AI Sec Watch

Attackers can use prompt injection (tricking an AI by hiding malicious instructions in its input) to create fake memories in ChatGPT's memory tool, causing the AI to refuse all future responses with a maintenance message that persists across chat sessions. This creates a denial of service attack (making a service unavailable to users) that lasts until the user manually fixes it.

Khoj, an application that creates personal AI agents, has a vulnerability in its Obsidian, Desktop, and Web clients where user inputs and AI responses are not properly cleaned (sanitized). This allows attackers to inject malicious code through prompt injection (tricking the AI by hiding instructions in its input) via untrusted documents, which can trigger XSS (cross-site scripting, where malicious code runs in a user's browser when they view a webpage).

The OpenAI ChatGPT app for macOS before July 5, 2024 had two security problems: it disabled the sandbox (a security boundary that limits what an app can access) and stored conversations in cleartext (unencrypted plain text) in a location that other apps could read. This meant user conversations were exposed to other programs on the same computer.

The EU AI Act Code of Practice is a voluntary set of guidelines published in July 2025 to help general-purpose AI (GPAI, large AI models used across many applications) model providers comply with new EU AI regulations during the gap period before formal European standards take effect in 2027 or later. The Code, developed by the EU AI Office and many stakeholders, covers three areas: Transparency and Copyright (for all GPAI providers) and Safety and Security (for providers of GPAI models with systemic risk, meaning those that could cause widespread harm). Though not legally binding, the Commission and EU AI Board confirmed the Code adequately demonstrates compliance with the AI Act's requirements.

Gradio v4.36.1 contains a code injection vulnerability (CWE-94, improper control of code generation) in the /gradio/component_meta.py file that can be triggered by crafted input. The vulnerability supplier disputes the report, arguing it describes a user attacking their own system rather than a genuine security flaw.

Flowise version 1.4.3 has a reflected cross-site scripting vulnerability (XSS, a type of attack where malicious code is injected into a webpage) in its `/api/v1/credentials/id` endpoint that allows attackers to inject harmful JavaScript into user sessions, potentially stealing information or redirecting users to malicious websites. The vulnerability is especially dangerous because it can be exploited without authentication in the default configuration and can be combined with other attacks to read files from the Flowise server.

Flowise version 1.4.3 has a reflected cross-site scripting vulnerability (XSS, where an attacker injects malicious code into web pages shown to users) in its `/api/v1/chatflows-streaming/id` endpoint. If using default settings without authentication, an attacker can craft a malicious URL that runs JavaScript in a user's browser, potentially stealing information, showing fake popups, or redirecting users to other websites.

Flowise version 1.4.3 has a reflected cross-site scripting vulnerability (XSS, a type of attack where malicious code is injected into a webpage) in its `/api/v1/public-chatflows/id` endpoint. An attacker can craft a malicious URL that injects JavaScript code into a user's session, potentially stealing information, showing fake popups, or redirecting users to other websites. This vulnerability is especially dangerous because the vulnerability exists in an unauthenticated endpoint (one that doesn't require a login) and can potentially be combined with other attacks to read files from the server.

Flowise version 1.4.3 contains a reflected cross-site scripting vulnerability (XSS, a type of attack where malicious code is injected into a webpage to compromise user sessions) in its chatflow endpoint that allows attackers to steal information or redirect users to other sites if the default unauthenticated configuration is used. The vulnerability occurs because when a chatflow ID is not found, the invalid ID is displayed in the error page without proper protection, letting attackers inject arbitrary JavaScript code. This XSS flaw can potentially be combined with path injection attacks (exploiting how the system handles file paths) to read files from the Flowise server.