All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Federal Reserve Chairman Jerome Powell and Treasury Secretary Scott Bessent met with major U.S. bank CEOs to discuss cyber risks from Anthropic's Mythos model, a new AI system with advanced capabilities for both offensive and defensive hacking. Anthropic released the model in limited capacity through Project Glasswing, a cybersecurity initiative involving major tech companies, and briefed government agencies on its cyber applications because of concerns that hackers could exploit its capabilities.
ChatGPT's voice mode runs on an older, weaker model (GPT-4o era with a knowledge cutoff of April 2024) compared to other OpenAI products, even though talking to an AI might seem like it should use the smartest version. The article explains that OpenAI's highest-tier models perform much better on tasks like coding because those domains have clear, measurable success criteria (like whether unit tests pass) that make them easier to improve through reinforcement learning (training that rewards correct behaviors), and because business customers value these capabilities more.
A SQL injection vulnerability (a type of attack where malicious SQL code is inserted through user input) was discovered in the instructorClasses.php file of itsourcecode Online Student Enrollment System v1.0. The vulnerability occurs because the 'classId' parameter from user input is directly added into a SQL query without being cleaned or checked first, allowing attackers to manipulate database queries.
CoreWeave, a cloud infrastructure company that operates data centers with thousands of Nvidia graphics processing units (GPUs, specialized chips that speed up AI computations), announced a multi-year deal to provide computing power for Anthropic's Claude AI models. This deal means nine of the top ten AI model providers now use CoreWeave's platform, reflecting growing demand for the specialized infrastructure needed to run large AI systems at scale.
Filmmaker Daniel Roher created a documentary called "The AI Doc: Or How I Became an Apocaloptimist" to explore whether AI will improve or harm humanity, after questioning whether it was wise to have a child in an AI-driven world. The film features interviews with 40 people including major AI company leaders, and examines how people tend to view AI in extreme terms, either as a cure-all solution or as an existential threat. The filmmakers learned that even top AI scientists struggle to explain what AI actually is in simple terms, and they focused on making content that would remain relevant over time rather than chasing headline-driven narratives.
LiteLLM (a library for working with multiple AI models) versions through April 8, 2026 contain a vulnerability that allows remote attackers to execute arbitrary code (run commands they shouldn't be able to run) through bytecode rewriting (modifying compiled code) at a specific web endpoint called /guardrails/test_custom_code. This is a serious security flaw because attackers on the internet could potentially take control of systems running vulnerable versions.
Sam Altman, CEO of OpenAI, experienced a brief firing and reinstatement that led to significant organizational changes, raising questions about his leadership of a major AI company. The New Yorker published an investigation examining Altman's tenure and whether he is the appropriate person to lead such a transformative technology.
Microsoft is removing Copilot buttons (shortcuts to access its AI assistant) from several Windows 11 apps, including Notepad and Snipping Tool, replacing them with alternative menus like "writing tools." The underlying AI features remain available, but the company is reducing the number of ways users can directly access Copilot across its applications.
CMMC 2.0 (Cybersecurity Maturity Model Certification 2.0) requires federal contractors to prove they protect controlled unclassified information (CUI, sensitive government data) through documented safeguards that work consistently under assessment, shifting from simple self-attestation to verified accountability. A major challenge is that organizations struggle to identify all systems and data subject to CMMC requirements, and manual processes for administrative controls (like access reviews and training records) create inconsistencies and scattered evidence across email and spreadsheets. The source argues that automation through workflow engines can standardize and consistently execute compliance controls while generating verifiable evidence automatically.
A path traversal vulnerability (a weakness that lets attackers access files outside their intended directory) was found in the chatgpt-on-wechat CowAgent software version 2.0.4 and earlier, specifically in the memory API endpoint where it processes a filename argument. This flaw can be exploited remotely by attackers, and proof-of-concept code has already been published online.
Alibaba is investing $290 million in ShengShu, a startup developing world models (AI systems trained on videos and physical scenarios rather than just text) to better understand and replicate the real world. This shift reflects growing recognition that large language models (LLMs, which are AI trained mainly on text data) have limitations, and companies are now focusing on AI that can work with robots and other systems that need to understand physical reality.
OpenAI sent a memo to investors criticizing Anthropic, its main rival in the AI market, saying Anthropic is limited by compute constraints (the computing power needed to train and run AI models). OpenAI claims it will have significantly more computing capacity than Anthropic by 2030, giving it a competitive advantage in developing more capable AI models and lowering costs. Both companies are competing intensely in the large language model (LLM, an AI trained on vast amounts of text to generate human-like responses) market and preparing for potential public stock offerings.
This is a guide from OpenAI about using ChatGPT to help operations teams organize and streamline their work. ChatGPT acts like an automated assistant that takes messy information from many sources (notes, messages, trackers) and turns it into clear summaries, decision lists, and standardized documents, so teams spend less time gathering information and more time executing tasks.
Claude Mythos is a new AI model developed by Anthropic that can autonomously discover zero-day vulnerabilities (previously unknown security flaws) and create working exploits (tools that take advantage of those flaws) in major software like operating systems and web browsers. Although currently restricted to responsible organizations like Microsoft and Google, the source warns that similar capabilities will likely become publicly available within 12-18 months, leading to a surge in discovered vulnerabilities and requiring security teams to adopt new AI-focused strategies to defend against attacks.
Fix: The source explicitly recommends that security teams and vendors adopt the following strategies across three phases: (1) Short term: vendors should "invest in making sure that patching their products is as seamless and painless as possible, to support end-users dealing with the onslaught of new CVEs"; (2) Medium-to-long term: "plan to invest efforts into an AI-focused AppSec program (application security program), which will ensure you find the AI vulnerabilities before threat actors have a chance to exploit them."
Wiz Research Blog: Anthropic has released a preview version of an AI model called Mythos that can apparently identify and exploit zero-days (previously unknown security vulnerabilities that hackers don't yet know about). The company says it has built in certain controls to try to prevent misuse of this powerful tool.
OpenAI has restricted the release of its new cybersecurity tool to select partners only due to security concerns, joining Anthropic in limiting AI model access over safety fears. The article also reports that Florida is investigating OpenAI's potential involvement in helping plan a mass shooting through ChatGPT, raising questions about AI's role in real-world harms.
Claude, an AI assistant, discovered a critical remote code execution (RCE, where an attacker can run commands on a system they don't own) vulnerability in Apache ActiveMQ that had gone undetected for 13 years. The bug allows attackers to trick ActiveMQ's management API into loading a malicious file from the internet and executing arbitrary commands, especially if default login credentials are still in use. Claude identified the complete exploit chain in about 10 minutes, a task that would have taken a human researcher roughly a week.
Fix: CVE-2026-34197 has been addressed in newer ActiveMQ Classic releases (versions 6.2.3 and 5.19.4). Users must upgrade to these patched versions to be protected.
CSO Online: AI browser extensions are a major security blind spot in enterprises because they operate inside browsers with direct access to user data, passwords, and cookies while bypassing traditional security monitoring tools like DLP (data loss prevention, which blocks sensitive information from leaving a network) and SaaS logs. The report shows AI extensions are significantly riskier than regular extensions: they are 60% more likely to have CVEs (known software vulnerabilities), 3 times more likely to access cookies, and 6 times more likely to increase their permissions over time, yet 99% of enterprise users have at least one extension installed with little organizational visibility into which ones exist or what they can access.
Fix: Use automated workflows and workflow engines to execute CMMC-related controls. Specifically, "Workflow engines can schedule tasks, route them to responsible owners, enforce approvals and capture outcomes in standardized formats" so that "evidence collection becomes a byproduct of normal operations instead of a separate, reactive effort." Automation enables recurring access reviews to run on a schedule rather than manual reminders, and standardizes control application across teams and regions so deviations are visible in logs.
CSO Online: US Treasury Secretary Scott Bessent summoned major American bank leaders to a meeting in Washington to discuss cybersecurity risks from Anthropic's new Claude Mythos AI model. Federal Reserve Chair Jerome Powell attended the meeting, which was called after Anthropic released the model and warned it poses unprecedented cybersecurity threats.
Fix: Upgrading to version 2.0.5 mitigates this issue. The patch identifier is 174ee0cafc9e8e9d97a23c305418251485b8aa89.
NVD/CVE Database