All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Glacial lake outburst floods (GLOFs, sudden releases of water from glacial lakes that threaten communities) are dangerous, and detecting them early requires accurate identification of glacial lakes and assessment of their risk. Researchers developed AdU-Net, a framework combining a dilated U-Net (a type of neural network architecture for image analysis) with a vision transformer encoder to identify glacial lakes in satellite imagery, and then used a modified spiking neural network (SNN, a type of AI model that processes information similarly to how neurons communicate) to analyze how the risk of outbursts changes over time.
The npm package `interactive-git-checkout` (a command-line tool for switching between git branches) has a command injection vulnerability (a flaw where attackers can run malicious commands by inserting code into input fields) in versions up to 1.1.4 because it doesn't properly check the branch name before passing it to the git command.
MONAI, an AI toolkit for medical imaging, has a deserialization vulnerability (unsafe unpickling, where untrusted data is converted back into executable code) in versions up to 1.5.0 when loading pre-trained model checkpoints from external sources. While one part of the code uses secure loading (`weights_only=True`), other parts load checkpoints insecurely, allowing attackers to execute malicious code if a checkpoint contains intentionally crafted harmful data.
Roo Code is an AI tool that helps developers write code directly in their editors, but versions 3.25.23 and older have a security flaw where npm install (a command that downloads and sets up code packages) is automatically approved without asking the user first. If a malicious repository's package.json file contains a postinstall script (code that runs automatically during package installation), it could execute harmful commands on the user's computer without their knowledge or consent.
Roo Code is an AI tool that helps developers write code directly in their editor, but versions 3.25.23 and earlier have a security flaw where attackers can bypass .rooignore (a file that tells Roo Code which files to ignore) using symlinks (shortcuts that point to other files). This allows someone with write access to the workspace to trick Roo Code into reading sensitive files like passwords or configuration files that should have been hidden.
Roo Code is an AI tool that automatically writes code in your editor, but versions 3.25.23 and earlier have a security flaw where workspace configuration files (.code-workspace files that store project settings) aren't properly protected. An attacker using prompt injection (tricking the AI by hiding malicious instructions in its input) could trick the agent into writing harmful settings that execute as code when you reopen your project, potentially giving the attacker control of your computer.
Roo Code is an AI tool that helps developers write code automatically within their editors. In versions 3.26.6 and earlier, a Github workflow (an automated process that runs tasks in a repository) used unsanitized pull request metadata (information that wasn't checked for malicious content) in a privileged context, allowing attackers to execute arbitrary commands on the Actions runner (a computer that runs automated tasks) through RCE (remote code execution, where an attacker can run commands on a system they don't own). This could let attackers steal secrets, modify code, or completely compromise the repository.
Roo Code is an AI tool that automatically writes code in your editor, but versions before 3.26.0 have a security flaw in how it parses commands (reads and interprets instructions). If someone configures the tool to automatically run commands without checking them first, an attacker could trick it into running extra harmful commands by manipulating the input the AI receives.
A server-side request forgery vulnerability (SSRF, a flaw where an attacker tricks a server into making unwanted requests to other systems) was discovered in the aitool Ai Auto Tool Content Writing Assistant plugin for WordPress, affecting versions up to 2.2.6. This vulnerability allows attackers to exploit the plugin's ability to make requests on the server's behalf, potentially accessing internal systems or data.
The Obsidian GitHub Copilot Plugin (a tool that integrates GitHub's AI code assistant into the Obsidian note-taking app) has a security flaw in versions before 1.1.7 where it stores GitHub API tokens (authentication credentials that allow access to a GitHub account) in cleartext (unencrypted, readable text). This means an attacker who gains access to a user's computer could steal these tokens and perform unauthorized actions on their GitHub account.
The EverNoteLoader component in langchain-ai/langchain version 0.3.63 has a security flaw that allows XXE (XML External Entity) attacks, where an attacker tricks the XML parser into reading external files by embedding special references in XML input. This could expose sensitive system files like password lists to an attacker.
5ire version 0.13.2, a desktop AI assistant and model context protocol client (software that lets AI models interact with external tools), contains a vulnerability that allows content injection attacks (inserting malicious code into web pages) through multiple routes including malicious prompts, compromised servers, and exploited tool connections. This vulnerability is fixed in version 0.14.0.
CVE-2025-9959 is a vulnerability in smolagents (a Python agent library) where incomplete validation of dunder attributes (special Python variables with double underscores, like __import__) allows an attacker to escape the sandbox (a restricted execution environment) if they use prompt injection (tricking the AI into executing malicious commands). The attack requires the attacker to manipulate the agent's input to make it create and run harmful code.
Fix: Commit 8dd832dd302af287a61611f4f85e157cd1c6bb41 fixes the issue. Users should update to a version that includes this commit.
NVD/CVE DatabaseResearchers studied how humans use two types of thinking (fast intuitive processing and slower logical reasoning) when looking at images, and tested whether AI systems like multimodal large language models (MLLMs, which process both text and images together) have similar abilities. They found that while MLLMs have improved at correcting intuitive errors, they still struggle with logical processing tasks that require deeper analysis, and segmentation models (AI systems that identify objects in images) make errors similar to human intuitive mistakes rather than using logical reasoning.
Fix: This is fixed in version 3.26.0.
NVD/CVE DatabaseFix: This is fixed in version 3.26.0.
NVD/CVE DatabaseFix: Update to version 3.26.0 or later, which fixes this issue.
NVD/CVE DatabaseFix: Update to version 3.26.7.
NVD/CVE DatabaseFix: Update to version 3.26.0 or later.
NVD/CVE DatabaseFix: Update the Obsidian GitHub Copilot Plugin to version 1.1.7 or later.
NVD/CVE DatabaseFix: Update to version 0.14.0, which contains the fix for this vulnerability.
NVD/CVE DatabaseResearchers developed a new method for watermarking LLM outputs (adding hidden markers to prove ownership and track content) using a three-part system that works only through input prompts, without needing access to the model's internal parameters. The approach uses one AI to create watermarking instructions, another to generate marked outputs, and a third to detect the watermarks, making it work across different LLM types including both proprietary and open-source models.
This post wraps up a series of research articles documenting security vulnerabilities found in various AI tools and code assistants during a month-long investigation. The vulnerabilities included prompt injection (tricking an AI by hiding instructions in its input), data exfiltration (stealing sensitive information), and remote code execution (RCE, where attackers can run commands on systems they don't control) across tools like ChatGPT, Claude, GitHub Copilot, and others.
AgentHopper is a proof-of-concept attack that demonstrates how indirect prompt injection (hidden instructions in code that trick AI agents into running unintended commands) can spread like a computer virus across multiple AI coding agents and code repositories. The attack works by compromising one agent, injecting malicious prompts into GitHub repositories, and then infecting other developers' agents when they pull and process the infected code. The researchers note that all vulnerabilities exploited by AgentHopper have been responsibly disclosed and patched by vendors including GitHub Copilot, Amazon Q, AWS Kiro, and others.
Fix: The source text states that 'All vulnerabilities mentioned in this research were responsibly disclosed and have been patched by the respective vendors.' Specific patched vulnerabilities include: GitHub Copilot (CVE-2025-53773), Amazon Q Developer, AWS Kiro, and Amp Code. The source also mentions a 'Safety Switch' feature was implemented 'to avoid accidents,' though the explanation is incomplete in the provided text.
Embrace The RedThis research creates a benchmark and evaluation framework for online safety analysis of LLMs, which involves detecting unsafe outputs while the AI is generating text rather than after it finishes. The study tests various safety detection methods on different LLMs and finds that combining multiple methods together, called hybridization, can improve safety detection effectiveness. The work aims to help developers choose appropriate safety methods for their specific applications.
Windsurf's MCP (Model Context Protocol, a system that connects AI agents to external tools) integration lacks fine-grained security controls that would let users decide which actions the AI can perform automatically versus which ones need human approval before running. This is especially risky when the AI agent runs on a user's local computer, where it could have access to sensitive files and system functions.
Big Tech companies like Andreessen Horowitz and OpenAI are investing over $100 million in political organizations called super PACs (groups that can raise unlimited money to influence elections) to fight against AI regulations in U.S. elections. Additionally, Meta faced bipartisan congressional criticism after internal documents revealed its AI chatbots were permitted to engage in romantic and sensual conversations with minors, though Meta removed these policy sections when questioned.