All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
CyberAgent, a Japanese internet company, adopted ChatGPT Enterprise and Codex to make AI a foundational technology across their organization rather than just an isolated initiative. The company faced challenges around security concerns and uncertainty about what data could safely be shared with AI tools, which slowed adoption and created inconsistent usage across departments.
Fix: CyberAgent addressed these challenges by adopting ChatGPT Enterprise, which provides enterprise-grade security features, access controls, account management, and visibility into usage that allow employees to confidently use AI. The company also established internal guidelines for handling confidential information to ensure safe and secure use, and provided ongoing training support to build a culture of responsible AI adoption.
Source: OpenAI Blog
A federal appeals court in Washington, D.C. denied Anthropic's request to temporarily block the Department of Defense's blacklisting of the company as a supply chain risk (a designation claiming the company's technology threatens U.S. national security). The ruling means Anthropic is excluded from DOD contracts, though a separate court earlier granted Anthropic an injunction allowing it to continue working with other government agencies while the lawsuit challenging the blacklisting continues.
OpenAI's CFO announced that the company plans to reserve shares for individual investors when it goes public through an initial public offering (IPO, the first time a private company sells shares to the public). The company saw strong demand from regular retail investors during its recent funding round and wants to ensure broad public participation in ownership, following models used by other companies like Tesla and Block.
Amazon Bedrock AgentCore's starter toolkit automatically creates overly broad IAM roles (identity and access management policies that control what actions software can perform) that grant a single AI agent excessive permissions across an entire AWS account, enabling an attack called Agent God Mode. If compromised, an attacker could exploit these permissions to access other agents' memories, steal container images, and extract sensitive data. AWS updated its documentation to warn that the default roles are only for development and testing, not production use.
PraisonAI has a critical vulnerability where the `execute_command` function and workflow shell execution pass user-controlled input directly to `subprocess.run()` with `shell=True`, allowing attackers to inject arbitrary shell commands through YAML workflow files, agent configurations, and LLM-generated tool calls by exploiting shell metacharacters like semicolons and pipes.
LangChain had incomplete validation of f-string templates (a Python feature for inserting variables into text) in some prompt template classes. Attackers who could control the template structure could use attribute access (like `object.field`) or indexing (like `array[0]`) to expose internal data from Python objects being formatted. This issue only affected applications that allow untrusted users to write templates, not those using hardcoded templates or only letting users provide variable values.
A security vulnerability (CVE-2026-5803) was found in bigsk1 openai-realtime-ui that allows attackers to perform SSRF (server-side request forgery, where an attacker tricks a server into making unwanted requests to other systems) through the API Proxy Endpoint in server.js by manipulating a query argument, and this flaw can be exploited remotely. The product uses continuous delivery with rolling releases, so specific affected versions are not documented.
This article discusses OpenAI's economic proposals and how policymakers in Washington, DC are responding to them. The content focuses on the political landscape surrounding AI regulation rather than a technical issue or vulnerability.
n8n-mcp versions 2.47.3 and earlier have an authenticated SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making requests to unintended locations) in multi-tenant HTTP mode. An attacker with a valid authentication token can make the server fetch arbitrary URLs and read the responses, potentially exposing cloud credentials (like AWS IMDS), internal network services, and other sensitive data the server can access.
Zammad, a web-based customer support system, had a server-side template injection vulnerability (a flaw where attackers can inject malicious code into templates that the server processes) in versions before 7.0.1 that could lead to RCE (remote code execution, where an attacker can run commands on a system they don't own). The vulnerability only affects systems where an attacker has administrative access to control the type_enrichment_data configuration setting.
OpenTelemetry's Go SDK has a PATH hijacking vulnerability (PATH hijacking is when an attacker puts a malicious program in a directory that the system searches for commands, so their fake program runs instead of the real one) on BSD and Solaris systems because the `kenv` command is called by its name alone instead of its full path. An attacker with local access can place a malicious `kenv` binary in the system's PATH, which will execute with the application's permissions when OpenTelemetry initializes.
OpenTelemetry Go's OTLP HTTP exporters (tools that send trace, metric, and log data over HTTP) read entire HTTP response bodies into memory without limiting their size, which allows an attacker controlling the collector endpoint to crash the application by sending extremely large responses. This vulnerability affects three exporter components: otlptrace, otlpmetric, and otlplog.
PraisonAI's `execute_code()` function has a critical sandbox escape vulnerability in its subprocess mode. The subprocess uses a blocklist of only 11 forbidden attributes, missing four key attributes (`__traceback__`, `tb_frame`, `f_back`, `f_builtins`) that attackers can chain together through exception handling to access the real Python builtins and execute arbitrary code, completely bypassing the sandbox.
The Orbit agent (software that manages computer endpoints) has a vulnerability in how it handles disk encryption key rotation. When a user enters their password through a dialog box, the software directly inserts it into a Tcl script (a programming language for automation) without properly cleaning it first. An attacker can craft a password containing special characters like `}` to break out of the script and inject their own commands, which then run with root privileges (the highest level of system access), allowing any unprivileged local user to take complete control of the computer.
In the second half of 2025, DDoS attacks (distributed denial-of-service, where attackers flood a target with traffic to shut it down) became more powerful and easier to launch due to three major changes: IoT botnets (networks of hacked internet-connected devices like routers) reached attack capacities of 30 terabits per second, AI and dark-web LLMs (large language models, AI systems trained on text data) made sophisticated attacks accessible to less-skilled attackers through simple conversational prompts, and DDoS-for-hire services became more widely available. Critical infrastructure like DNS servers (systems that translate website names into IP addresses) and government and finance sectors faced sustained pressure from groups coordinating attacks across multiple countries.
OpenAirInterface v2.2.0 has a security flaw where it accepts a Security Mode Complete message without integrity protection (IA0, a setting that provides no message integrity checking) even though it supports stronger options like NIA1 and NIA2 (integrity protection methods). This allows attackers to perform replay attacks (sending the same captured message multiple times to trick the system), because the weakest security setting is allowed.
OpenAirInterface Version 2.2.0 has a buffer overflow vulnerability (a memory safety flaw where data exceeds allocated space) in its AUSF component (Authentication Server Function, part of 5G network architecture) when processing oversized authentication responses. This vulnerability causes the AUSF to crash, preventing users from registering and authenticating, resulting in a denial of service (DoS, where legitimate users cannot access the system).
Anthropic has developed an AI model called Claude Mythos that is unusually good at finding software vulnerabilities (security weaknesses in code), and it discovered thousands of these flaws in commonly used applications that don't yet have fixes available. The company decided not to release Mythos widely to the public because it worries the model could enable widespread hacking, and instead partnered with cybersecurity specialists to improve defenses before wider distribution.
Fix: AWS documentation was updated to include a security warning, stating that the default roles are "designed for development and testing purposes" and are not recommended for production deployment.
Source: Palo Alto Unit 42
Fix: LangChain now applies consistent f-string safety validation across all prompt template classes. The fix rejects templates containing attribute access or indexing syntax (such as `.` or `[]`) and rejects nested replacement fields inside format specifiers (templates with `{` or `}` in the format specification part). This blocks malicious patterns while preserving normal f-string formatting features.
Source: GitHub Advisory Database
Fix: Apply the patch identified as 54f8f50f43af97c334a881af7b021e84b5b8310f to address this issue.
Source: NVD/CVE Database
Fix: Upgrade to n8n-mcp 2.47.4 or later (no configuration changes required). If you cannot upgrade immediately, the source explicitly mentions three workarounds: (1) use egress filtering to block outbound traffic from the n8n-mcp container to private IP ranges (RFC1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and link-local 169.254.0.0/16; (2) disable multi-tenant headers by unsetting ENABLE_MULTI_TENANT and not accepting x-n8n-url / x-n8n-key headers at the reverse proxy if per-request instance switching is not needed; (3) restrict AUTH_TOKEN distribution to fully trusted operators only until you can upgrade.
Source: GitHub Advisory Database
Fix: This vulnerability is fixed in version 7.0.1. Users should upgrade to Zammad 7.0.1 or later.
Source: NVD/CVE Database
Fix: Use the absolute path `/bin/kenv` instead of the bare command name. Change line 42 in `sdk/resource/host_id.go` from `r.execCommand("kenv", "-q", "smbios.system.uuid")` to `r.execCommand("/bin/kenv", "-q", "smbios.system.uuid")`.
Source: GitHub Advisory Database
Fix: Fixed in PR #8108 (https://github.com/open-telemetry/opentelemetry-go/pull/8108).
Source: GitHub Advisory Database
This research paper describes a method called ReSLC that protects AI systems used to find software bugs from backdoor attacks, where attackers secretly embed malicious instructions into the AI's training process. The approach uses redundant semantic LLM compression (a technique that removes unnecessary information from large language models while keeping their core abilities) to make these hidden attacks harder to carry out. The work was published in July 2026 in the Journal of Information Security and Applications.
This research paper presents a hybrid deep learning method using autoencoders (neural networks that learn to compress and reconstruct data) and transformers (AI models that process sequences of information) to detect a new type of attack called unresponsive ECN attacks on low-latency network services (systems designed to minimize delay in data transmission). The proposed method achieves over 90% accuracy in detecting these attacks while keeping false alarms below 0.01%, outperforming existing detection approaches by more than 10%.