aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

to
Export CSV
6490 items

CVE-2025-64320: Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Agentforce Vibes Extension allows Co

mediumvulnerability
security
Nov 4, 2025
CVE-2025-64320

CVE-2025-64320 is a code injection vulnerability in Salesforce Agentforce Vibes Extension that occurs because the software doesn't properly filter user input before sending it to an LLM (large language model), allowing attackers to inject malicious code. The vulnerability affects versions before 3.2.0 of the extension.

Fix: Update Salesforce Agentforce Vibes Extension to version 3.2.0 or later.

NVD/CVE Database

CVE-2025-10875: Improper Neutralization of Input Used for LLM Prompting vulnerability in Salesforce Mulesoft Anypoint Code Builder allow

mediumvulnerability
security
Nov 4, 2025
CVE-2025-10875

CVE-2025-10875 is a vulnerability in Salesforce Mulesoft Anypoint Code Builder that allows improper neutralization of input used for LLM prompting (a technique where attackers manipulate AI system instructions through user input), leading to code injection (inserting malicious code into a system). This vulnerability affects versions of the software before 1.11.6.

CVE-2025-12695: The overly permissive sandbox configuration in DSPy allows attackers to steal sensitive files in cases when users build

mediumvulnerability
security
Nov 4, 2025
CVE-2025-12695

CVE-2025-12695 is a vulnerability in DSPy (a framework for building AI agents) where an overly permissive sandbox configuration (a restricted environment meant to limit what code can do) allows attackers to steal sensitive files when users build an AI agent that takes user input and uses the PythonInterpreter class (a tool that runs Python code). The vulnerability stems from improper isolation, meaning the sandbox doesn't adequately separate the untrusted code from the rest of the system.

CVE-2025-12156: The Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One plugin for WordPress is vulnerable to un

mediumvulnerability
security
Nov 4, 2025
CVE-2025-12156

A WordPress plugin called 'Ai Auto Tool Content Writing Assistant' (versions 2.0.7 to 2.2.6) has a security flaw where it doesn't properly check user permissions before allowing the save_post_data() function (a feature that stores post information) to run. This means even low-level users (Subscriber level and above) can create and publish posts they shouldn't be able to, allowing unauthorized modification of website content.

v0.14.7

infonews
industry
Oct 30, 2025

LlamaIndex released version 0.14.7 and several component updates that add new features and fix bugs across the platform. Key updates include integrations with tool-calling features for multiple AI models (Anthropic, Mistral, Ollama), new support for GitHub App authentication, and fixes for failing tests and documentation issues. These changes improve how LlamaIndex connects to different AI services and external tools.

CVE-2025-12060: The keras.utils.get_file API in Keras, when used with the extract=True option for tar archives, is vulnerable to a path

highvulnerability
security
Oct 30, 2025
CVE-2025-12060

Keras, a machine learning library, has a vulnerability in its keras.utils.get_file function when extracting tar archives (compressed file collections). An attacker can create a malicious tar file with special symlinks (shortcuts to files) that, when extracted, writes files anywhere on the system instead of just the intended folder, giving them unauthorized access to overwrite important system files.

MaxDiv: Zero-Shot Machine Unlearning via Distributionally Divergent Erasing Samples

inforesearchPeer-Reviewed
research

CVE-2025-11203: LiteLLM Information health API_KEY Information Disclosure Vulnerability. This vulnerability allows remote attackers to d

highvulnerability
security
Oct 29, 2025
CVE-2025-11203

LiteLLM, a tool that helps developers use different AI models through one interface, has a vulnerability where the health endpoint (a checking tool that monitors system status) improperly exposes API_KEY information (secret credentials used to authenticate requests) to attackers who are already authenticated. An attacker with access could steal these stored credentials and use them to compromise the system further.

CVE-2025-11201: MLflow Tracking Server Model Creation Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows

criticalvulnerability
security
Oct 29, 2025
CVE-2025-11201

MLflow Tracking Server contains a directory traversal (a vulnerability where an attacker uses special path characters like '../' to access files outside the intended directory) vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. The flaw stems from insufficient validation of file paths when handling model creation, letting attackers run commands with the privileges of the service account running MLflow.

CVE-2025-11200: MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to byp

criticalvulnerability
security
Oct 29, 2025
CVE-2025-11200

CVE-2025-11200 is a vulnerability in MLflow that allows remote attackers to bypass authentication (gain access without logging in) because the system has weak password requirements (passwords that are too easy to guess or crack). Attackers can exploit this flaw to access MLflow installations without needing valid credentials.

AI Safety Newsletter #65: Measuring Automation and Superintelligence Moratorium Letter

infonews
policyresearch

CVE-2025-12058: The Keras.Model.load_model method, including when executed with the intended security mitigation safe_mode=True, is vuln

highvulnerability
security
Oct 29, 2025
CVE-2025-12058

CVE-2025-12058 is a vulnerability in Keras (a machine learning library) where the load_model method can be tricked into reading files from a computer's local storage or making network requests to external servers, even when the safe_mode=True security flag is enabled. The problem occurs because the StringLookup layer (a component that converts text into numbers) accepts file paths during model loading, and an attacker can craft a malicious .keras file (a model storage format) to exploit this weakness.

Claude Pirate: Abusing Anthropic's File API For Data Exfiltration

highnews
security
Oct 28, 2025

Anthropic added network request capabilities to Claude's Code Interpreter, which creates a security risk for data exfiltration (unauthorized stealing of sensitive information). An attacker, either controlling the AI model or using indirect prompt injection (hidden malicious instructions in a document the AI processes), could abuse Anthropic's own APIs to steal data that a user has access to, rather than using typical methods like hidden links.

A Systematic Literature Review on SWOT Analysis of Prompt Engineering Techniques

inforesearchPeer-Reviewed
research

CVE-2025-40058: In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Disallow dirty tracking if incoherent p

infovulnerability
security
Oct 28, 2025
CVE-2025-40058

A Linux kernel vulnerability (CVE-2025-40058) affects Intel VT-d IOMMU (input/output memory management unit, a hardware component that manages memory access for devices) dirty page tracking. Dirty page tracking requires the IOMMU and CPU to keep memory synchronized, but if the IOMMU's page walk (the process of reading memory structure tables) is incoherent (not synchronized), the tracking fails and can cause non-recoverable faults. The fix prevents this misconfiguration by only enabling SSADS (support for dirty tracking) when both ecap_slads and ecap_smpwc hardware capabilities are present.

Lightweight Reparameterizable Integral Neural Networks for Mobile Applications

inforesearchPeer-Reviewed
research

CVE-2025-8709: A SQL injection vulnerability exists in the langchain-ai/langchain repository, specifically in the LangGraph's SQLite st

criticalvulnerability
security
Oct 26, 2025
CVE-2025-8709

A SQL injection vulnerability (a type of attack where an attacker inserts malicious SQL code into an application) exists in LangGraph's SQLite storage system, specifically in version 2.0.10 of langgraph-checkpoint-sqlite. The vulnerability happens because the code directly combines user input with SQL commands instead of safely separating them, allowing attackers to steal sensitive data like passwords and API keys, and bypass security protections.

v0.14.6

lownews
security
Oct 25, 2025

LlamaIndex v0.14.6 is a software update released on October 26, 2025, that fixes various bugs across multiple components including support for parallel tool calls, metadata handling, embedding format compatibility, and SQL injection vulnerabilities (using parameterized queries instead of raw SQL string concatenation). The release also adds new features like async support for retrievers and integrations with new services like Helicone.

CVE-2025-62612: FastGPT is an AI Agent building platform. Prior to version 4.11.1, in the workflow file reading node, the network link i

mediumvulnerability
security
Oct 22, 2025
CVE-2025-62612

FastGPT, an AI Agent building platform, had a vulnerability in its workflow file reading node where network links were not properly verified, creating a risk of SSRF attacks (server-side request forgery, where an attacker tricks the server into making unwanted requests to other systems). The vulnerability affected versions before 4.11.1.

CVE-2025-11844: Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function loca

highvulnerability
security
Oct 22, 2025
CVE-2025-11844

Hugging Face Smolagents version 1.20.0 has an XPath injection vulnerability (a security flaw where attackers can inject malicious code into XPath queries, which are used to search and navigate document structures) in its web browser function. The vulnerability exists because user input is directly inserted into XPath queries without being cleaned, allowing attackers to bypass search filters, access unintended data, and disrupt automated web tasks.

Previous239 / 325Next

Fix: Update Mulesoft Anypoint Code Builder to version 1.11.6 or later.

NVD/CVE Database
NVD/CVE Database
NVD/CVE Database
LlamaIndex Security Releases

Fix: Upgrade Keras to version 3.12 or later. The source notes that upgrading Python alone (even to versions like Python 3.13.4 that fix the underlying CVE-2025-4517 vulnerability) is not sufficient; the Keras upgrade is also required.

NVD/CVE Database
privacy
Oct 30, 2025

This article presents MaxDiv, a technique for machine unlearning, which is the process of removing specific knowledge from an AI model after training to protect privacy, even when the original training data is no longer available. MaxDiv works by creating special synthetic data samples that have opposite characteristics to the data being forgotten, and it uses knowledge distillation (a technique where a model learns to replicate another model's behavior) to ensure important information isn't accidentally lost during the unlearning process.

IEEE Xplore (Security & AI Journals)
NVD/CVE Database
NVD/CVE Database

Fix: A patch is available at the following GitHub commit: https://github.com/mlflow/mlflow/commit/1f74f3f24d8273927b8db392c23e108576936c54

NVD/CVE Database
Oct 29, 2025

A new benchmark called the Remote Labor Index (RLI) measures whether AI systems can automate real computer work tasks across different professions, showing that current AI agents can only fully automate 2.5% of projects despite improving over time. Additionally, over 50,000 people, including top scientists and Nobel laureates, signed an open letter calling for a moratorium (temporary ban) on developing superintelligence (a hypothetical AI system far more capable than humans) until it can be proven safe and controllable.

CAIS AI Safety Newsletter
NVD/CVE Database
Embrace The Red
Oct 28, 2025

This article reviews prompt engineering (the practice of designing inputs like questions or instructions to guide AI systems toward better responses) and analyzes its strengths, weaknesses, opportunities, and threats using a SWOT framework. The review covers how prompt engineering can improve interactions with large language models (advanced AI systems trained on vast amounts of text) across industries like healthcare and education, while also identifying challenges around maintaining accuracy and efficiency.

IEEE Xplore (Security & AI Journals)

Fix: Mark SSADS as supported only when both ecap_slads and ecap_smpwc are supported, preventing the IOMMU from being incorrectly configured for dirty page tracking when operating in incoherent mode.

NVD/CVE Database
Oct 27, 2025

This paper presents RINNs (reparameterizable integral neural networks), a new type of AI model designed to run efficiently on mobile devices with limited computing power. The key innovation is a reparameterization strategy that converts the complex mathematical structure used during training into a simpler feed-forward structure (a straightforward sequence of processing steps) at inference time, allowing these models to achieve high accuracy (79.1%) while running very fast (0.87 milliseconds) on mobile hardware.

IEEE Xplore (Security & AI Journals)
NVD/CVE Database

Fix: The source explicitly mentions one security fix: 'Replace raw SQL string interpolation with proper SQLAlchemy parameterized APIs in PostgresKVStore' (llama-index-storage-kvstore-postgres #20104). Users should update to v0.14.6 to receive this and other bug fixes. No other specific mitigation steps are described in the release notes.

LlamaIndex Security Releases

Fix: Update FastGPT to version 4.11.1 or later, as this issue has been patched in that version.

NVD/CVE Database

Fix: The issue is fixed in version 1.22.0. Users should upgrade Hugging Face Smolagents to version 1.22.0 or later.

NVD/CVE Database