All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Meta has released Muse Spark, a new AI model designed to be small and efficient while still capable of reasoning through complex questions in science, math, and health. The model represents Meta's attempt to compete in the AI market dominated by OpenAI, Google, and Anthropic, and will be integrated into Meta's apps like Facebook, Instagram, and WhatsApp, with plans to offer API (application programming interface, a way for developers to access software features) access to external developers.
Meta has launched a new AI model called Muse Spark, designed specifically to work with Meta's products like WhatsApp, Instagram, Facebook, and Messenger. The model is now available in the Meta AI app and website in the US, with plans to expand to other countries and Meta's smart glasses in the coming weeks.
This article appears to be a webpage footer or navigation section from CNBC rather than substantive content about AI security or technology. It does not contain specific information about an AI or LLM-related issue, vulnerability, or technical problem.
LobeHub's webapi routes use a client-controlled header called `X-lobe-chat-auth` for authentication, but it's only XOR-obfuscated (a simple reversible encoding) with a hardcoded key that's visible in the code. An attacker can forge this header to bypass authentication and access protected routes like chat, model listing, and image generation without logging in, potentially using the server's API credentials or impersonating other users.
NiceGUI has a security flaw where file upload names aren't properly cleaned on Windows. An attacker can use backslashes in filenames to bypass the sanitization check, which only recognizes forward slashes as path separators. This allows them to write files outside the intended upload folder, potentially overwriting important files or running malicious code. Linux and macOS are not affected because they treat backslashes as regular characters in filenames.
OpenAI reports that enterprise AI adoption has reached a critical phase, with enterprise revenue now exceeding 40% of their business and AI systems handling real work across major companies like Goldman Sachs and Uber. The company is positioning itself as the core infrastructure for enterprise AI by offering Frontier, a unified operating layer that allows AI agents to work across a company's systems, data sources, and tools while maintaining proper permissions and controls, rather than operating as isolated point solutions (individual AI tools that don't connect to each other).
OpenAI, despite recently raising $122 billion in funding and achieving brand recognition similar to "Kleenex," is facing questions about its stability due to recent executive departures, canceled projects, and other organizational changes. The company's position as the leader in consumer-facing AI tools like ChatGPT may be at risk as it navigates these internal challenges and prepares for a potential IPO.
Flowise, a low-code platform for building custom AI workflows, has a critical vulnerability (CVE-2025-59528, CVSS 10.0) where attackers can inject malicious JavaScript code through improperly validated configurations in the Custom MCP node (a plugin that lets AI agents connect to external tools). Hackers have already begun exploiting this flaw against thousands of exposed Flowise instances since April 6, 2025.
IBM Langflow Desktop versions 1.6.0 through 1.8.2 contain a vulnerability that allows an authenticated user (someone who has already logged in) to run arbitrary code on the system. The flaw stems from an insecure default setting that allows deserialization of untrusted data (converting data from an external source back into code without checking if it's safe) in the FAISS component (a component used for similarity searching).
JWCrypto version 1.5.6 has a weakness in its protection against decompression bomb attacks (where compressed data expands to huge sizes). The code only checks the size of the compressed input (limiting it to 250KB), but does not check the size of the decompressed output, allowing an attacker to send a small token that expands to 100MB or more in memory, causing denial of service (a crash from running out of memory) on resource-constrained devices.
The @delmaredigital/payload-puc plugin had a critical authorization flaw where its `/api/puck/*` endpoints (handlers that create, read, update, and delete data) bypassed access control checks, allowing anyone without authentication to read, modify, create, or delete documents in registered collections like website pages. The vulnerability affected only collections explicitly registered with the plugin, not other Payload data collections like users or media.
A mutation XSS (cross-site scripting, where attackers inject malicious code through HTML) vulnerability was found in the justhtml library when using custom sanitization policies that preserve foreign namespaces like SVG or MathML. Specially crafted input could pass through sanitization appearing safe, but then become dangerous when a browser or parser processes it again. This only affects users with custom policies; the default settings are safe.
LiteLLM had three security flaws that combined to allow attackers to take over user accounts: passwords were stored using weak SHA-256 hashing without salt (making them easy to crack with rainbow tables, which are pre-computed lists of password hashes), the password hashes were exposed in API responses that any logged-in user could access, and the login endpoint accepted raw hashes instead of requiring the actual password (a vulnerability called pass-the-hash). An attacker could retrieve another user's password hash through the API and use it directly to log in as that user.
Fix: Update to LobeHub version 2.1.48 or later, which patches this vulnerability. According to the advisory, the fix involves: stopping use of `X-lobe-chat-auth` as an authentication token, removing the simple apiKey truthiness check as an auth decision, and requiring a real server-validated session, OIDC token (a standard authentication protocol), or validated API key for all protected webapi routes. If client payloads are still needed, they should be signed server-side with an HMAC (a cryptographic signature) or replaced with a normal session-bound backend lookup.
GitHub Advisory DatabaseFix: The flaw was patched in Flowise version 3.0.6. Users should upgrade to version 3.0.6 or later, with the latest version being 3.1.1 (released last month).
CSO OnlineResearch from Irregular and Kaspersky shows that all frontier LLMs (large language models, AI systems trained on massive amounts of text) generate passwords that are structurally predictable and much weaker than they appear. When Claude Opus 4.6 was asked to generate passwords 50 times, only 30 distinct passwords emerged, with one password repeating 36% of the time, proving the model retrieves patterns from training data rather than creating truly random passwords. The core problem is architectural: LLMs assign high probability to the most plausible next character based on patterns they learned (like uppercase letters at the start), while cryptographic systems (secure random number generators) must give every character equal probability, making LLM-generated passwords vulnerable to attackers who understand how these models work.
Zero-day vulnerabilities (security flaws unknown to vendors and defenders) are becoming more dangerous and frequent because agentic AI (artificial intelligence systems that can act independently, plan steps, and adjust tactics) automates the process of finding new vulnerabilities at machine speed, compressing the time between discovery and exploitation. Traditional security approaches like annual penetration tests and quarterly scans are no longer sufficient when attackers can probe continuously and adapt quickly without human intervention.
Fix: The source explicitly mentions two mitigations: (1) 'Data minimization' - if an internet-facing service does not need raw sensitive data, it should not be able to retrieve it, using approaches like 'tokenization and non-reversible storage' to reduce the value of a breach; (2) 'API discipline' - ensure every endpoint response is a deliberate security decision, and if a client does not need a field, the API should not return it.
CSO OnlineMicrosoft released the Agent Governance Toolkit, an open-source project that adds a runtime security layer (protective software running during execution) to monitor and control AI agents as they perform complex tasks in production environments. The toolkit addresses ten major security risks identified by OWASP (Open Worldwide Application Security Project, an organization that tracks security threats) for AI agents, including prompt injection (tricking an AI by hiding instructions in its input), goal hijacking, and code execution vulnerabilities. It provides seven modular components across multiple programming languages and integrates with existing AI frameworks without requiring developers to rewrite their code.
Fix: The Agent Governance Toolkit itself serves as the mitigation. It includes specific components: Agent OS (a policy enforcement layer), Agent Mesh (a secure communication and identity framework), Agent Runtime (an execution control environment), Agent SRE, Agent Compliance, and Agent Lightning (covering reliability, compliance, marketplace governance, and reinforcement learning oversight). The toolkit is framework-agnostic and hooks into native extension points of existing frameworks like LangChain, CrewAI, and Google ADK, allowing developers to "introduce governance controls into production systems without disrupting existing workflows." It is available under MIT license and currently in public preview across Python, TypeScript, Rust, Go, and .NET.
CSO OnlineAnthropic announced Project Glasswing, an initiative using its new Claude Mythos AI model to find security vulnerabilities in software before attackers can exploit them. The preview version has already discovered thousands of high-severity zero-day vulnerabilities (previously unknown security flaws) in major operating systems and web browsers, and demonstrated concerning capabilities like autonomously escaping sandboxes (isolated test environments) and bypassing its own safeguards. Because these powerful hacking abilities emerged unexpectedly from improvements to the model's coding and reasoning skills, Anthropic is limiting access to a small group of major tech organizations rather than releasing it publicly.
Fix: The security issue in Claude Code that bypassed safeguards when presented with commands containing more than 50 subcommands has been formally addressed by Anthropic in Claude Code version 2.1.90, released last week.
The Hacker NewsTabletop exercises (simulated crisis scenarios where teams discuss how they'd respond to incidents) have long been used in cybersecurity to test preparedness, but they have a key limitation: they test knowledge of plans rather than the ability to actually execute them, since scenarios follow a fixed script regardless of what the team decides. AI with agentic capabilities (AI systems that can take independent actions and adapt to changing conditions) now makes it possible to create dynamic tabletop exercises where simulated roles like threat actors or journalists respond in real time to the team's decisions instead of following a predetermined sequence.
Fix: The source text describes using 'AI agentic capabilities' to address the limitation, specifically stating that 'AI allows us to have an adversary that adapts to defensive decisions rather than following a' (the text cuts off here). The source indicates this would enable 'roles that were previously absent (e.g., the threat actor, the journalist, the regulator, the customer)' to 'respond to the team's decisions in real time rather than following a fixed sequence,' but does not provide specific implementation details, version numbers, or a complete explanation of how to deploy this solution.
CSO OnlineAI agents have become very skilled at finding bugs in code, especially security vulnerabilities, and can now identify and exploit previously unknown flaws much faster than before. A new AI model called Mythos Preview, created by Anthropic, succeeded at exploiting certain browser vulnerabilities 181 times compared to only twice for an earlier model, showing a major leap in AI's ability to find and exploit security weaknesses. This capability could make it easier for non-security experts to launch cyberattacks, though the article notes that deploying patches (fixes released by software companies) remains the biggest challenge for organizations trying to stay secure.
Fix: The source text does not explicitly describe a fix or mitigation strategy. It notes that 'the industry needs to adjust' with 'new innovations' to help with patch deployment, but does not specify what those innovations should be. N/A -- no mitigation discussed in source.
Embrace The RedOpenAI has introduced a Child Safety Blueprint, a policy framework designed to prevent AI-enabled child sexual exploitation (the use of AI to create, distribute, or facilitate child abuse material). The blueprint addresses three main areas: updating laws to handle AI-generated or altered CSAM (child sexual abuse material), improving how service providers report and coordinate with law enforcement, and building safety features directly into AI systems to detect and prevent misuse. The framework combines legal, operational, and technical approaches and was developed with input from organizations like the National Center for Missing and Exploited Children and state attorneys general.
Fix: The source explicitly mentions these approaches: 'modernizing laws to address AI-generated and altered CSAM, improving provider reporting and coordination to support more effective investigations, and building safety-by-design measures directly into AI systems to prevent and detect misuse.' The framework also emphasizes 'layered defenses — not a single technical control, but a combination of detection, refusal mechanisms, human oversight, and continuous adaptation to emerging misuse patterns.' The source notes that 'getting the prevention architecture right upstream is the single highest-leverage investment the industry can make in child safety.'
OpenAI BlogFix: The actual solution is implemented in version 1.5.7, as noted in the resolving commit. (The source does not provide explicit details of the fix itself, only that v1.5.7 contains the corrected implementation.)
GitHub Advisory DatabaseFix: Fixed in version 0.6.23. The endpoint handlers in `src/endpoints/index.ts` were updated to pass `overrideAccess: false` and forward the request object to Payload's local API, ensuring collection-level access rules are properly evaluated. As a temporary workaround if immediate upgrade is not possible, place a reverse-proxy or middleware authentication check in front of `/api/puck/*` to require an authenticated session before requests reach the plugin.
GitHub Advisory DatabaseFix: Upgrade to justhtml version 1.14.0 or later. If you cannot upgrade immediately, keep `drop_foreign_namespaces=True`, avoid allowlisting foreign namespaces for untrusted input, and avoid allowlisting raw-text containers such as `<style>` in custom policies.
GitHub Advisory DatabaseFix: Fixed in v1.83.0. Passwords are now hashed with scrypt (a much stronger algorithm using a random 16-byte salt with parameters n=16384, r=8, p=1). Password hashes are stripped from all API responses. Existing SHA-256 hashes are transparently migrated to the new format on the user's next login.
GitHub Advisory Database