AI Sec Watch

The WP Import – Ultimate CSV XML Importer plugin for WordPress has a security flaw in versions up to 7.33 where the showsetting() function is missing an authorization check (a verification that the person accessing it has permission). This allows authenticated attackers with Author-level access or higher to extract sensitive information, including OpenAI API keys (secret credentials used to access the OpenAI service) that are configured through the plugin's admin interface.

CVE-2025-33202 is a stack overflow vulnerability (a memory safety bug where a program writes too much data into a reserved area of memory) in NVIDIA's Triton Inference Server for Linux and Windows. An attacker could exploit this by sending extremely large data payloads, potentially crashing the service and making it unavailable to users (denial of service).

CVE-2025-62453 is a vulnerability in GitHub Copilot and Visual Studio Code where improper validation of generative AI output (not properly checking what the AI generates) allows an authorized attacker to bypass a security feature on their local computer. The vulnerability is classified as a protection mechanism failure (CWE-693, a flaw in how security controls are designed).

A path traversal vulnerability (CWE-22, where an attacker manipulates file paths to access files outside their intended directory) was discovered in Visual Studio Code's CoPilot Chat Extension that allows an authorized attacker to bypass a security feature on their local computer. The vulnerability is tracked as CVE-2025-62449 and was reported by Microsoft Corporation.

CVE-2025-62222 is a command injection vulnerability (where an attacker tricks software into running unintended commands) in the Visual Studio Code CoPilot Chat Extension that allows an unauthorized attacker to execute code over a network. The vulnerability stems from improper neutralization of special elements in commands and inadequate input validation (checking that data is safe before using it).

This research paper argues that the real problem with machine learning classifiers isn't that robustness (resistance to adversarial attacks, where small malicious changes trick the AI) and accuracy are fundamentally opposed, but rather that continuous functions (smooth mathematical functions without jumps or breaks) cannot achieve both properties simultaneously. The authors propose that effective robust and accurate classifiers should use discontinuous functions (functions with breaks or sudden changes) instead, and show that understanding this continuity property is crucial for building, analyzing, and testing modern machine learning models.

Milvus, an open-source vector database (a specialized database that stores and searches data based on similarity patterns, used in AI applications), has a critical vulnerability in older versions that allows attackers to skip authentication and gain full admin control over the database without needing a password. This means attackers could read, change, or delete any data and perform administrative tasks like managing databases.

This release notes document describes version updates across multiple llama-index (a framework for building AI applications with language models) components, including fixes for bugs like a ReActOutputParser (a tool that interprets AI agent outputs) getting stuck, improved support for multiple AI model providers like OpenAI and Google Gemini, and updates to various integrations with external services. The updates span from core functionality fixes to documentation improvements and SDK compatibility updates across dozens of sub-packages.

Langfuse, an open source platform for managing large language models, had a vulnerability in versions 2.70.0 through 2.95.10 and 3.x through 3.124.0 where the server didn't properly check which organization a user belonged to, allowing any authenticated user to see names and email addresses of members in other organizations if they knew the target organization's ID. The vulnerability required the attacker to have a valid account on the same Langfuse instance and knowledge of the target organization's ID, and no customer data like traces, prompts, or evaluations were exposed.