All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Mesop, a web framework, has a vulnerability in its WebSocket (a protocol for real-time two-way communication between client and server) handler where it creates a new operating system thread for every incoming message without any limits. An attacker can send thousands of messages rapidly, exhausting the server's thread capacity and causing an Out of Memory error that crashes the application for all users.
Fix: The source text recommends four mitigation strategies: (1) Use a bounded thread pool (such as ThreadPoolExecutor with max_workers), (2) Introduce per-connection rate limiting, (3) Implement a message queue with backpressure (preventing queue overflow by slowing down senders), or (4) Consider migrating to an async event loop model instead of spawning OS threads. No specific patch version or code fix is provided.
Source: GitHub Advisory Database
vLLM's `VideoMediaIO.load_base64()` method has a vulnerability where it processes `video/jpeg` data URLs (a vLLM-specific format for sending multiple JPEG frames) without limiting how many frames can be included. An attacker can send thousands of comma-separated base64-encoded JPEG frames in a single API request, causing the server to decode all of them into memory at once and crash due to running out of memory (OOM, or out-of-memory error).
vLLM (a language model serving framework) has a Server-Side Request Forgery vulnerability (SSRF, where an attacker tricks a server into making requests to unintended targets) in its batch processing feature. An attacker who can submit batch input JSON can make the vLLM server send arbitrary HTTP requests to any URL, including internal services like cloud metadata endpoints, because the `download_bytes_from_url` function has no restrictions on which domains or IP addresses it will contact.
OpenClaw versions before 2026.4.2 have a security flaw in their Google Gemini login process where a secret value (PKCE verifier, a random code used to protect OAuth authorization) is reused as the state parameter (a value meant to prevent certain attacks) and exposed in the redirect URL (the page the user is sent to after login). Attackers who intercept this URL can steal both the authorization code and the PKCE verifier, bypassing the protection it was supposed to provide and allowing them to steal login tokens.
OpenAI's CEO of AGI deployment (artificial general intelligence, an AI system that can handle any intellectual task), Fidji Simo, is taking medical leave for several weeks due to a neuroimmune condition. During her absence, other company leaders including President Greg Brockman will take over her responsibilities for product development and business operations.
LlamaIndex version 0.14.20 includes multiple updates across its callback and core modules, with a primary focus on fixing a vulnerability in NLTK (a natural language processing library that helps AI systems understand and work with human language). The release also updates various dependencies and fixes minor bugs in code formatting and syntax.
MLflow (an open-source machine learning platform) has a vulnerability where certain API endpoints under `/ajax-api/3.0/jobs/*` skip authentication checks (verification of who you are) even when basic-auth protection is enabled. If job execution is turned on, attackers can submit, run, read, and cancel jobs without logging in, potentially leading to remote code execution (running malicious commands on the server) or causing denial of service attacks (making the system unavailable).
Claude Code has a vulnerability where commands with more than 50 subcommands (smaller operations within a larger command) cause the tool to skip its security checks for subcommands after the 50th, asking users to approve them without proper safety analysis. Attackers could exploit this by hiding malicious commands in legitimate-looking code repositories, potentially stealing user credentials and compromising entire software projects.
A bug in the Linux kernel's memory management was causing the system to crash when handling lazyfree folios (large memory pages marked for lazy freeing). The problem occurred because when unmapping multiple page table entries (PTEs, the pointers that map virtual memory to physical memory) in a batch, the code incorrectly set all of them as writable even if some should have been read-only, which violated memory safety rules and triggered a crash.
FastMCP (a framework for building MCP applications, which are tools that extend AI assistants) has a command injection vulnerability (a security flaw where an attacker can run unauthorized commands) in versions before 3.2.0 on Windows. When server names contain shell metacharacters like '&', they can be misinterpreted by the Windows command interpreter and allow attackers to execute malicious commands during installation.
vLLM's OpenAI-compatible API server has a denial-of-service vulnerability where an attacker can send a request with an extremely large `n` parameter (a value that controls how many independent response sequences to generate). Because the server doesn't validate an upper limit on this parameter, it attempts to create millions of copies of the request object in memory, which overwhelms the system and causes it to crash from running out of memory (OOM, out-of-memory).
A Linux kernel component called dpaa2-switch had a bug where it would check if an invalid interface ID (if_id) was received but wouldn't clear the interrupt status (a signal that tells the system an event happened), causing the system to be repeatedly triggered by the same bad signal in what's called an interrupt storm (constant, repetitive alerts). The fix is to clear the interrupt status even when an invalid if_id is detected, preventing the repeated triggering.
Claude's source code was leaked, revealing problems in how the software supply chain (the process of developing, distributing, and maintaining software) is protected. The incident shows that companies need stronger security controls at every step of software development, similar to how critical infrastructure like power grids are protected.
OpenAI announced its purchase of TBPN (Technology Business Programming Network), a media company that streams a daily three-hour tech talk show, marking another acquisition alongside its $6.4 billion purchase of hardware startup io. The acquisition strategy appears unclear to investors and analysts, as the company faces intensifying competition from rivals like Google and Anthropic while dealing with significant losses from infrastructure spending ahead of a planned IPO.
Meta and other AI labs paused work with Mercor, a company that hires contractors to generate training data for AI models, after a security breach exposed proprietary datasets that could reveal competitive secrets to rivals. The breach occurred through a compromised version of LiteLLM (an API tool, which is software that allows different programs to communicate), likely by a hacking group called TeamPCP, affecting thousands of organizations and potentially exposing hundreds of gigabytes of Mercor's confidential data.
Fix: Update OpenClaw to version 2026.4.2 or later.
Source: NVD/CVE Database
Fix: Update to version 0.14.20, which includes the fix for the NLTK vulnerability across all affected modules (llama-index-agent-agentmesh, llama-index-callbacks-agentops, llama-index-callbacks-aim, and others).
Source: LlamaIndex Security Releases
A threat group called UAT-10608 is exploiting React2Shell (CVE-2025-55182, a pre-authentication remote code execution vulnerability in Next.js applications), a flaw that was patched four months ago, to steal credentials and tokens from unpatched servers at scale. Researchers discovered the attackers' exposed web dashboard, which revealed they had successfully compromised 766 hosts in 24 hours and stolen credentials from major services like AWS, Azure, OpenAI, GitHub, and others. The vulnerability allows attackers to send malicious code payloads to server endpoints without authentication, triggering arbitrary code execution that deploys credential-harvesting tools.
Fix: A fix was issued four months ago. Additionally, the source states that 'victims and service providers with exposed and at-risk credentials, including AWS and GitHub, are being notified,' and IT professionals should 'act quickly' to patch React servers in their environment before credentials are stolen.
Source: CSO Online
Researchers have developed AISM (adversarial image steganography model, a technique that hides data inside images while making them resistant to AI recognition), a method for protecting images from being recognized by unauthorized AI systems. The approach uses adversarial techniques (methods that deliberately trick AI models by adding subtle, invisible changes to data) combined with steganography (the practice of hiding information within other data) to prevent unwanted AI analysis while keeping the images visually normal to humans. This work addresses privacy concerns where people want to prevent their images from being processed by AI systems without permission.
Fix: Anthropic has already developed a fix called the tree-sitter parser (a tool that analyzes code structure more carefully), which is included in the source code but has not been enabled in the public builds that customers currently use.
Source: CSO Online
Fix: Update FastMCP to version 3.2.0 or later, where this issue has been patched.
Source: NVD/CVE Database
Fix: Clear the interrupt status after detecting an out-of-bounds if_id to avoid the interrupt storm problem.
Source: NVD/CVE Database
This research evaluates 28 large language models on named entity recognition (NER, the task of identifying and labeling people, places, and organizations in text) across 13 datasets to understand how well they perform. The study found that all models experience hallucinations (where the AI generates false or unsupported information), but a two-phase framework called LLM-NER that includes a "Check phase" to verify recognized entities can help reduce these errors.
Fix: The source proposes an LLM-NER framework with a Check phase designed to mitigate hallucinations: "the Check guides LLMs to examine the correctness of recognized entities, which is designed to mitigate hallucinations in the NER scenario." The research demonstrates this approach is "a feasible way to alleviate hallucinations."
Source: IEEE Xplore (Security & AI Journals)
This news roundup covers several security incidents: a data leak from ChatGPT, a rootkit (malware that hides itself deep in a system to maintain control) discovered on Android devices, and a ransomware attack (malware that encrypts files and demands payment) on a water treatment facility. The article also mentions a Symantec vulnerability, a new anti-ClickFix defense added to macOS (a mechanism to block a social engineering attack that tricks users into visiting malicious websites), and an FBI hack classified as a major incident.
Enterprises are facing growing security risks on mobile devices because unauthorized AI (shadow AI, meaning AI tools deployed without official approval) is being hidden in everyday apps, combined with outdated mobile devices and zero-click exploits (attacks that work without any user interaction like clicking a link). These factors together create mobile security threats that are hard for organizations to detect and manage.