aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI Sec Watch

The security intelligence platform for AI teams

AI security threats move fast and get buried under hype and noise. Built by an Information Systems Security researcher to help security teams and developers stay ahead of vulnerabilities, privacy incidents, safety research, and policy developments.

Independent research. No sponsors, no paywalls, no conflicts of interest.

Total tracked: 3,710
Last 24 hours: 1
Last 7 days: 1

Daily Briefing: Sunday, May 17, 2026

No new AI/LLM security issues were identified today.

Latest Intel

01

CVE-2025-12189: The Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents plugin for WordPres

security
Dec 5, 2025

A WordPress plugin called 'The Bread & Butter' has a security flaw called CSRF (cross-site request forgery, where an attacker tricks someone into performing an unwanted action on a website) in versions up to 7.10.1321. The flaw exists in the image upload function because it lacks proper nonce validation (a security token that verifies a request is legitimate), allowing attackers to upload malicious files that could lead to RCE (remote code execution, where an attacker runs commands on the website) if they can trick an admin into clicking a malicious link.

NVD/CVE Database
02

The Normalization of Deviance in AI

safety, research
Dec 4, 2025

The AI industry is gradually accepting LLM (large language model) outputs as reliable without questioning them, similar to how NASA ignored warning signs before the Challenger disaster. This 'normalization of deviance' (accepting behavior that deviates from proper standards as normal) is particularly risky in agentic systems (AI systems that can take independent actions without human approval at each step), where unchecked LLM decisions could cause serious problems.

Embrace The Red
03

CVE-2025-66479: Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrar

security
Dec 4, 2025

Anthropic Sandbox Runtime is a tool that restricts what processes can access on a computer's filesystem (file storage) and network without needing containers (isolated computing environments). Before version 0.0.16, a bug prevented the network sandbox from working correctly when no allowed domains were specified, which could let code inside the sandbox make network requests it shouldn't be able to make.

Fix: A patch was released in v0.0.16 that fixes this issue.

NVD/CVE Database
04

v0.14.10

industry
Dec 4, 2025

Version 0.14.10 of llama-index-core added a mock function calling LLM (a simulated language model that can pretend to execute functions), while related packages fixed typos and added new integrations like Airweave tool support for advanced search capabilities. This is a routine software release with feature additions and bug fixes.

LlamaIndex Security Releases
05

CVE-2025-33211: NVIDIA Triton Server for Linux contains a vulnerability where an attacker may cause an improper validation of specified

security
Dec 3, 2025

NVIDIA Triton Server for Linux has a vulnerability where attackers can bypass input validation (improper validation of specified quantity in input) by sending malformed data. This flaw could allow an attacker to cause a denial of service attack (making a system unavailable to legitimate users).

NVD/CVE Database
06

CVE-2025-33201: NVIDIA Triton Inference Server contains a vulnerability where an attacker may cause an improper check for unusual or exc

security
Dec 3, 2025

NVIDIA Triton Inference Server has a vulnerability (CVE-2025-33201) where an attacker can send extremely large data payloads to bypass safety checks, potentially crashing the service and making it unavailable to legitimate users (a denial of service attack). The vulnerability stems from improper validation of unusual or exceptional input conditions.

NVD/CVE Database
07

CVE-2025-66404: MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, there is

security
Dec 3, 2025

MCP Server Kubernetes (a tool that lets software manage Kubernetes clusters, which are systems for running containerized applications) has a vulnerability in versions before 2.9.8 where the exec_in_pod tool accepts user commands without checking them first. When commands are provided as strings, they go directly to shell interpretation (sh -c, a command processor) without validation, allowing attackers to inject malicious shell commands either directly or through prompt injection (tricking an AI into running hidden instructions in its input).

Fix: Update to version 2.9.8, where this vulnerability is fixed.

NVD/CVE Database
08

CVE-2025-66032: Claude Code is an agentic coding tool. Prior to 1.0.93, due to errors in parsing shell commands related to $IFS and shor

security
Dec 3, 2025

Claude Code is an agentic coding tool (software that can write and run code automatically) that had a vulnerability before version 1.0.93 where errors in parsing shell commands (instructions to a computer's operating system) allowed attackers to bypass read-only protections and execute arbitrary code if they could add untrusted content to the tool's input. This vulnerability (command injection, or tricking the tool into running unintended commands) had a CVSS score (0-10 severity rating) of 8.7, marking it as high-risk.

Fix: Update Claude Code to version 1.0.93 or later, where this vulnerability is fixed.

NVD/CVE Database
09

CVE-2025-13359: The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL

security
Dec 3, 2025

A WordPress plugin called 'Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI' has a time-based SQL injection vulnerability (a security flaw where attackers can insert malicious database commands through user input) in its "getTermsForAjax" function in versions up to 3.40.1. Authenticated users with contributor-level access or higher can exploit this flaw to extract sensitive information from the website's database because the plugin doesn't properly validate user input before using it in database queries.

NVD/CVE Database
10

CVE-2025-13354: The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization

security
Dec 3, 2025

A WordPress plugin called AI Autotagger with OpenAI has a security flaw in versions up to 3.40.1 where it fails to properly check if users have permission to perform certain actions. This authorization bypass (a failure to verify that someone is allowed to do something) allows authenticated attackers with basic subscriber-level access to merge or delete taxonomy terms (categories and tags used to organize content) that they shouldn't be able to modify.

Fix: A patch is available. According to the source, users should update to the version fixed in the GitHub commit referenced at https://github.com/TaxoPress/TaxoPress/commit/5eb2cee861ebd109152eea968aca0259c078c8b0.

NVD/CVE Database