AI Sec Watch

picklescan before version 0.0.23 has a vulnerability where an attacker can manipulate a ZIP archive (a compressed file format) by changing filenames in the ZIP header while keeping the original filename in the directory listing. This causes picklescan to crash with a BadZipFile error when trying to scan PyTorch model files (machine learning models), but PyTorch's more forgiving ZIP handler still loads the model anyway, allowing malicious code to bypass the security scanner.

The Aiomatic WordPress plugin (used to generate AI-written content and images) has a vulnerability in versions up to 2.3.8 that allows authenticated users with Contributor access or higher to upload any type of file to the server due to missing file type validation (checking what kind of file is being uploaded). This could potentially allow attackers to run malicious code on the affected website.

The Aiomatic WordPress plugin (used for AI-powered content writing) has a security flaw in versions up to 2.3.6 where it fails to check user permissions properly, allowing attackers with basic user accounts (Subscriber level and above) to perform dangerous actions like deleting posts, removing files, and clearing logs that they shouldn't be able to access. This vulnerability puts user data at risk of unauthorized modification or deletion.

A new policy paper called 'Superintelligence Strategy' proposes that advanced AI systems surpassing human capabilities in most areas pose national security risks requiring a three-part approach: deterrence (using threat of retaliation to prevent AI dominance races), nonproliferation (restricting advanced AI access to non-state actors like terrorist groups), and competitiveness (building AI strength domestically). The deterrence strategy, called Mutual Assured AI Malfunction (MAIM), mirrors nuclear strategy by threatening cyberattacks on destabilizing AI projects to prevent any single country from gaining dangerous AI superiority.

A vulnerability (CVE-2025-1953) was found in vLLM AIBrix 0.2.0 in the Prefix Caching component (a feature that speeds up AI model processing by reusing cached data) that produces insufficiently random values, potentially compromising security. The vulnerability is rated as low severity and difficult to exploit, but it affects the cryptographic security of the system.

A cross-site scripting (XSS, where an attacker injects malicious code into a webpage to trick users) vulnerability was found in the ChatGPT Open AI Images & Content for WooCommerce plugin, affecting versions up to 2.2.0. The vulnerability allows attackers to inject harmful scripts through reflected XSS (where malicious input is immediately reflected back to the user without proper filtering).

CVE-2025-25185 is a vulnerability in GPT Academic (version 3.91 and earlier) where the software does not properly handle soft links (special files that point to other files). An attacker can create a malicious soft link, upload it in a compressed tar.gz file, and when the server decompresses it, the soft link will point to sensitive files on the victim's server, allowing the attacker to read all server files.

The EU AI Act includes specific support measures for small and medium-sized enterprises (SMEs, defined as companies with fewer than 250 employees and under €50 million in annual revenue). These measures include regulatory sandboxes (controlled testing environments for AI products outside normal regulatory rules), reduced compliance fees scaled to company size, simplified documentation forms, free training, and dedicated support channels to help SMEs follow the AI Act's requirements.

ChatGPT Operator is an AI agent that can control web browsers to complete tasks, but it is vulnerable to prompt injection (tricking the AI by hiding malicious instructions in its input) that could allow attackers to steal data or perform unauthorized actions. OpenAI has implemented three defensive layers: user monitoring to watch what the agent does, inline confirmation requests within the chat asking the user to approve actions, and out-of-band confirmation requests that appear when the agent crosses website boundaries, though these mitigations are not foolproof.