 1.7.7) has a security flaw where a function called rtafar_ajax() doesn't properly check user permissions, allowing low-level authenticated users (Subscriber-level access) to trigger OpenAI API key usage and consume quota, potentially costing money. This happens because the code is missing a capability check (a permission verification system that controls what users can do).

Under the EU AI Act, organizations that modify existing AI systems or general-purpose AI models (GPAI models, which are foundational AI systems designed to perform many different tasks) may become legally classified as "providers" and face significant compliance responsibilities. The article explains that modifications triggering higher compliance burdens typically involve high-risk AI systems or substantial changes to a GPAI model's capabilities or generality, such as fine-tuning (customizing a model for specific tasks). Proper assessment of whether a modification triggers provider status is critical, since misclassification can result in fines up to €15 million or 3% of global annual revenue.

Cursor, a code editor designed for programming with AI, has a logic bug in versions 1.7.23 and below that allows attackers to bypass cursorignore (a file that protects sensitive files from being read). An attacker who has already performed prompt injection (tricking an AI by hiding instructions in its input) or controls a malicious AI model could create a new cursorignore file to override existing protections and access protected files.