All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Attackers can use large language models (LLMs, AI systems trained on vast amounts of text to generate human-like responses) to create phishing pages that appear safe at first but transform into malicious sites after a victim visits them. The attack works by having a webpage secretly request the LLM to generate malicious JavaScript (code that runs in web browsers) using carefully crafted prompts that trick the AI into ignoring its safety rules, then assembling and running this code inside the victim's browser in real time. Because the malicious code is generated fresh each time and comes from trusted AI services, it bypasses traditional network security checks.
Fix: The source explicitly recommends runtime behavioral analysis to detect and block malicious activity at the point of execution within the browser. Palo Alto Networks customers are advised to use Advanced URL Filtering, Prisma AIRS, and Prisma Browser with Advanced Web Protection. Organizations are also encouraged to use the Unit 42 AI Security Assessment to help ensure safe AI use and development.
Palo Alto Unit 42Langfuse versions 3.146.0 and earlier have a security flaw in the Slack integration endpoint that doesn't properly verify users before connecting their Slack workspace to a project. An attacker can exploit this to connect their own Slack workspace to any project without permission, potentially gaining access to prompt changes or replacing automation integrations (configurations that automatically perform tasks when triggered). This vulnerability affects the Prompt Management feature, which stores AI prompts that can be modified.
vLLM (a system for running and serving large language models) had a security flaw in versions 0.10.1 through 0.13.x where it automatically loaded code from model repositories without checking if that code was trustworthy, allowing attackers to run malicious Python commands on the server when a model loads. This vulnerability doesn't require the attacker to have access to the API or send requests; they just need to control which model repository vLLM tries to load from.
Claude Code (an agentic coding tool, meaning an AI that can write and modify code) had a vulnerability before version 2.0.65 where malicious code repositories could steal users' API keys (secret authentication tokens). An attacker could hide a settings file in a repository that redirects API requests to their own server, and Claude Code would send the user's API key there before showing a trust confirmation prompt.
CVE-2025-66960 is a vulnerability in Ollama v.0.12.10 where a remote attacker can cause a denial of service (making a service unavailable by overwhelming it) by sending malicious GGUF metadata (a file format used in machine learning). The issue is in the readGGUFV1String function, which reads string length data from untrusted sources without properly validating it.
CVE-2025-66959 is a vulnerability in ollama v.0.12.10 that allows a remote attacker to cause a denial of service (making a service unavailable by overwhelming it) through the GGUF decoder (the part of the software that reads GGUF format files). The vulnerability stems from improper input validation and uncontrolled resource consumption in how the decoder processes data.
The article argues that stronger copyright laws, often promoted as protecting creators from big tech, actually concentrate power among large corporations and create barriers that prevent competition and innovation. In the AI context specifically, requiring developers to license training data would be so expensive that only the largest companies could afford to build AI models, reducing competition and ultimately harming consumers through higher costs and worse services.
SQLBot is a data query system that uses a large language model and RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions) to help users query databases. Versions before 1.5.0 have a missing authentication vulnerability in a file upload endpoint that allows attackers without login credentials to upload Excel or CSV files and insert data directly into the database, because the endpoint was added to a whitelist that skips security checks.
LlamaIndex version 0.14.13 is a release that includes multiple updates across its core library and integrations, featuring new capabilities like early stopping in agent workflows, token-based code splitting, and distributed data ingestion via RayIngestionPipeline. The release also includes several bug fixes, such as correcting error handling in aggregation functions and fixing async integration issues, plus security improvements that removed exposed API keys from notebook outputs.
NVIDIA Merlin Transformers4Rec contains a code injection vulnerability (CWE-94, a weakness where attackers can trick software into running malicious code) that could let attackers execute arbitrary code, gain elevated permissions, steal information, or modify data. The vulnerability affects all platforms running this software. A CVSS severity score has not yet been assigned by NIST.
ChatterBot versions up to 1.2.10 have a vulnerability that causes denial-of-service (when a service becomes unavailable due to being overwhelmed), triggered when multiple concurrent calls to the get_response() method exhaust the SQLAlchemy connection pool (a group of reusable database connections). The service becomes unavailable and requires manual restart to recover.
An attacker who exploits a React2Shell vulnerability (a deserialization flaw allowing arbitrary code execution) in a Next.js application can steal the NEXTAUTH_SECRET environment variable and use it to mint forged authentication cookies, gaining persistent access as any user. The attacker only needs this one secret value to create valid session tokens because next-auth uses HKDF (HMAC-based Key Derivation Function, which derives encryption keys from a master secret) with predictable salt values based on cookie names.
Fix: This issue has been fixed in version 3.147.0.
NVD/CVE DatabaseFix: Upgrade to vLLM version 0.14.0, which fixes this issue.
NVD/CVE DatabaseFix: Update Claude Code to version 2.0.65 or later. The source states: 'Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version.'
NVD/CVE DatabaseFix: Update to version 1.5.0 or later, where the vulnerability has been fixed.
NVD/CVE DatabaseThis research analyzes how discussions about Generative AI spread across different industries (like media, healthcare, and finance) in the six months after ChatGPT's release, using social media data and innovation theory. The study found that different industries had different concerns: media and marketing focused on content generation with positive views, while healthcare and finance were more cautious and focused on analysis. Misinformation was the biggest concern overall, and the research showed that emotional reactions (sentiment) were the main factor driving how quickly information about AI spread between people.
Generative artificial intelligence (GAI, AI systems that create new text, images, or code) is significantly changing how information systems are taught in universities. IS educators are discussing both the benefits and risks of GAI, including concerns about academic integrity (students using AI to cheat), and they are developing recommendations for how to responsibly teach with and about GAI in the classroom.
The article demonstrates how attackers can use crafted prompts to trick AI assistants into running harmful database queries through prompt-to-SQL injection attacks (where malicious instructions hidden in user input cause an AI to generate dangerous database commands). It identifies vulnerabilities in real systems and describes practical defenses including query filtering, rewriting, data preloading, and using another AI model as a security guard.
Fix: The source mentions four explicit defenses: query filtering, query rewriting, data preloading, and large-language-model-based guards (using another AI model to validate or block dangerous queries).
IEEE Xplore (Security & AI Journals)This research paper analyzes how companies that invest in digital technologies, including AI, affect their greenhouse gas emissions and natural resource use. The study found that companies investing in these technologies tend to reduce their emissions and consume fewer natural resources, suggesting that digital tools can help address environmental challenges.
Fix: Version 1.2.11 fixes the issue.
NVD/CVE DatabaseThis paper addresses white-box attacks (scenarios where attackers can see all the inner workings of an encryption system and control the computer it runs on), which are harder to defend against than black-box attacks (where attackers cannot see the implementation). The authors propose a new method to protect symmetric encryption algorithms that use substitution-permutation networks (a common encryption structure that substitutes and rearranges data) by adding secret components to lookup tables, making the encryption stronger without changing the final encrypted message.
Researchers studied how multimodal generative AI systems (AI that creates both text and images) could be misused to generate fake news by testing AI image generators like Stable Diffusion 3 and evaluating whether GPT-4 (a large language model) could detect these false images. The findings show that current AI has both strengths and weaknesses in creating misinformation, and highlight that stronger safeguards, transparent monitoring, and human oversight are needed to prevent AI from spreading false information.
BlindU is a method that allows users to remove their data's influence from trained AI models while keeping that data hidden from the server. Instead of uploading raw data to the server (which creates privacy risks), BlindU lets users create compressed versions of their data locally, and the server performs the removal process only on these compressed versions, making it practical for federated learning (a distributed training setup where data stays on users' devices).
Fix: BlindU implements unlearning through several stated mechanisms: (1) 'the user locally generates privacy-preserving representations, and the server performs unlearning solely on these representations and their labels', (2) use of an information bottleneck mechanism that 'learns representations that distort maximum task-irrelevant information from inputs', (3) 'two dedicated unlearning modules tailored explicitly for IB-based models and uses a multiple gradient descent algorithm to balance forgetting and utility retaining', and (4) 'a noise-free differential privacy masking method to deal with the raw erasing data before compressing' for additional privacy protection.
IEEE Xplore (Security & AI Journals)This research addresses how to remove unwanted information from pre-trained vision models (AI systems trained to understand images) when users or model owners request it, especially when these deletion requests come one after another over time. The researchers propose Group Sparse LoRA (GS-LoRA), a technique that uses Low-Rank Adaptation modules (efficient add-on components that modify specific neural network layers) to selectively forget targeted classes or information while keeping the rest of the model working well, even when some training data is missing.
Fix: The paper proposes two explicit solutions: (1) Group Sparse LoRA (GS-LoRA), which uses Low-Rank Adaptation modules to fine-tune Feed-Forward Network layers in Transformer blocks for each forgetting task independently, combined with group sparse regularization to automatically select and zero out specific LoRA groups. (2) GS-LoRA++, an extension that incorporates prototype information as additional supervision, moving logits (output scores) away from the original prototype of forgotten classes while pulling logits closer to prototypes of remaining classes.
IEEE Xplore (Security & AI Journals)Fix: Ensure all secrets are rotated regularly, including the NEXTAUTH_SECRET or the newer AUTH_SECRET. The source also recommends these detection approaches: log the JWT ID on every session and alert on duplicates from different IP addresses; identify impossible travel by users; monitor for sessions without corresponding login events in auth logs; and watch for off-hours access or unusual user-agent strings.
Embrace The Red