aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Maintained by Truong (Jack) Luu, Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

3312 items

CVE-2024-35198: TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. TorchServe's check

critical | vulnerability | security
Jul 19, 2024
CVE-2024-35198

TorchServe (a tool for running machine learning models in production) has a security flaw where its allowed_urls check (a restriction on which websites models can be downloaded from) can be bypassed using special characters like ".." in the URL. Once a model file is downloaded through this bypass, it can be used again without the security check, effectively removing the protection.

Fix: The issue has been fixed by validating the URL without characters such as ".." before downloading (see PR #3082). TorchServe release 0.11.0 includes the fix. Users are advised to upgrade.

NVD/CVE Database

CVE-2024-21513: Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution

high | vulnerability | security
Jul 15, 2024
CVE-2024-21513 (EPSS: 10.2%)

Versions 0.0.15 through 0.0.20 of langchain-experimental contain a vulnerability where the code uses 'eval' (a function that runs Python code from text) on database values, allowing attackers to execute arbitrary code if they can control the input prompt and the server uses VectorSQLDatabaseChain (a component that connects language models to SQL databases). An attacker with low privileges could exploit this to break out of the application and access files or make unauthorized network connections.

Fix: Update langchain-experimental to version 0.0.21 or later.

NVD/CVE Database

Sorry, ChatGPT Is Under Maintenance: Persistent Denial of Service through Prompt Injection and Memory Attacks

medium | news | security, safety
Jul 8, 2024

Attackers can use prompt injection (tricking an AI by hiding malicious instructions in its input) to create fake memories in ChatGPT's memory tool, causing the AI to refuse all future responses with a maintenance message that persists across chat sessions. This creates a denial of service attack (making a service unavailable to users) that lasts until the user manually fixes it.

Fix: Users can recover by opening the memory tool, locating and removing the suspicious memories created by the attacker. Additionally, users can disable the memory feature entirely to prevent this type of attack.

Embrace The Red

CVE-2024-25639: Khoj is an application that creates personal AI agents. The Khoj Obsidian, Desktop and Web clients inadequately sanitize

medium | vulnerability | security
Jul 8, 2024
CVE-2024-25639

Khoj, an application that creates personal AI agents, has a vulnerability in its Obsidian, Desktop, and Web clients where user inputs and AI responses are not properly cleaned (sanitized). This allows attackers to inject malicious code through prompt injection (tricking the AI by hiding instructions in its input) via untrusted documents, which can trigger XSS (cross-site scripting, where malicious code runs in a user's browser when they view a webpage).

Fix: This vulnerability is fixed in version 1.13.0. Users should update to this version or later.

NVD/CVE Database

CVE-2024-40594: The OpenAI ChatGPT app before 2024-07-05 for macOS opts out of the sandbox, and stores conversations in cleartext in a l

low | vulnerability | security, privacy
Jul 6, 2024
CVE-2024-40594

The OpenAI ChatGPT app for macOS before July 5, 2024 had two security problems: it disabled the sandbox (a security boundary that limits what an app can access) and stored conversations in cleartext (unencrypted plain text) in a location that other apps could read. This meant user conversations were exposed to other programs on the same computer.

NVD/CVE Database

An Introduction to the Code of Practice for General-Purpose AI

info | regulatory | policy
Jul 3, 2024

The EU AI Act Code of Practice is a voluntary set of guidelines published in July 2025 to help general-purpose AI (GPAI, large AI models used across many applications) model providers comply with new EU AI regulations during the gap period before formal European standards take effect in 2027 or later. The Code, developed by the EU AI Office and many stakeholders, covers three areas: Transparency and Copyright (for all GPAI providers) and Safety and Security (for providers of GPAI models with systemic risk, meaning those that could cause widespread harm). Though the Code is not legally binding, the Commission and the EU AI Board confirmed that it adequately demonstrates compliance with the AI Act's requirements.

EU AI Act Updates

CVE-2024-39236: Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. Thi

critical | vulnerability | security
Jul 1, 2024
CVE-2024-39236

Gradio v4.36.1 contains a code injection vulnerability (CWE-94, improper control of code generation) in the /gradio/component_meta.py file that can be triggered by crafted input. The supplier disputes the report, arguing that it describes a user attacking their own system rather than a genuine security flaw.

NVD/CVE Database

CVE-2024-37146: Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a

medium | vulnerability | security
Jul 1, 2024
CVE-2024-37146

Flowise version 1.4.3 has a reflected cross-site scripting vulnerability (XSS, a type of attack where malicious code is injected into a webpage) in its `/api/v1/credentials/id` endpoint that allows attackers to inject harmful JavaScript into user sessions, potentially stealing information or redirecting users to malicious websites. The vulnerability is especially dangerous because it can be exploited without authentication in the default configuration and can be combined with other attacks to read files from the Flowise server.

NVD/CVE Database

CVE-2024-37145: Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a

medium | vulnerability | security
Jul 1, 2024
CVE-2024-37145

Flowise version 1.4.3 has a reflected cross-site scripting vulnerability (XSS, where an attacker injects malicious code into web pages shown to users) in its `/api/v1/chatflows-streaming/id` endpoint. If the default settings without authentication are used, an attacker can craft a malicious URL that runs JavaScript in a user's browser, potentially stealing information, showing fake popups, or redirecting users to other websites.

NVD/CVE Database

CVE-2024-36423: Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a

medium | vulnerability | security
Jul 1, 2024
CVE-2024-36423

Flowise version 1.4.3 has a reflected cross-site scripting vulnerability (XSS, a type of attack where malicious code is injected into a webpage) in its `/api/v1/public-chatflows/id` endpoint. An attacker can craft a malicious URL that injects JavaScript code into a user's session, potentially stealing information, showing fake popups, or redirecting users to other websites. This vulnerability is especially dangerous because it exists in an unauthenticated endpoint (one that doesn't require a login) and can potentially be combined with other attacks to read files from the server.

NVD/CVE Database

CVE-2024-36422: Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a

medium | vulnerability | security
Jul 1, 2024
CVE-2024-36422

Flowise version 1.4.3 contains a reflected cross-site scripting vulnerability (XSS, a type of attack where malicious code is injected into a webpage to compromise user sessions) in its chatflow endpoint that allows attackers to steal information or redirect users to other sites if the default unauthenticated configuration is used. The vulnerability occurs because, when a chatflow ID is not found, the invalid ID is displayed in the error page without proper protection, letting attackers inject arbitrary JavaScript code. This XSS flaw can potentially be combined with path injection attacks (exploiting how the system handles file paths) to read files from the Flowise server.

NVD/CVE Database

CVE-2024-36421: Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, A

high | vulnerability | security
Jul 1, 2024
CVE-2024-36421

Flowise version 1.4.3 has a CORS misconfiguration (a security setting that controls which websites can access the application), which allows any website to connect to it and steal user information. Attackers could potentially combine this flaw with another vulnerability to read files directly from the Flowise server without needing to log in.

NVD/CVE Database

CVE-2024-36420: Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, th

high | vulnerability | security
Jul 1, 2024
CVE-2024-36420

Flowise version 1.4.3 has a vulnerability in its `/api/v1/openai-assistants-file` endpoint that allows arbitrary file read attacks (reading files on a system without permission) because the `fileName` parameter is not properly sanitized (cleaned of malicious input). This is caused by improper input validation, which is a common security weakness in software.

NVD/CVE Database

CVE-2024-38514: NextChat is a cross-platform ChatGPT/Gemini UI. There is a Server-Side Request Forgery (SSRF) vulnerability due to a lac

high | vulnerability | security
Jun 28, 2024
CVE-2024-38514 (EPSS: 72.6%)

NextChat, a user interface for ChatGPT and Gemini, has a Server-Side Request Forgery vulnerability (SSRF, a flaw that lets attackers trick the server into making requests to unintended destinations) in its WebDav API endpoint because the `endpoint` parameter is not validated. An attacker could use this to make unauthorized HTTPS requests from the vulnerable server or inject malicious JavaScript code into users' browsers.

Fix: This vulnerability has been patched in version 2.12.4. Users should update to this version or later.

NVD/CVE Database

CVE-2023-47803: A vulnerability regarding improper limitation of a pathname to a restricted directory ('Path Traversal') is found in the

medium | vulnerability | security
Jun 28, 2024
CVE-2023-47803

CVE-2023-47803 is a path traversal vulnerability (a flaw where attackers bypass directory restrictions to access files they shouldn't) found in the Language Settings feature of certain Synology camera models. The vulnerability allows remote attackers to read non-sensitive files through unspecified methods, affecting BC500 and TC500 camera models running firmware versions before 1.0.7-0298.

Fix: Update Synology Camera Firmware to version 1.0.7-0298 or later for affected BC500 and TC500 models.

NVD/CVE Database

CVE-2024-5826: In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt i

high | vulnerability | security
Jun 27, 2024
CVE-2024-5826

CVE-2024-5826 is a remote code execution vulnerability in the vanna-ai/vanna library's `vanna.ask` function, caused by prompt injection (tricking an AI by hiding instructions in its input) without code sandboxing. An attacker can manipulate the code executed by the `exec` function to gain full control of the app's backend server.

NVD/CVE Database

CVE-2024-4839: A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms

low | vulnerability | security
Jun 24, 2024
CVE-2024-4839

A CSRF vulnerability (cross-site request forgery, where an attacker tricks a user's browser into making unwanted requests on their behalf) exists in the 'Servers Configurations' function of parisneo/lollms-webui versions 9.6 and later, affecting services like XTTS and vLLM that lack CSRF protection. Attackers can exploit this to deceive users into installing unwanted packages without their knowledge or consent.

NVD/CVE Database

CVE-2024-4940: An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows a

medium | vulnerability | security
Jun 22, 2024
CVE-2024-4940

Gradio (a popular framework for building AI interfaces) has an open redirect vulnerability, which means attackers can trick the application into sending users to fake websites by exploiting improper URL validation. This can be used for phishing attacks (tricking people into revealing passwords), XSS (cross-site scripting, where attackers inject malicious code into web pages), and other exploits.

NVD/CVE Database

CVE-2024-36489: In the Linux kernel, the following vulnerability has been resolved: tls: fix missing memory barrier in tls_init In tls

medium | vulnerability | security
Jun 21, 2024
CVE-2024-36489

A vulnerability in the Linux kernel's TLS (Transport Layer Security, the protocol that encrypts internet traffic) initialization code allowed a NULL pointer dereference (following a pointer that has not yet been set) because of missing synchronization between CPU cores. When two processors performed operations in an unexpected order, one processor could try to use an uninitialized pointer, crashing the system or causing security issues in functions like tls_setsockopt and tls_getsockopt.

Fix: The fix moves the rcu_assign_pointer() call (a pointer assignment function that includes the required memory barrier) to after ctx->sk_proto is fully initialized. This ensures that the pointer becomes visible to other CPU cores only after it has been properly set up, preventing the reordering problem that caused the NULL dereference.

NVD/CVE Database

CVE-2021-47608: In the Linux kernel, the following vulnerability has been resolved: bpf: Fix kernel address leakage in atomic fetch Th

medium | vulnerability | security
Jun 19, 2024
CVE-2021-47608

A vulnerability in the Linux kernel's BPF (Berkeley Packet Filter, a system that lets programs run safely in the kernel) subsystem allows unprivileged users to leak kernel pointers (memory addresses used internally by the kernel). The bug occurs in atomic fetch operations (operations that read and modify memory atomically) on the stack, where a spilled pointer (a pointer stored on the stack) can be improperly converted into a regular number and exported, revealing sensitive kernel memory.

Fix: The source recommends: "One minimally intrusive option to fix the leak is for the BPF_FETCH case to initially check the BPF_READ case via check_mem_access() with -1 as register, followed by the actual load case with non-negative load_reg to propagate stack bounds to registers." In other words, the kernel should perform two checks in sequence when handling atomic fetch operations: first a read check using a placeholder value (-1), then a second check with the actual register value to properly handle stack data propagation.

NVD/CVE Database