All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
CVE-2024-48530 is a vulnerability in eSoft Planner version 3.24.08271-USA that allows attackers to cause a DoS (denial of service, where a system becomes unavailable to legitimate users) through a specially crafted POST request (a type of web request) sent to the Instructor Appointment Availability module. The vulnerability stems from CWE-770, which means the software fails to limit resource allocation, allowing attackers to exhaust system resources.
CVE-2024-52445 is a deserialization of untrusted data vulnerability (a flaw where a program processes data from an untrusted source without checking it, potentially allowing an attacker to manipulate the program) in the Modeltheme QRMenu Restaurant QR Menu Lite plugin that affects versions up to 1.0.3. This vulnerability allows object injection (an attack where malicious data tricks the program into creating unintended objects).
A vulnerability in the Linux kernel's panthor graphics driver allows userspace to make memory mappings writable after creation through mprotect(), and to create copy-on-write mappings that can cause system crashes. The issue occurs because the driver doesn't properly restrict VM_MAYWRITE (a flag controlling whether memory can be made writable later) and doesn't require VM_SHARED (a flag indicating shared memory semantics) when mapping GPU flush registers.
The European AI Office posted a job opening for a Lead Scientific Advisor for AI, responsible for ensuring scientific rigor in testing and evaluating general-purpose AI (large AI models trained on broad data that can handle many tasks) models and leading the office's scientific approach to AI safety. The position required EU citizenship, at least 15 years of professional experience, and fluency in EU languages, with an application deadline of December 13, 2024.
Autolab, a service that manages programming courses and automatically grades assignments, has an HTML injection vulnerability (a flaw where untrusted data is inserted as HTML, potentially allowing attackers to inject malicious code) in version 3.0.1 that affects instructors and course assistants viewing grade submissions. The vulnerability allows attackers to execute cross-site scripting (XSS, where malicious scripts run in a user's browser without their knowledge).
MarkUs (a web application for student assignment submission and grading) has a vulnerability in versions before 2.4.8 that allows authenticated instructors to write files anywhere on the web server, potentially leading to remote code execution (the ability to run commands on a system from a distance). This happens because the file upload methods don't properly restrict where files can be saved.
MarkUs, a web application for submitting and grading student assignments, has a path traversal vulnerability (a security flaw that lets attackers access files outside the intended directory) in versions before 2.4.8. Authenticated instructors can download any file on the server, depending on file permissions. The vulnerability affects how the application limits access to files.
CVE-2024-24446 is a vulnerability in OpenAirInterface CN5G AMF (a network component that manages connections in 5G systems) up to version 2.0.0 where an uninitialized pointer dereference (using a memory address that hasn't been properly set up) allows attackers to crash the system by sending a specially crafted message. This vulnerability can cause a Denial of Service (DoS, making the system unavailable to legitimate users).
CVE-2024-24426 is a vulnerability in OpenAirInterface Magma v1.8.0 and OAI EPC Federation v1.2.0 where attackers can trigger reachable assertions (checks that crash the program if they fail) in the NGAP_FIND_PROTOCOLIE_BY_ID function by sending a specially crafted NGAP packet (a message used in cellular networks), causing a Denial of Service attack (making the service unavailable to legitimate users). The vulnerability has not yet received an official CVSS severity rating from NIST.
OpenAirInterface CN (a 5G network software) versions 2.0.0 and earlier contain a stack-based buffer overflow (a memory safety bug where data overflows allocated memory space) in a function that handles network messages, allowing remote attackers to crash the system or potentially run unauthorized code by sending specially crafted network packets. The vulnerability affects the N2 interface (the connection between radio access networks and the core network).
CVE-2024-24449 is a vulnerability in OpenAirInterface CN5G AMF (a 5G network component) up to version 2.0.0 where an uninitialized pointer dereference (using a pointer variable that hasn't been set to a valid memory address) in the NasPdu::NasPdu component can be exploited. An attacker can send a specially crafted InitialUEMessage to cause a Denial of Service (DoS, making the service unavailable to legitimate users).
A WordPress plugin called Sage AI (which provides chatbots, GPT-4 article generation, and image creation features) has a vulnerability (CVE-2024-52384) that allows unrestricted uploading of dangerous file types, enabling attackers to upload web shells (malicious scripts that give attackers control of a web server). This vulnerability affects all versions up to and including version 2.4.9.
CVE-2024-52383 is a missing authorization vulnerability (a flaw where the software fails to check if a user has permission to perform an action) in the KCT Ai Auto Tool Content Writing Assistant plugin for WordPress, affecting versions up to 2.1.2. This vulnerability allows attackers to exploit incorrectly configured access control (permission settings) to gain unauthorized access.
CVE-2024-21799 is a path traversal vulnerability (a bug where an attacker can access files outside intended directories) in Intel Extension for Transformers software versions before 1.5 that allows authenticated users (those with login access) to escalate their privileges through local access. The vulnerability has a CVSS score (severity rating) of 6.9, rated as medium severity.
Element is a messaging app web client that had a bug in versions before 1.11.85 where it didn't properly validate thumbnails (small preview images) for attachments, stickers, and images. This allowed attackers to add fake thumbnails that would trigger unwanted file downloads when users clicked on them.
This document provides an overview of how different European Union countries are implementing the EU AI Act, which is legislation regulating artificial intelligence systems. Most countries show unclear or partial progress in establishing the required authorities (government bodies responsible for oversight and enforcement), with some nations like Denmark and Finland having made more concrete arrangements for coordinating market surveillance (monitoring that AI systems follow the rules) and serving as single points of contact.
A Linux kernel vulnerability (CVE-2024-50182) affected memfd_secret(), a system call that creates secret memory regions hidden from the kernel's direct map (a lookup table for physical memory). On some ARM64 systems, the function appeared to work but silently failed to actually hide the memory, defeating its security purpose. The fix makes memfd_secret() return an error code (-ENOSYS) on systems that cannot properly remove memory from the direct map, rather than silently failing.
Fix: Clear the VM_MAYWRITE flag and require VM_SHARED when handling DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET mappings. The patch restricts both userspace's ability to change permissions via mprotect() and prevents unsupported copy-on-write semantics for this memory region.
NVD/CVE DatabaseFix: Update to version 3.0.2, which patches the vulnerability. Alternatively, manually edit line 589 in the file `gradesheet.js.erb` to treat feedback as plain text rather than HTML code.
NVD/CVE DatabaseFix: Upgrade to MarkUs v2.4.8 or later. The source states: 'MarkUs v2.4.8 has addressed this issue' and notes that 'no known workarounds are available at the application level aside from upgrading.'
NVD/CVE DatabaseFix: Upgrade to MarkUs v2.4.8 or later. The source states: 'MarkUs v2.4.8 has addressed this issue' and notes that 'No known workarounds are available at the application level aside from upgrading.'
NVD/CVE DatabaseThis is the official 2025 release of the OWASP Top 10 for Large Language Model Applications, which is a ranked list of the most critical security risks affecting AI systems. The document provides guidance on the biggest threats that developers should be aware of when building or using LLM-based applications (software built around large language models, which are AI systems trained on vast amounts of text).
Fix: Update Intel Extension for Transformers to version 1.5 or later.
NVD/CVE DatabaseFix: Update Element Web and Desktop to version 1.11.85 or later. The fix is confirmed in element-web 1.11.85.
NVD/CVE DatabaseN/A -- The provided content is a GitHub navigation menu and marketing material, not a substantive article about the OWASP Top 10 for LLM Applications. No technical information, vulnerabilities, or security issues are described in the source text.
N/A -- The provided content is a navigation menu and header from a GitHub webpage about enterprise features and developer tools. It does not contain substantive information about the OWASP Top 10 for Large Language Model Applications or any AI/LLM security issues.
Fix: Return -ENOSYS from memfd_secret() syscall if !can_set_direct_map(). The patch disables the syscall on ARM64 systems with certain configuration options disabled (CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n, and CONFIG_KFENCE=n) where the operation cannot work correctly.
NVD/CVE Database