All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
MLflow has a security flaw called an authorization bypass (a weakness where access controls are not properly checked) in its AJAX endpoint (a web interface used to download model files) that allows users without permission to download saved model artifacts they shouldn't be able to access. This affects MLflow versions up to 3.10.1 and has a CVSS score (a 0-10 rating of severity) of 5.3, considered medium severity.
MLflow has a stored XSS vulnerability (cross-site scripting, where malicious code hidden in data executes when viewed in a web browser) in how it handles YAML-based MLmodel artifact files. An authenticated attacker can upload a specially crafted MLmodel file that runs malicious code when another user views it in the web interface, potentially letting the attacker hijack sessions or perform actions as that user. This affects MLflow version 3.10.1 and earlier.
Attackers are targeting over 1,000 publicly accessible ComfyUI instances (a platform for running AI image generation) with an automated scanner that exploits a misconfiguration allowing unauthenticated remote code execution (the ability to run commands on a system without permission). Once compromised, these systems are enrolled in botnets (networks of infected computers controlled remotely) to mine cryptocurrency and serve as proxies.
Broadcom, a chip designer, announced new deals to produce AI chips for Google and expanded its partnership with Anthropic (an AI company), causing its stock price to rise 3.7% in premarket trading. The deals include revenue commitments and access to computing capacity, which analysts believe signal strong future demand for custom AI chips and may ease investor concerns about competition.
Modern cybersecurity is shifting from a reactive model (detecting and responding to attacks after they happen) to a proactive model that aims to disrupt attackers before they strike, because attack timelines have collapsed dramatically. Cyber attacks now unfold in seconds rather than hours, with artificial intelligence automating key attack phases, making traditional defense inadequate. In response, both the U.S. government and major tech companies are investing in legal and technical capabilities like litigation, takedowns, and public exposure of tools to impose cost and friction on threat actors across the entire attack ecosystem.
A vulnerability in HuggingFace Transformers' `Trainer` class (a tool for training AI models) allows attackers to run arbitrary code by providing a malicious checkpoint file. The problem occurs because the `_load_rng_state()` method calls `torch.load()` without the `weights_only=True` parameter (a safety setting that restricts deserialization to tensors and basic types rather than arbitrary pickled objects whose unpickling can execute code), leaving systems vulnerable when using PyTorch versions below 2.6.
Flowise, an open-source AI platform, has a maximum-severity vulnerability (CVE-2025-59528, CVSS score 10.0) in its CustomMCP node that allows attackers to execute arbitrary JavaScript code on the server without validation, potentially leading to full system compromise and data theft. The flaw requires only an API token to exploit and is being actively exploited in the wild against over 12,000 exposed Flowise instances.
Broadcom has agreed to produce AI chips for Google and signed an expanded deal with Anthropic, giving the AI startup access to about 3.5 gigawatts of computing capacity (the amount of processing power available at one time) using Google's custom processors called TPUs (tensor processing units, which are specialized chips designed to run AI models). This reflects growing demand for the computing infrastructure needed to run generative AI (AI systems that create new text, images, or other content) at scale.
Anthropic's Claude Code CLI and Claude Agent SDK have a vulnerability where authentication helper settings are executed with shell=true (allowing shell commands to run) without checking the input first. An attacker who can change settings like apiKeyHelper or awsAuthRefresh could inject shell metacharacters (special characters that have meaning in command shells) to run arbitrary commands with the user's privileges, potentially stealing credentials or accessing environment variables.
Anthropic's Claude Code CLI and Claude Agent SDK have a vulnerability where attackers can execute arbitrary commands (run any code they want) by inserting shell metacharacters (special characters like $() that tell the system to run commands) into file paths. Even though the code tries to protect these paths by wrapping them in double quotes, the POSIX shell (the command-line interface on Unix/Linux systems) still processes these injected expressions, giving attackers the same permissions as the user running the CLI.
Anthropic's Claude Code CLI and Claude Agent SDK have a vulnerability where attackers can run arbitrary commands by manipulating the TERMINAL environment variable (a setting that controls which terminal program to use). When the software constructs shell commands, it doesn't properly sanitize the TERMINAL variable, allowing attackers to inject shell metacharacters (special characters that have meaning to command interpreters) that get executed with the user's privileges.
text-generation-webui is an open-source web interface for running Large Language Models (AI systems that generate text). Before version 4.1.1, the application allowed users to save extension settings as Python files (code files that run on servers) in the main app directory, which could let attackers overwrite important Python files like 'download-model.py' and execute malicious code when users tried to download a new model.
PartitionedDataset in kedro-datasets had a path traversal vulnerability (a security flaw where an attacker uses ".." sequences to access files outside an intended directory) that allowed attackers to write files anywhere on a system by including ".." in partition IDs (identifiers for data sections). This affected all users regardless of storage type, local or cloud-based.
GrafanaGhost is a critical vulnerability in Grafana (a data visualization platform) that uses indirect prompt injection (tricking an AI by hiding malicious instructions in data it processes) to steal sensitive enterprise data without requiring user authentication or interaction. Attackers chain together multiple exploits, including bypassing URL validation and AI safety guardrails, to trick Grafana's AI into sending confidential information to attacker-controlled servers.
Fix: Grafana has rolled out a fix for this issue. Additionally, security experts recommend: identifying exposure by checking whether Grafana AI/LLM features are enabled, patching to the latest version, restricting "img-src" (image source permissions) to known domains, and applying egress controls (network rules that limit outbound data traffic).
CSO Online
OpenAI has published policy proposals suggesting that companies should trial four-day work weeks as AI tools become more capable and potentially displace workers from jobs. The company argues that AI systems will soon complete projects in days that currently take months, and recommends employers offer benefits like reduced work hours without pay cuts, increased retirement contributions, and subsidized childcare to help workers adapt to this shift.
Google has redesigned Gemini's crisis response feature to make it faster for users in distress to access mental health resources. When the chatbot detects a conversation indicating potential suicide or self-harm risk, it now presents a streamlined 'Help is available' module that connects users to crisis resources like suicide hotlines or crisis text lines more quickly.
Fix: Google updated Gemini to streamline its crisis response into a 'one-touch' module (based on the partial text provided, the exact mechanism is not fully detailed in the source). The system detects conversations indicating suicide or self-harm risk and launches the 'Help is available' module to direct users to mental health crisis resources.
The Verge (AI)
Multi-tenant SIEM (security information and event management, a platform that collects and analyzes security data from many sources) solutions share physical resources like CPU and memory among different customers, creating a "noisy neighbor" problem where one customer's heavy workload can slow down threat detection for others and violate service promises. While vendors market cloud-based SIEM as efficient and reliable, most don't publicly discuss how they prevent this fairness issue, which requires sophisticated engineering strategies like fair-share scheduling (giving each customer a proportional share of resources) and intelligent queuing rather than simple rate-limiting.
Fix: The issue is resolved in version v5.0.0rc3.
NVD/CVE Database
Fix: The vulnerability was addressed in version 3.0.6 of the npm package. Users should upgrade to this version or later.
The Hacker News
As AI models become more powerful, they create both greater risks and opportunities for security. CrowdStrike argues that while companies like Anthropic build safer models, organizations also need deployment governance (security controls for how and where AI runs in a company) to protect data and systems when AI agents access databases, workflows, and sensitive information. CrowdStrike offers tools for discovering all AI applications in use, monitoring what data they access, and preventing sensitive information from being exposed through AI workflows.
This research paper describes a method for automatically generating password mangling rules (transformations that modify passwords systematically) using adaptive density clustering (a technique that groups similar data points together based on how densely packed they are). The approach aims to improve password security by learning patterns from real password data to create more effective rules for testing password strength.
OpenAI has asked California and Delaware attorneys general to investigate what it calls 'anti-competitive behavior' by Elon Musk, claiming he is working to undermine the company through attacks and coordination with other rivals ahead of an April trial. OpenAI alleges that Musk has conducted opposition research on CEO Sam Altman, spread false allegations, and is using legal efforts to benefit his competing AI company xAI, which faces its own investigations for generating non-consensual explicit deepfake content.
Fix: This vulnerability is fixed in version 4.1.1.
NVD/CVE Database
Fix: Upgrade to kedro-datasets version 9.3.0 or later. The patch normalizes paths using `posixpath.normpath` and validates that resolved paths stay within the dataset base directory before use, raising a `DatasetError` if the path escapes. For users unable to upgrade, manually validate partition IDs to ensure they do not contain ".." path components before passing them to PartitionedDataset.
GitHub Advisory Database