All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Universal Adversarial Perturbations (UAPs, tiny modifications to images that fool AI models across many different inputs) are security threats to deep learning systems, but existing methods make attacks obvious because they either look wrong to humans or cause suspicious misclassifications. This paper presents Stealthy-UAP, a framework that makes UAPs harder to detect by targeting only semantically related classes (so misclassifications seem plausible) and optimizing perturbations to match how humans actually perceive images.
The llm-openrouter tool, version 0.6, added a new 'refresh' command that lets users update their list of available AI models without waiting for the cached (temporarily stored) list to expire. This feature was created so users could access newly available models on OpenRouter immediately.
A vulnerability (CVE-2026-6662) was found in ericc-ch copilot-api versions up to 0.7.0 in the CORS function (a security feature that controls which websites can access an API from a web browser) of the token endpoint. The flaw allows a permissive cross-domain policy with untrusted domains, meaning attackers from other websites could potentially access the API remotely, and the exploit has been publicly disclosed.
Elon Musk did not attend a voluntary interview with French cybercrime prosecutors investigating his social media platform X and AI chatbot Grok over alleged child abuse images. The French legal authorities noted his absence, though Musk had previously criticized them on X.
Attackers are using Microsoft Teams' external access feature to impersonate IT helpdesk staff and convince employees to grant remote control access, exploiting the fact that collaboration platforms enable real-time, convincing interactions. Unlike traditional phishing, this technique leverages social engineering within trusted communication channels to bypass standard malware detections by obtaining user-approved access. The attack reflects an evolution of social engineering tactics that takes advantage of cross-tenant communication capabilities (features allowing external users to contact employees across different organizations) and the growing role of collaboration tools in workplace communication.
Researchers discovered a critical vulnerability in Anthropic's Model Context Protocol (MCP, a system that allows AI models to interact with external tools and data) that allows attackers to run arbitrary commands on systems using vulnerable implementations. The flaw affects over 7,000 publicly accessible servers and has been found in popular AI projects like LangChain and LiteLLM, but Anthropic has declined to fix the underlying architectural issue, leaving developers responsible for protecting against it.
Researchers at Capsule Security discovered prompt injection vulnerabilities (attacks where malicious instructions are hidden in normal-looking inputs) in both Microsoft Copilot Studio and Salesforce Agentforce that allow attackers to trick AI agents into stealing data. In Microsoft's case, attackers can inject malicious commands into SharePoint forms to extract sensitive customer data and send it via email, while in Salesforce's case, they can embed harmful instructions in public lead forms to exfiltrate CRM data at scale.
A vulnerability (CVE-2026-6608) was found in lm-sys fastchat up to version 0.2.36 in the add_text function of the Arena Side-by-Side View Handler component, which allows incorrect control flow (improper program execution logic) that can be exploited remotely. The root cause was partially fixed in commit 34eca62 for one file, but three other files containing the same issue were not corrected.
A vulnerability was found in lm-sys fastchat (a tool for running AI models) up to version 0.2.36 that allows attackers to consume excessive resources by exploiting the api_generate function in the Worker API Endpoint (the part of the software that handles requests from other programs). The attack can be done remotely over the internet, the vulnerability details have been publicly disclosed, and it may already be exploited.
A security flaw called CVE-2026-6600 was found in Langflow (an AI tool) up to version 1.8.3 that allows cross-site scripting (XSS, where attackers inject malicious code into web pages to trick users). The vulnerability is in a React component (a reusable piece of code in the user interface) that handles message editing, and it can be exploited remotely by someone with login access.
A vulnerability exists in Langflow (an AI application framework) versions up to 1.8.3 in the Model Context Protocol Configuration API, where attackers can manipulate the X-Forwarded-For header (a field that identifies the client's IP address) to perform injection attacks (inserting malicious code into the system). This vulnerability can be exploited remotely, the exploit code is publicly available, and the vendor has not responded to disclosure attempts.
A vulnerability (CVE-2026-6598) was found in langflow-ai langflow versions up to 1.8.3 where the create_project/encrypt_auth_settings function improperly stores sensitive authentication settings in cleartext (unencrypted plain text) on disk instead of protecting them. An attacker can exploit this remotely, and the vulnerability details have been publicly disclosed.
A vulnerability (CVE-2026-6597) was found in langflow-ai langflow version 1.8.3 and earlier, where a function called remove_api_keys/has_api_terms fails to properly protect stored credentials (API keys and authentication information), allowing attackers to access them remotely. The vendor was notified but did not respond, and the exploit details have been publicly released.
This research proposes RIBSC, a security system for VANETs (vehicular ad hoc networks, where vehicles communicate wirelessly with each other and roadside infrastructure) that protects privacy during vehicle-to-road communication. The system uses signcryption (a technique that simultaneously encrypts and digitally signs messages) combined with a session key distribution mechanism and traceable pseudonyms to prevent privacy breaches while allowing authorities to identify vehicles involved in illegal activities.
Cyber Threat Attribution (CTA) is the process of identifying who carried out a cyberattack by analyzing evidence from the attack. This paper introduces ThreatMAMBA, an AI framework that improves CTA by building knowledge graphs from threat intelligence data (IOCs, or indicators of compromise that identify malicious activity; TTPs, or tactics and techniques used by attackers; and temporal relationships) and using machine learning to identify attackers even in the early stages of ongoing attacks. The system showed significant improvements in accuracy at different stages of attack development, suggesting it can provide reliable attribution information quickly during real incidents.
This paper addresses privacy and security concerns in collaborative data analysis by proposing a new method for computing the Jaccard coefficient (a mathematical measure of similarity between two sets). The proposed protocol protects sensitive information such as intersection and union cardinalities (counts of shared and combined elements) while maintaining high accuracy and computational efficiency, and can be enhanced further using cloud-assisted encryption to improve performance by 25.5% to 30.4%.
Fix: The source recommends several mitigations: block public IP access to sensitive services, monitor MCP tool invocations, run MCP-enabled services in a sandbox (an isolated test environment), treat external MCP configuration input as untrusted, and only install MCP servers from verified sources. Additionally, some vendors have issued patches for their specific products (LiteLLM, Bisheng, and DocsGPT are noted as patched).
The Hacker News
CISOs (chief information security officers, the top security leaders at companies) are expanding their roles beyond traditional cybersecurity to become broader business risk strategists who manage strategic, operational, and financial risks across their entire organizations. This shift reflects the fact that nearly all business operations are now digital, making any cyber risk a material business risk, and has accelerated since the rise of generative AI (AI systems like ChatGPT that can create new content) and agentic AI (AI systems that can take independent actions). Research shows that most CISOs now share responsibility for enterprise risk management with other executives and are expected to unify regulatory requirements, company risk tolerance, and security controls into a single operating model.
Frontier AI models (advanced AI systems with sophisticated reasoning abilities) can now autonomously discover software vulnerabilities and plan complex attack chains much faster than before, posing a major security threat. Open source software faces particularly high risk because these AI models can analyze publicly available source code to find bugs, whereas they struggle with compiled code (the executable, non-readable version). As these powerful AI models become widely available, attackers with minimal expertise may launch attacks at unprecedented speed and scale across the entire software ecosystem.
Fix: For Microsoft Copilot Studio: "Microsoft has meanwhile published a patch that has fixed the problem" and "no further measures are required on the part of users." For Salesforce Agentforce: The source text does not describe an explicit patch or mitigation from Salesforce. The source states that "Salesforce acknowledged the prompt injection problem" but classified the data exfiltration issue as "configuration-specific" and pointed to "optional human-in-the-loop controls." General recommendations mentioned include: "input validation, least-privilege access, as well as strict control" and treating "all external inputs as untrusted" while setting up "filters that separate data from instructions."
CSO Online
Claude Mythos is an AI security model being tested by select organizations, but security researchers at VulnCheck question its real-world impact. Out of 75 CVEs (publicly disclosed software vulnerabilities) mentioning Anthropic, only one has been directly tied to Project Glasswing (the initiative behind Claude Mythos), though more results are expected later in 2026.
Tech workers in China are being asked by their employers to train AI agents (software programs that can autonomously perform tasks) to automate their own jobs, sparked by tools like Colleague Skill that can extract a worker's skills and habits from workplace chat histories and files to create an AI replica. While some workers find the technology interesting, many feel uncomfortable and alienated by the process, viewing it as reducing their complex work to replaceable modules and raising concerns about job security and worker dignity.
Fix: Install the patch identified by commit c9e84b89c91d45191dc24466888de526fa04cf33. Note that commit ff66426 patched the api_generate function in base_model_worker.py but missed other entry points (other places in the code where the same issue occurs).
NVD/CVE Database