All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
vLLM (a tool that runs and serves large language models) has a vulnerability in versions 0.10.1 through 0.17.x where two model files ignore a user's security setting that disables remote code execution (the ability to run code from outside sources). This means attackers could run malicious code through model repositories even when the user explicitly turned off that capability.
Fix: Upgrade to version 0.18.0, which patches the issue.
NVD/CVE Database
A federal judge granted Anthropic a preliminary injunction, blocking the Trump administration's ban on federal agencies using the company's Claude AI models and its Pentagon blacklisting as a supply chain risk (a designation claiming use of a company's technology threatens national security). The judge ruled the administration's actions constituted First Amendment retaliation for Anthropic publicly disagreeing with the government's contracting decisions, though a final verdict in the case could take months.
David Sacks, a venture capitalist who served as President Trump's Special Advisor on AI and Crypto, announced he is no longer a special government employee (SGE, a role that allows someone to work part-time for the government while maintaining private sector jobs). His SGE status had a legal limit of 130 days, but questions arose about why he remained in the position for over a year.
Anthropic won a temporary legal victory when a federal judge ordered a pause on the Department of Defense's punishment of the company, which had refused to let the military use its Claude AI model in autonomous weapons systems (systems that can make attack decisions without human control). Anthropic claimed the government violated its free speech rights by declaring it a supply chain risk (a company whose products could be exploited to harm national security) and blocking agencies from using its technology.
OpenAI has launched an advertising pilot program in ChatGPT that generated over $100 million in annual revenue within two months, working with more than 600 advertisers. The ads appear at the bottom of ChatGPT responses, are clearly labeled, and do not influence the AI's answers or appear near sensitive topics like politics or health. Users under 18 are excluded from seeing ads, and OpenAI reports no negative impact on user trust metrics.
The Forge library has a vulnerability in its RSA signature verification that allows attackers to forge signatures on keys with low public exponents (such as e=3). The flaw occurs because Forge's parser for ASN.1 (a format for encoding data structures) doesn't strictly validate the signature structure: it allows extra garbage bytes inside the ASN.1 container and doesn't enforce the required minimum of 8 bytes of padding. This lets attackers construct fake signatures that pass Forge's checks but would be rejected by other cryptographic libraries such as OpenSSL.
OpenClaw has a symlink traversal vulnerability (symlink: a file that points to another file) in two API handlers (`agents.create` and `agents.update`) that use `fs.appendFile` to write to an `IDENTITY.md` file without checking if it's a symlink. An attacker can place a symlink in the agent workspace pointing to a sensitive system file (like `/etc/crontab`), and when these handlers run, they will append attacker-controlled content to that sensitive file, potentially allowing remote code execution. This is an incomplete fix for CVE-2026-32013, which only patched two other handlers but missed these two.
Google Gemini is adding new features that let users transfer their chat history and memory from other AI assistants into Gemini. The "Import Memory" tool works by copying a prompt from Gemini into your previous AI, then pasting the response back into Gemini, while "Import Chat History" lets you export all your past conversations from another AI and upload them to Gemini.
Apple's upcoming iOS 27 update will let users choose which AI chatbot to connect with Siri (Apple's voice assistant), including options like Google's Gemini or Anthropic's Claude downloaded from the App Store. The new feature, called "Extensions," will allow users to enable or disable different chatbots across iPhones, iPads, and Macs, expanding beyond the current ChatGPT integration.
PinchTab v0.8.4, a tool that lets AI agents control Chrome browsers through an HTTP server, has a command injection vulnerability on Windows where attackers can run arbitrary PowerShell commands if they have administrative access to the server's API. The vulnerability exists because the cleanup routine doesn't properly escape PowerShell metacharacters (special characters that PowerShell interprets as commands) when building cleanup commands from profile names.
Fix: Version 0.8.5 contains a patch for the issue.
NVD/CVE Database
PinchTab is an HTTP server that allows AI agents to control a Chrome browser, but versions 0.8.3 through 0.8.5 have a security flaw where two endpoints (POST /wait and POST /tabs/{id}/wait) can execute arbitrary JavaScript (run code of an attacker's choice in the browser) even when JavaScript evaluation is disabled by the operator. Unlike the properly protected POST /evaluate endpoint, these vulnerable endpoints don't check the security policy before running user-provided code, though an attacker still needs valid authentication credentials to exploit it.
Fix: The source states that 'the current worktree fixes this by applying the same policy boundary to `fn` mode in `/wait` that already exists on `/evaluate`, while preserving the non-code wait modes.' However, the source explicitly notes 'as of time of publication, a patched version is not yet available.'
NVD/CVE Database
PinchTab is an HTTP server (a program that handles web requests) that lets AI agents control a Chrome browser, but versions 0.7.7 through 0.8.4 had incomplete protections against brute-force attacks (rapid repeated requests) on endpoints that check authentication tokens. The middleware (software layer that filters requests) designed to limit requests per IP address was either not activated or had flaws like trusting client-controlled headers, making it easier for attackers to guess weak passwords if they could reach the API.
Fix: This was fully addressed in v0.8.5 by applying RateLimitMiddleware in the production handler chain, deriving the client address from the immediate peer IP instead of trusting forwarded headers by default, and removing the /health and /metrics exemption so auth-checkable endpoints are throttled as well.
NVD/CVE Database
PinchTab, an HTTP server that lets AI agents control Chrome browsers, had a vulnerability in versions 0.7.8 through 0.8.3 where API tokens (credentials that prove you're authorized to use the service) could be passed as URL query parameters, making them visible in logs and browser history instead of being kept private in secure headers. This exposed sensitive credentials to intermediary systems that record full URLs, though it only affected deployments that actually used this method of passing tokens.
Fix: This was addressed in v0.8.4 by removing query-string token authentication and requiring safer header- or session-based authentication flows.
NVD/CVE Database
PinchTab v0.8.3, a tool that lets AI agents control Chrome browsers through an HTTP server, has a server-side request forgery vulnerability (SSRF, where the server can be tricked into making requests to unintended targets) in its optional webhook system. When tasks are submitted with a user-controlled callback URL, the server sends an HTTP request to that URL without properly validating it, allowing attackers to make the server send requests to private or internal network addresses.
Fix: This was addressed in v0.8.4 by validating callback targets before dispatch, rejecting non-public IP ranges, pinning delivery to validated IPs, disabling redirect following, and validating callbackUrl during task submission.
NVD/CVE Database
Android Canvas WebView pages (web content displayed inside an Android app) from untrusted sources could call the JavascriptInterface bridge (a connection that lets web code run native app commands), allowing attackers to inject malicious instructions into the app. The vulnerability was fixed by validating the origin (where the web content comes from) before allowing bridge calls.
Fix: Update to version 2026.3.22 or later. The fix validates page origin and rejects untrusted bridge calls, with trusted origin and path validation now centralized in CanvasActionTrust.kt.
GitHub Advisory Database
CISA warns that hackers are actively exploiting CVE-2026-33017, a critical vulnerability (rated 9.3 out of 10) in Langflow, an open-source framework for building AI workflows. This code injection flaw allows attackers to execute arbitrary Python code and gain remote code execution (the ability to run commands on a system they don't own) on unpatched systems running version 1.8.1 or earlier, with exploitation beginning just 20 hours after the vulnerability details were made public.
Fix: System administrators should upgrade to Langflow version 1.9.0 or later, which addresses the vulnerability. Alternatively, administrators can disable or restrict the vulnerable endpoint. Endor Labs additionally recommends not exposing Langflow directly to the internet, monitoring outbound traffic, and rotating API keys, database credentials, and cloud secrets if suspicious activity is detected.
BleepingComputer
Google is expanding Search Live, an AI search assistant that lets users search the web using their voice and camera to ask questions about physical objects or tasks. The feature, which initially launched in the US, is now available in over 200 countries and territories in dozens of languages, with Google powering this global expansion using its latest technology.
F5 BIG-IP APM (a network access management tool) contains an unspecified vulnerability that allows attackers to achieve remote code execution (the ability to run commands on a system they don't own). This vulnerability is being actively exploited in the wild, making it an urgent security concern.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Check for signs of potential compromise on all internet-accessible F5 products affected by this vulnerability. Consult F5's official guidelines and the referenced knowledge base articles at https://my.f5.com/manage/s/article/K000156741, https://my.f5.com/manage/s/article/K000160486, and https://my.f5.com/manage/s/article/K11438344 to assess exposure and mitigate risks.
CISA Known Exploited Vulnerabilities
Financial institutions deploying agentic AI (autonomous AI systems that make decisions and take actions independently) must add AI-specific security controls beyond traditional frameworks like ISO 27001 and NIST, because these systems' autonomous nature and non-deterministic behavior introduce unique risks. The source recommends two critical capabilities: comprehensive observability (clear visibility into what AI agents do and why) and fine-grained access controls (limiting what tools and actions each agent can use), supported by seven design principles including human-AI security homology (applying human oversight rules to AI agents) and modular agent workflow architecture.
Fix: The source provides design principles and implementation guidance rather than explicit patches or updates. It recommends: (1) implementing agent identities with role- and attribute-based permissions; (2) adding logging and behavioral monitoring; (3) requiring supervision for critical actions; (4) defining agent scope in workflows; (5) applying segregation of agent duties; (6) using maker-checker verification (where one agent proposes an action and another verifies it); and (7) implementing change and incident management. The source also advises readers to 'consult with your compliance and legal teams to determine specific requirements for your situation' and notes that 'regulatory requirements establish minimum baselines, but organizational risk considerations often require additional controls.'
AWS Security Blog
Shadow AI refers to AI tools that employees use without approval from their organization, whether these are standalone tools or AI features embedded in existing software that weren't clearly communicated. CISOs (chief information security officers, the executives responsible for an organization's security) need to assess the risks these tools pose, understand why employees are using them, and decide whether to block them or bring them into official company use.
Fix: The source describes a response approach rather than a technical fix: CISOs should (1) assess the specific risk by examining data sensitivity, how the AI provider handles data, and whether a breach occurred, (2) understand why employees are using shadow AI and educate them on the risks, (3) check whether the organization already has approved tools that meet the same needs, and (4) redirect employees to approved alternatives "with a serious reminder" of approval requirements. The source also notes that organizations with slow AI adoption tend to see more shadow AI use, suggesting faster official adoption may reduce instances.
CSO Online