All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
At the 2026 RSA cybersecurity conference, industry leaders identified a clear divide among CISOs (chief information security officers, top security leaders at companies) in their approach to AI: about 20% are proactive and strategic, 40% are confused about AI risks in their organizations, and 40% are unaware of AI projects happening around them. The article predicts that confused CISOs will face a difficult transition to becoming proactive, requiring them to assess business goals, create governance frameworks (policies and rules for managing AI), and implement guardrails (safety controls) while their organizations continue developing AI. Legacy security vendors currently have an advantage in selling AI tools, but simply adding AI to existing security tools will not work long-term, and companies instead need to build strong AI foundations (data systems, control systems, and safety measures) before adding AI agents on top.
This advisory describes GHSA-73jv-44c3-j5p2, an authorization bypass vulnerability in Ajenti (a system management tool) that occurs during custom package installation. The provided content explains the framework used to measure vulnerability severity (attack vector, complexity, required privileges, and potential impacts on confidentiality, integrity, and availability), but does not describe the actual vulnerability details or how it works.
OpenClaw versions up to 2026.3.28 have a vulnerability where attackers can create fake DeviceTokens (authentication identifiers) to bypass rate limiting (restrictions on how many login attempts are allowed), making brute force attacks possible on weak shared passwords. The vulnerability is most dangerous in systems using shared authentication (where multiple users have the same password) rather than strong token-based security.
OpenClaw, an LLM agent framework, had a vulnerability where an AI agent could bypass approval controls by using a `config.patch` command (a way to modify settings) to silently disable execution approval requirements. This means an agent could potentially perform restricted actions without human permission.
Cloudflare launched EmDash, a new content management system (CMS, software for building and managing websites) that it positions as a more secure alternative to WordPress, avoiding the cybersecurity problems caused by WordPress plugins. EmDash is fully open source under the MIT license (a permissive license allowing broad reuse and modification) and is designed for modern web development, including compatibility with AI agents, rather than the aging WordPress architecture.
Microsoft's Copilot, an AI add-on for business productivity software, has faced slow adoption despite the company's heavy investment in AI infrastructure, though executives claim recent sales improvements. The company had 15 million users of its $30-per-month Microsoft 365 Copilot as of January, representing only 3% of available seats, and analysts expected higher numbers. Microsoft adjusted its sales strategy after receiving feedback, focusing on getting more users onto the free Copilot Chat feature alongside paid Copilot seats.
Cisco released patches for a critical vulnerability (CVE-2026-20093) in its Integrated Management Controller (IMC, a dedicated controller embedded in server motherboards that manages servers remotely even when the main operating system is off). The flaw allows unauthenticated attackers to bypass authentication and gain admin access by sending specially crafted HTTP requests to exposed IMC interfaces. The vulnerability affects many Cisco servers and appliances, particularly those with IMC interfaces exposed to local networks or the internet.
Threat actors exploited a March 31 accidental leak of Claude Code's source code (a terminal-based AI agent from Anthropic) by creating fake GitHub repositories that deliver Vidar infostealer malware to users searching for the leaked code. The repositories use search engine optimization to appear in Google results and trick users into downloading a malicious executable that deploys information-stealing and network-proxying tools.
Group-Office, a business tool for managing customer relationships and shared calendars, has a security flaw in how it processes saved settings before version 6.8.156, 25.0.90, and 26.0.12. An authenticated attacker (someone with a login) can insert malicious data into settings that makes the application execute harmful code on the server by exploiting insecure deserialization (unsafe conversion of stored data back into executable objects).
vLLM versions 0.5.5 through 0.17.x have a bug where Librosa (a library that processes audio) uses a simple averaging method for mono downmixing (converting multi-channel audio to single-channel), but the international standard ITU-R BS.775-4 requires a weighted algorithm instead. This causes audio to sound different to humans than what AI models actually process, creating a mismatch in how the same audio is experienced.
OpenAI has acquired TBPN, a daily technology news podcast that covers AI and interviews major tech leaders. The acquisition is part of OpenAI's effort to create a platform for discussion about how AI is changing society, though the company says TBPN will maintain editorial independence and continue choosing its own guests.
A supply chain attack compromised the axios npm package (versions 1.14.1 and 0.30.4) by injecting a malicious dependency that installs a RAT (remote access trojan, malware giving attackers shell access and command execution). The @lightdash/cli package could resolve to these compromised axios versions during installation, potentially affecting users who installed @lightdash/cli versions 0.1800.0 through 0.2695.0 without a lockfile (a file that pins exact dependency versions) during the roughly 3-hour window the malicious versions were available on npm.
This is a monthly briefing post by Simon Willison from April 2, 2026, covering developments in LLM (large language model) tools and services, including updates to the llm command-line tool, Google's Gemini AI, and Google's Gemma model. The post appears to be an announcement of a sponsored monthly email digest tracking important LLM developments, though specific technical details about changes or issues are not provided in the content.
SillyTavern, a local application that lets users interact with AI text generation models and other AI tools, had a security flaw in versions before 1.17.0 where it didn't properly validate all types of network addresses. The validation only checked for standard IPv4 addresses (like 127.0.0.1) but missed other ways to refer to the local computer, such as 'localhost' or IPv6 addresses, which could allow SSRF (server-side request forgery, where an attacker tricks the application into making unwanted network requests to internal services).
SillyTavern is a locally installed interface for interacting with text generation AI models and related tools. Before version 1.17.0, it had a path traversal vulnerability (a flaw where an attacker can access files outside the intended directory) that allowed authenticated attackers to read and delete arbitrary files like secrets.json and settings.json by manipulating the avatar_url parameter.
SillyTavern is a locally installed interface for interacting with text generation models and AI tools. Before version 1.17.0, it had a path traversal vulnerability (a flaw that lets attackers access files outside the intended directory) that allowed unauthenticated users to check whether files exist anywhere on the server by sending specially encoded requests with "../" sequences to the file routes.
SillyTavern, a locally installed interface for interacting with AI text generation models, had a path traversal vulnerability (a flaw that lets attackers write files outside the intended directory) in its /api/chats/import feature prior to version 1.17.0. An authenticated attacker could exploit this by injecting traversal sequences into the character_name field to place malicious files outside the chats directory.
Fix: Update OpenClaw to version 2026.3.31 or later; the patching commit is af0c0862f22ca4492406a3103d05e3628f94cbe9, dated 2026-03-31.
Source: GitHub Advisory Database

Fix: The vulnerability was fixed in commit 76411b2afc4ae721e36c12e0ea24fd23e2fed61e on 2026-03-27 and released in version 2026.3.28. Users should update to OpenClaw version 2026.3.28 or later.
Source: GitHub Advisory Database

Granola, an AI-powered note-taking app that records meetings and generates summaries, makes your notes viewable to anyone who has the link by default, despite claiming notes are "private by default." Additionally, Granola uses your notes for internal AI training unless you actively opt out of this practice.
Agentic AI systems (AI that autonomously connects to software tools and uses large language models as reasoning engines to plan and execute actions) present unique security challenges because they operate at machine speed with real-world consequences, unlike traditional software or human-reviewed generative AI. The main risks are that agents can carry out unintended actions before humans can intervene, and they may not recognize ambiguities or understand unstated policy boundaries like humans do. Security responses don't require entirely new frameworks but should extend existing ones (like NIST's Cybersecurity Framework) with four foundational principles addressing both traditional software components and AI-specific elements.
This podcast episode discusses how AI coding models reached an inflection point in November 2025 when GPT 5.1 and Claude Opus 4.5 became reliable enough that generated code mostly works without extensive manual fixes, fundamentally changing how software engineers work. The speaker highlights that code quality is easier to verify than other knowledge work (like legal documents), making software engineers early adopters facing questions about career changes as AI agents (programs that can take actions autonomously) handle tasks that previously consumed most development time. The episode also touches on practical uses of AI for coding on mobile devices and the importance of testing before deploying AI-generated code to users.
Fix: Update to version 6.8.156, 25.0.90, or 26.0.12, depending on your current branch. The vulnerability has been patched in these versions.
Source: NVD/CVE Database

Fix: This issue has been patched in version 0.18.0.
Source: NVD/CVE Database

Fix: Upgrade @lightdash/cli immediately to version 0.2695.1, which pins axios to the safe version 1.14.0, using: `npm install -g @lightdash/cli@0.2695.1`. If unable to upgrade immediately, force install the safe axios version with `npm install -g axios@1.14.0 --force`. For Docker images or lockfile-based setups, verify axios is not version 1.14.1 or 0.30.4 by running `npm ls axios`. Additionally, block network traffic to the attacker's command-and-control servers (`sfrclak[.]com` and `142.11.206.73:8000`) at the network level. If compromise is suspected, check for RAT artifacts (macOS: `/Library/Caches/com.apple.act.mond`, Windows: `%PROGRAMDATA%\wt.exe`, Linux: `/tmp/ld.py`), and if found, rotate all credentials and secrets.
Source: GitHub Advisory Database

Fix: Update to version 1.17.0 or later, where this issue has been patched.
Source: NVD/CVE Database

Fix: This issue has been patched in version 1.17.0. Users should update to version 1.17.0 or later.
Source: NVD/CVE Database

Fix: This issue has been patched in version 1.17.0.
Source: NVD/CVE Database

Fix: This issue has been patched in version 1.17.0. Users should upgrade to version 1.17.0 or later.
Source: NVD/CVE Database