AI Sec Watch

In Aidex versions before 1.7, a logged-in attacker could exploit an open registry to run unauthorized commands on the system through prompt injection attacks (tricking the AI by hiding malicious instructions in user input) via the chat message endpoint. This allowed them to execute operating system commands, access databases, and invoke framework functions.

MaxKB (Max Knowledge Base) is an open source system that answers questions using a large language model and RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions). A reverse shell vulnerability (a security flaw that lets attackers gain control of a system remotely) exists in its function library module and can be exploited by privileged users to create unauthorized access.

BentoML is a Python library for building AI model serving systems, but versions before 1.4.8 had a vulnerability in its runner server that allowed attackers to execute arbitrary code (unauthorized commands) by sending specially crafted requests with specific headers and parameters, potentially giving them full access to the server and its data.

Spammers used OpenAI's GPT-4o-mini model to generate unique spam messages for each target website, allowing them to bypass spam-detection filters (systems that block unwanted messages) across over 80,000 sites in four months. The spam campaign, called AkiraBot, automated message delivery through website contact forms and chat widgets to promote search optimization services. OpenAI revoked the spammers' account in February after the activity was discovered.

CVE-2025-26644 is a vulnerability in Windows Hello (a biometric authentication system) where its recognition mechanism fails to properly detect or handle adversarial input perturbations (slight changes designed to fool AI systems). This weakness allows a local attacker to spoof someone's identity without authorization.

Cursor (a code editor designed for AI-assisted programming) had a bug in versions 0.45.0 through 0.48.6 where the Cursor Agent (an AI component that can automatically modify files) could be tricked into writing to files outside the workspace the user opened, either through direct user requests or hidden instructions in context. However, the risk was low because exploitation required deliberate prompting and any changes were visible to the user for review.

Langflow versions before 1.3.0 have a code injection vulnerability (a flaw where attackers can insert and run malicious code) in the /api/v1/validate/code endpoint that allows unauthenticated attackers (those without login credentials) to execute arbitrary code by sending specially crafted HTTP requests (formatted messages to the server). This vulnerability is actively being exploited in the wild.

GitHub Copilot can be customized using instructions from a .github/copilot-instructions.md file in your repository, but security researchers at Pillar Security have identified risks with such custom instruction files (similar to risks found in other AI tools like Cursor). GitHub has responded by updating their Web UI to highlight invisible Unicode characters (characters hidden in text that don't display visibly), referencing both the Pillar Security research and concerns about ASCII smuggling (hiding malicious code in plain-text files using character tricks).

BentoML v1.4.2 contains a Remote Code Execution (RCE) vulnerability caused by insecure deserialization (unsafe handling of data conversion from storage format back into code objects), which allows unauthenticated users to execute arbitrary code on the server through an unsafe code segment in serde.py. This is a critical security flaw in a Python library used for building AI model serving systems.