aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI Sec Watch

The security intelligence platform for AI teams

AI security threats move fast and get buried under hype and noise. Built by an Information Systems Security researcher to help security teams and developers stay ahead of vulnerabilities, privacy incidents, safety research, and policy developments.

Independent research. No sponsors, no paywalls, no conflicts of interest.

Total tracked: 3,710 | Last 24 hours: 1 | Last 7 days: 1

Daily Briefing: Sunday, May 17, 2026

No new AI/LLM security issues were identified today.

Latest Intel (page 262 of 371)
01

Cursor IDE: Arbitrary Data Exfiltration Via Mermaid (CVE-2025-54132)

security
Aug 4, 2025

Cursor IDE (an AI-powered code editor) has a vulnerability where it can render Mermaid diagrams (a tool for creating flowcharts and diagrams from simple text) that include external image requests without user confirmation. An attacker can use prompt injection (tricking the AI by hiding malicious instructions in code comments or other inputs) to embed image URLs in these diagrams, allowing them to steal sensitive data like API keys or user memories by encoding that information in the URL sent to an attacker-controlled server.

Embrace The Red
02

Anthropic Filesystem MCP Server: Directory Access Bypass via Improper Path Validation

security
Aug 3, 2025

Anthropic's filesystem MCP server (a tool that lets AI assistants like Claude access your computer's files) had a path validation vulnerability where it only checked if a file path started with an allowed directory name, rather than confirming it was actually in that directory. This meant if you allowed access to /mnt/finance/data, the AI could also access sibling files like /mnt/finance/data-archived because the path string starts the same way.

Fix: Anthropic rewrote the filesystem server to support the roots feature of MCP, and this updated release fixed the vulnerability. The vulnerability is tracked as CVE-2025-53109.

Embrace The Red
03

Turning ChatGPT Codex Into A ZombAI Agent

security, safety
Aug 2, 2025

ChatGPT Codex, a cloud-based AI tool that answers code questions and writes software, is vulnerable to prompt injection (tricking an AI by hiding instructions in its input) attacks that can turn it into a node of a botnet (a network of compromised computers controlled remotely). An attacker can exploit the "Common Dependencies Allowlist" feature, which allows Codex internet access to certain approved servers, by hosting malicious code on Azure and injecting fake instructions into GitHub issues to hijack Codex and steal sensitive data or run malware.

Fix: Review the allowlist for the Dependency Set and apply a fine-grained approach. OpenAI recommends only using a self-defined allowlist when enabling Internet access, as Codex can be configured very granularly. Additionally, consider installing EDR (endpoint detection and response, security software that monitors suspicious activity) and other monitoring software on AI agents to track their behavior and detect if malware is installed.

Embrace The Red
04

CVE-2025-54424: 1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server

security
Aug 1, 2025

1Panel is a web management tool that controls websites, files, containers (isolated software environments), databases, and AI models on Linux servers. In versions 2.0.5 and earlier, the tool's HTTPS connection (encrypted communication) between its core system and agent components doesn't fully verify certificates (digital identification documents), allowing attackers to gain unauthorized access and execute arbitrary commands on the server.

Fix: Fixed in version 2.0.6. Users should update to this version or later.

NVD/CVE Database
05

CVE-2025-54132: Cursor is a code editor built for programming with AI. In versions below 1.3, Mermaid (which is used to render diagrams)

security
Aug 1, 2025

Cursor, a code editor that uses AI to help with programming, has a vulnerability in versions below 1.3 where Mermaid (a diagram rendering tool) can embed images that leak sensitive information to an attacker's server. An attacker could exploit this by using prompt injection (tricking the AI by hiding instructions in its input) through malicious data like websites, uploaded images, or source code, potentially stealing data when the images are fetched.

Fix: This issue is fixed in version 1.3. Users should update Cursor to version 1.3 or later.

NVD/CVE Database
06

CVE-2025-54131: Cursor is a code editor built for programming with AI. In versions below 1.3, an attacker can bypass the allow list in a

security
Aug 1, 2025

Cursor is a code editor designed for programming with AI that has a vulnerability in versions below 1.3. If a user changes Cursor's default settings to use an allowlist (a list of approved commands), an attacker can bypass this protection by using backticks (`) or $(cmd) syntax to run arbitrary commands (unrestricted code execution) without permission, especially when combined with indirect prompt injection (tricking the AI through hidden instructions in input).

Fix: This is fixed in version 1.3.

NVD/CVE Database
07

CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive

security
Aug 1, 2025

CVE-2025-45150 is a vulnerability in LangChain-ChatGLM-Webui (a tool that combines language models with a web interface) caused by insecure permissions (CWE-732, which means access controls are set incorrectly on important resources). Attackers can exploit this flaw by sending specially crafted requests to view and download sensitive files they shouldn't be able to access.

NVD/CVE Database
08

CVE-2025-50472: The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untruste

security
Aug 1, 2025

The modelscope/ms-swift library up to version 2.6.1 has a critical vulnerability where it unsafely deserializes (reconstructs objects from saved data) untrusted files using pickle.load(), a Python function that can run arbitrary code during deserialization. Attackers can exploit this by tricking users into loading a malicious checkpoint file during model training, executing code on their machine while keeping the training process running normally so the user doesn't notice the attack.

NVD/CVE Database
09

Exfiltrating Your ChatGPT Chat History and Memories With Prompt Injection

security, privacy
Aug 1, 2025

A researcher discovered that ChatGPT's 'safe URL' feature, which is supposed to prevent data theft, can be bypassed using prompt injection (tricking an AI by hiding malicious instructions in its input). By exploiting this bypass, an attacker can trick ChatGPT into sending sensitive information like your chat history and memories to a server they control, especially if you ask ChatGPT to process untrusted content like PDFs or websites.

Embrace The Red
10

CVE-2025-7725: The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Str

security
Aug 1, 2025

A WordPress plugin called 'Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery' has a stored cross-site scripting vulnerability (XSS, a security flaw where attackers inject malicious code into a website that runs when others visit it) in its comment feature through version 26.1.0. Because the plugin doesn't properly clean and validate user input, unauthenticated attackers can inject harmful scripts that will execute for anyone viewing the affected pages.

NVD/CVE Database