All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

Salesforce is acquiring Fin (formerly Intercom), an AI customer service platform, for $3.6 billion to strengthen its agentic AI (autonomous artificial intelligence agents that can independently handle tasks) offerings. Fin's main product is an AI agent powered by a proprietary model called Apex that can resolve customer inquiries across multiple channels including chat, email, WhatsApp, and Slack. This acquisition reflects how software companies are competing to invest in more autonomous AI technologies as businesses increasingly demand agentic solutions.

A vulnerability in Angular's Service Worker allows sensitive credentials (like authorization tokens or session cookies) to leak to untrusted websites when the Service Worker follows cross-origin redirects (requests sent to a different domain). The Service Worker fails to remove these sensitive headers when redirecting to another origin, exposing them to attackers.
Fix: Update to one of the patched versions: 22.0.1, 21.2.17, or 20.3.25.
Source: GitHub Advisory Database

Angular's `HttpTransferCache` uses a weak 32-bit hash function to cache HTTP responses during server-side rendering (SSR, where a web server generates HTML before sending it to the browser), making it vulnerable to hash collisions (when two different inputs produce the same output). An attacker can craft a malicious link that causes a sensitive response (like user profile data) to be overwritten with attacker-controlled data, leading to state poisoning (corrupting the application's data) or information leakage.
Fix: Update Angular to patched versions 22.0.1, 21.2.17, or 20.3.25, which now use SHA-256 (a cryptographically secure hashing algorithm) instead of the weak 32-bit hash. If you cannot upgrade immediately, either disable transfer caching for sensitive endpoints by adding `transferCache: false` to individual `HttpClient` requests, or disable HTTP transfer caching globally using `provideClientHydration(withNoHttpTransferCache())` in your app configuration.
Source: GitHub Advisory Database

Angular's `formatNumber` function (used by DecimalPipe, PercentPipe, and CurrencyPipe for formatting numbers in templates) has a vulnerability where it doesn't limit how large the `digitsInfo` parameter (which specifies decimal places, like '1.2-4') can be. An attacker who can control this parameter can force the function into an unbounded loop that crashes the server with an out-of-memory error in server-side applications, or freezes the user's browser in client-side applications.
Fix: Update to one of these patched versions: Angular 22.0.0-rc.2, 21.2.15, 20.3.22, or 19.2.23.
Source: GitHub Advisory Database

LiteLLM, a widely-used open-source AI gateway (a system that routes AI requests to multiple providers), has a critical vulnerability chain (CVSS score of 9.9, meaning extremely severe) that lets low-privilege users gain full admin control and run code on the server. The three bugs work together: an authorization bypass (CVE-2026-47101) that lets users create keys with unlimited access, a privilege escalation (CVE-2026-47102) that promotes users to admin, and a sandbox escape (CVE-2026-40217) that executes arbitrary code. This compromise exposes all provider API keys, encrypted credentials, and all prompts and responses passing through the gateway, plus allows attackers to alter AI responses in transit.
Fix: Upgrade to LiteLLM v1.83.14-stable or later. This release, published May 2, includes the complete fix set for all three CVEs in the vulnerability chain.
Source: The Hacker News

A critical flaw in Microsoft 365 Copilot Enterprise Search could let attackers steal emails, calendar details, and multi-factor authentication codes with a single click on a malicious link. Researchers discovered that three chained bugs, including parameter-to-prompt injection (tricking the AI by hiding instructions in a URL parameter), a timing flaw in how responses are filtered, and a Content Security Policy allowlist for Bing, allowed attackers to extract sensitive data without the user entering any passwords or clicking again.
Fix: Microsoft mitigated the flaw on its backend, so customers have nothing to worry about. No customer action was required.
Source: The Hacker News

Skydio is the largest US drone manufacturer that makes autonomous drones (aircraft that can operate with minimal human control) and sells them to critical industries like utilities, public safety, and militaries for inspecting infrastructure and gathering information. The drone market has shifted dramatically since China-made competitors like DJI were banned from the US, leaving Skydio as a primary alternative for enterprise customers who previously relied on cheaper foreign drones.

SearchLeak is a critical vulnerability in Microsoft 365 Copilot Enterprise that allowed attackers to steal sensitive data like emails, passwords, and documents through a single malicious link. The attack worked by chaining three separate flaws together: parameter-to-prompt injection (tricking the AI by hiding instructions in a URL parameter), an HTML rendering race condition (exploiting a moment when HTML isn't yet protected), and a server-side request forgery in Bing (making Bing unknowingly help retrieve stolen data). Microsoft fixed this vulnerability and assigned it CVE-2026-42824 with a critical severity rating.
Fix: Microsoft addressed SearchLeak at the beginning of the month. With Microsoft having fixed CVE-2026-42824, there's no user action required to mitigate this threat.
Source: BleepingComputer

Langflow, an open-source platform for building AI applications, has a path traversal vulnerability (CVE-2026-5027, rated 8.8 CVSS, a measure of how severe a vulnerability is) that allows attackers to write files to any location on a system and potentially execute remote code. The flaw is particularly dangerous because Langflow has login disabled by default, letting unauthenticated users exploit it with a single request, and attackers are actively using public exploit code to attack the approximately 7,000 internet-exposed instances.
Fix: Update Langflow to version 1.9.0 or later (current version is 1.10.0). The vulnerability affects versions up to 1.8.4, and the fix was released on April 15.
Source: CSO Online

A vulnerability in HKUDS AI-Trader allowed attackers to access sensitive information through the research export feature by manipulating the /api/research/agents.csv file, and this flaw could be exploited remotely without needing physical access to the system. The vulnerability affects versions up to commit 74caf996f78dcc0c657df8365c8544678a16e215, and the exploit details have been made publicly available.
Fix: Apply patch 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65. The vendor confirms the fix requires authentication (proof of identity) and the research_exports capability (a specific permission) to access research export endpoints.
Source: NVD/CVE Database

The U.S. government ordered Anthropic to restrict exports of its Fable and Mythos AI models (advanced models designed to find security vulnerabilities), citing national security concerns, which prompted Anthropic to suspend worldwide access to these models. Dozens of prominent cybersecurity experts published an open letter arguing this ban is dangerous because it removes powerful security tools from defenders while adversaries continue advancing, and they claim the vulnerability that justified the ban can be replicated in other widely available AI models like OpenAI's GPT-5.5 and Claude Opus 4.8.

Anthropic's AI models were taken offline due to disagreements between the company and US government officials over export controls, with personality clashes between key leaders cited as a contributing factor. The government is concerned about jailbreaks (methods to bypass safety restrictions on AI models), and one proposed solution is to make Anthropic's models resistant to jailbreaking, though officials acknowledge this may be impossible to achieve perfectly.
Fix: The source mentions that Anthropic has worked on Constitutional Classifiers (a method to detect and prevent unsafe outputs) and claims no universal jailbreak has been found against Claude Mythos. However, no explicit fix, patch, or confirmed mitigation is presented as a resolved solution in the text.
Source: Simon Willison's Weblog

NewCore, an Israeli cybersecurity startup, has emerged from stealth mode with $66 million in funding to build an identity platform designed for the era of agentic AI (AI systems that can take autonomous actions). The platform uses Secure Split Key (SSK), a technique that prevents a specific class of attacks on SAML (Security Assertion Markup Language, a system for managing authentication) infrastructure, and includes features like hardware-bound credentials and continuous identity discovery to protect human, machine, and AI agent identities.

NewCore, a new cybersecurity startup, has raised $66 million to help companies manage AI agents as workplace participants by giving them digital identities with proper authentication and access controls. As companies increasingly deploy AI agents alongside human employees, NewCore argues that traditional identity platforms (systems that verify who users are and what they can access) are outdated and designed only for humans, not software workers. NewCore's platform treats AI agents as first-class identities with their own permissions and access controls, using a 'split-key' architecture (dividing credentials between the customer and the platform to prevent a single point of failure) to secure them.
Fix: NewCore's platform addresses this through several built-in features explicitly described in the source: a 'split-key' architecture that divides critical identity credentials between the customer and the platform to eliminate a single point of compromise; an 'Agentic Skill' integration package for coding assistants like Claude Code, OpenAI's Codex, and Cursor that allows AI tools to access enterprise systems as managed identities rather than through manually distributed credentials; and a mobile app that lets employees grant, review, and revoke access for AI agents, providing human oversight as companies deploy more autonomous systems.
Source: TechCrunch (Security)

Anthropic stopped all access to its Fable 5 and Mythos 5 AI models after receiving an export control directive (a government order restricting who can use certain technology) that prevents foreign nationals from using these systems. The shutdown was triggered by US regulations that treat advanced AI as technology that needs restricted access.

Researchers discovered that attackers can exploit AI agent guardrails (safety systems that check AI behavior) by inserting malicious content into documents, causing the security mechanisms to enter extended thinking loops that dramatically slow down or crash shared AI systems. This reasoning-extension DoS (denial-of-service, a type of attack that makes systems unavailable) attack targets the safety layer itself rather than trying to jailbreak the AI model, and it works across multiple AI frameworks and different LLM families. Unlike traditional attacks that try to produce unsafe outputs, this technique compromises availability by exhausting computational resources, with some systems experiencing slowdowns of up to 148 times normal speed.

AI agents (software systems that can read data, process external content, and take actions) now commonly have all three dangerous capabilities together, making them vulnerable to prompt injection (tricky instructions hidden in data that trick the AI into doing harmful things). Security teams such as Meta's recommend the 'Rule of Two,' which limits agents to only two of these three capabilities per session and requires human approval if all three are needed, but this framework has limitations and doesn't fully solve the problem.
Fix: Meta's security team published the 'Rule of Two' framework, which recommends agents satisfy no more than two of the three trifecta properties (access to private data, exposure to untrusted content, ability to communicate externally) in a single session, with human-in-the-loop approval required if all three are necessary. Simon Willison endorsed this framework as 'the best practical advice for building secure LLM-powered agent systems today.'
Source: CSO Online

Sovereign cloud (cloud infrastructure located in a specific country or region to comply with data residency laws) alone does not guarantee the control that enterprises expect over their AI workloads, despite regulatory pressure in Europe and increasing scrutiny in the US. The real control point lies in identity governance (managing who can access what resources and under what circumstances) and related infrastructure layers like encryption key management, access logging, and workload identity management, not just where data is physically stored.

AI agents operate at machine speed across multiple systems, making traditional security models that grant access once at login insufficient for protecting modern infrastructure. CrowdStrike's Continuous Identity approach continuously evaluates identity, device, threat, and business context to grant, adjust, or revoke access in real time, with specific features for AI agents including verification based on SPIFFE standards (an identity framework), removal of standing privileges (permissions that remain active indefinitely), and immediate revocation when risk conditions change.
Fix: CrowdStrike provides Continuous Identity for AI Agents through Falcon Next-Gen Identity Security, which eliminates standing privileges and verifies trust for every agent action in real time using SPIFFE identity standards and the Shared Signals Framework. The system evaluates each action against the human user's and agent's entitlements and current security and business context, ensures agents cannot exceed the permissions of their human operator, preserves human identity and permissions when agents delegate to sub-agents, and immediately revokes access if context changes (such as new vulnerabilities or HR status changes). Additionally, CrowdStrike Falcon AI Detection and Response (AIDR) continuously inspects prompts and intent to detect permission misuse, triggering Continuous Identity to revoke access before damage occurs.
Source: CrowdStrike Blog

Cisco Catalyst SD-WAN Manager has a path traversal vulnerability (a flaw where attackers can access files outside intended directories) that allows authenticated remote attackers to create or overwrite files on affected systems. This vulnerability is actively being exploited by attackers.
Fix: Apply mitigations according to Cisco vendor instructions and follow CISA's BOD 26-04 guidance for prioritizing security updates. If mitigations are unavailable for cloud services, discontinue use of the product. Stakeholders must evaluate each system's internet exposure and ensure compliance with BOD 26-04 patching guidelines by the due date of 2026-06-29.
Source: CISA Known Exploited Vulnerabilities