AI Sec Watch

A vulnerability in gemini-mcp-tool's execAsync method allows attackers to run arbitrary code (RCE, or remote code execution) on systems using this tool without needing to log in. The flaw occurs because the tool doesn't properly check user input before running system commands, letting attackers inject malicious commands.

CVE-2026-24307 is a vulnerability in Microsoft 365 Copilot where improper validation of input (failure to check that data matches what the system expects) allows an attacker to access and disclose information over a network without authorization. The vulnerability has a CVSS score of 4.0 (a moderate severity rating on a 0-10 scale).

CVE-2026-21521 is a vulnerability in Microsoft Copilot where improper handling of escape sequences (special characters used to control how text is displayed or interpreted) allows an attacker to disclose information over a network without authorization. The vulnerability is classified as CWE-150 (improper neutralization of escape, meta, or control sequences) and was reported by Microsoft Corporation.

CVE-2026-21520 is a vulnerability in Microsoft Copilot Studio that allows an unauthenticated attacker to view sensitive information through a network-based attack. The vulnerability stems from improper handling of special characters in commands (command injection, where attackers manipulate input to execute unintended commands), and affects Copilot Studio's hosted service.

Typebot, an open-source chatbot builder, has a vulnerability in versions before 3.13.2 where malicious chatbots can execute JavaScript (code that runs in a user's browser) to steal stored credentials like OpenAI API keys and passwords. The vulnerability exists because an API endpoint returns plaintext credentials without checking if the person requesting them actually owns them.

Attackers can use large language models (LLMs, AI systems trained on vast amounts of text to generate human-like responses) to create phishing pages that appear safe at first but transform into malicious sites after a victim visits them. The attack works by having a webpage secretly request the LLM to generate malicious JavaScript (code that runs in web browsers) using carefully crafted prompts that trick the AI into ignoring its safety rules, then assembling and running this code inside the victim's browser in real time. Because the malicious code is generated fresh each time and comes from trusted AI services, it bypasses traditional network security checks.

Langfuse versions 3.146.0 and earlier have a security flaw in the Slack integration endpoint that doesn't properly verify users before connecting their Slack workspace to a project. An attacker can exploit this to connect their own Slack workspace to any project without permission, potentially gaining access to prompt changes or replacing automation integrations (configurations that automatically perform tasks when triggered). This vulnerability affects the Prompt Management feature, which stores AI prompts that can be modified.

vLLM (a system for running and serving large language models) had a security flaw in versions 0.10.1 through 0.13.x where it automatically loaded code from model repositories without checking if that code was trustworthy, allowing attackers to run malicious Python commands on the server when a model loads. This vulnerability doesn't require the attacker to have access to the API or send requests; they just need to control which model repository vLLM tries to load from.

Claude Code (an agentic coding tool, meaning an AI that can write and modify code) had a vulnerability before version 2.0.65 where malicious code repositories could steal users' API keys (secret authentication tokens). An attacker could hide a settings file in a repository that redirects API requests to their own server, and Claude Code would send the user's API key there before showing a trust confirmation prompt.