aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

to
Export CSV
6498 items

AdU-Net: Adaptive Dilated U-Net for Glacial Lake Region Detection and Outburst Risk Assessment Using Satellite Imagery

inforesearchPeer-Reviewed
research
Sep 10, 2025

Glacial lake outburst floods (GLOFs, sudden releases of water from glacial lakes that threaten communities) are dangerous, and detecting them early requires accurate identification of glacial lakes and assessment of their risk. Researchers developed AdU-Net, a framework combining a dilated U-Net (a type of neural network architecture for image analysis) with a vision transformer encoder to identify glacial lakes in satellite imagery, and then used a modified spiking neural network (SNN, a type of AI model that processes information similarly to how neurons communicate) to analyze how the risk of outbursts changes over time.

IEEE Xplore (Security & AI Journals)

CVE-2025-59046: The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branc

criticalvulnerability
security
Sep 9, 2025
CVE-2025-59046

The npm package `interactive-git-checkout` (a command-line tool for switching between git branches) has a command injection vulnerability (a flaw where attackers can run malicious commands by inserting code into input fields) in versions up to 1.1.4 because it doesn't properly check the branch name before passing it to the git command.

CVE-2025-58756: MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, in

highvulnerability
security
Sep 8, 2025
CVE-2025-58756

MONAI, an AI toolkit for medical imaging, has a deserialization vulnerability (unsafe unpickling, where untrusted data is converted back into executable code) in versions up to 1.5.0 when loading pre-trained model checkpoints from external sources. While one part of the code uses secure loading (`weights_only=True`), other parts load checkpoints insecurely, allowing attackers to execute malicious code if a checkpoint contains intentionally crafted harmful data.

Dual Thinking and Logical Processing in Human Vision and Multimodal Large Language Models

inforesearchPeer-Reviewed
research

CVE-2025-58374: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a def

highvulnerability
security
Sep 5, 2025
CVE-2025-58374

Roo Code is an AI tool that helps developers write code directly in their editors, but versions 3.25.23 and older have a security flaw where npm install (a command that downloads and sets up code packages) is automatically approved without asking the user first. If a malicious repository's package.json file contains a postinstall script (code that runs automatically during package installation), it could execute harmful commands on the user's computer without their knowledge or consent.

CVE-2025-58373: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vul

mediumvulnerability
security
Sep 5, 2025
CVE-2025-58373

Roo Code is an AI tool that helps developers write code directly in their editor, but versions 3.25.23 and earlier have a security flaw where attackers can bypass .rooignore (a file that tells Roo Code which files to ignore) using symlinks (shortcuts that point to other files). This allows someone with write access to the workspace to trick Roo Code into reading sensitive files like passwords or configuration files that should have been hidden.

CVE-2025-58372: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vul

highvulnerability
security
Sep 5, 2025
CVE-2025-58372

Roo Code is an AI tool that automatically writes code in your editor, but versions 3.25.23 and earlier have a security flaw where workspace configuration files (.code-workspace files that store project settings) aren't properly protected. An attacker using prompt injection (tricking the AI by hiding malicious instructions in its input) could trick the agent into writing harmful settings that execute as code when you reopen your project, potentially giving the attacker control of your computer.

CVE-2025-58371: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.26.6 and below, a Github w

criticalvulnerability
security
Sep 5, 2025
CVE-2025-58371

Roo Code is an AI tool that helps developers write code automatically within their editors. In versions 3.26.6 and earlier, a Github workflow (an automated process that runs tasks in a repository) used unsanitized pull request metadata (information that wasn't checked for malicious content) in a privileged context, allowing attackers to execute arbitrary commands on the Actions runner (a computer that runs automated tasks) through RCE (remote code execution, where an attacker can run commands on a system they don't own). This could let attackers steal secrets, modify code, or completely compromise the repository.

CVE-2025-58370: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions below 3.26.0 contain a vulnerab

highvulnerability
security
Sep 5, 2025
CVE-2025-58370

Roo Code is an AI tool that automatically writes code in your editor, but versions before 3.26.0 have a security flaw in how it parses commands (reads and interprets instructions). If someone configures the tool to automatically run commands without checking them first, an attacker could trick it into running extra harmful commands by manipulating the input the AI receives.

CVE-2025-58829: Server-Side Request Forgery (SSRF) vulnerability in aitool Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGP

mediumvulnerability
security
Sep 5, 2025
CVE-2025-58829

A server-side request forgery vulnerability (SSRF, a flaw where an attacker tricks a server into making unwanted requests to other systems) was discovered in the aitool Ai Auto Tool Content Writing Assistant plugin for WordPress, affecting versions up to 2.2.6. This vulnerability allows attackers to exploit the plugin's ability to make requests on the server's behalf, potentially accessing internal systems or data.

CVE-2025-58401: Obsidian GitHub Copilot Plugin versions prior to 1.1.7 store Github API token in cleartext form. As a result, an attacke

mediumvulnerability
security
Sep 5, 2025
CVE-2025-58401

The Obsidian GitHub Copilot Plugin (a tool that integrates GitHub's AI code assistant into the Obsidian note-taking app) has a security flaw in versions before 1.1.7 where it stores GitHub API tokens (authentication credentials that allow access to a GitHub account) in cleartext (unencrypted, readable text). This means an attacker who gains access to a user's computer could steal these tokens and perform unauthorized actions on their GitHub account.

CVE-2025-6984: The langchain-ai/langchain project, specifically the EverNoteLoader component, is vulnerable to XML External Entity (XXE

highvulnerability
security
Sep 4, 2025
CVE-2025-6984

The EverNoteLoader component in langchain-ai/langchain version 0.3.63 has a security flaw that allows XXE (XML External Entity) attacks, where an attacker tricks the XML parser into reading external files by embedding special references in XML input. This could expose sensitive system files like password lists to an attacker.

CVE-2025-58357: 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Version 0.13.2 con

criticalvulnerability
security
Sep 4, 2025
CVE-2025-58357

5ire version 0.13.2, a desktop AI assistant and model context protocol client (software that lets AI models interact with external tools), contains a vulnerability that allows content injection attacks (inserting malicious code into web pages) through multiple routes including malicious prompts, compromised servers, and exploited tool connections. This vulnerability is fixed in version 0.14.0.

CVE-2025-9959: Incomplete validation of dunder attributes allows an attacker to escape from the Local Python execution environment sand

highvulnerability
security
Sep 3, 2025
CVE-2025-9959

CVE-2025-9959 is a vulnerability in smolagents (a Python agent library) where incomplete validation of dunder attributes (special Python variables with double underscores, like __import__) allows an attacker to escape the sandbox (a restricted execution environment) if they use prompt injection (tricking the AI into executing malicious commands). The attack requires the attacker to manipulate the agent's input to make it create and run harmful code.

Watermarking Language Models Through Language Models

inforesearchPeer-Reviewed
research

Wrap Up: The Month of AI Bugs

infonews
securityresearch

AgentHopper: An AI Virus

highnews
securityresearch

Online Safety Analysis for LLMs: A Benchmark, an Assessment, and a Path Forward

inforesearchPeer-Reviewed
safety

Windsurf MCP Integration: Missing Security Controls Put Users at Risk

mediumnews
securitysafety

AI Safety Newsletter #62: Big Tech Launches $100 Million pro-AI Super PAC

inforegulatory
policysafety
Previous248 / 325Next

Fix: Commit 8dd832dd302af287a61611f4f85e157cd1c6bb41 fixes the issue. Users should update to a version that includes this commit.

NVD/CVE Database
NVD/CVE Database
safety
Sep 8, 2025

Researchers studied how humans use two types of thinking (fast intuitive processing and slower logical reasoning) when looking at images, and tested whether AI systems like multimodal large language models (MLLMs, which process both text and images together) have similar abilities. They found that while MLLMs have improved at correcting intuitive errors, they still struggle with logical processing tasks that require deeper analysis, and segmentation models (AI systems that identify objects in images) make errors similar to human intuitive mistakes rather than using logical reasoning.

IEEE Xplore (Security & AI Journals)

Fix: This is fixed in version 3.26.0.

NVD/CVE Database

Fix: This is fixed in version 3.26.0.

NVD/CVE Database

Fix: Update to version 3.26.0 or later, which fixes this issue.

NVD/CVE Database

Fix: Update to version 3.26.7.

NVD/CVE Database

Fix: Update to version 3.26.0 or later.

NVD/CVE Database
NVD/CVE Database

Fix: Update the Obsidian GitHub Copilot Plugin to version 1.1.7 or later.

NVD/CVE Database
NVD/CVE Database

Fix: Update to version 0.14.0, which contains the fix for this vulnerability.

NVD/CVE Database
NVD/CVE Database
security
Sep 2, 2025

Researchers developed a new method for watermarking LLM outputs (adding hidden markers to prove ownership and track content) using a three-part system that works only through input prompts, without needing access to the model's internal parameters. The approach uses one AI to create watermarking instructions, another to generate marked outputs, and a third to detect the watermarks, making it work across different LLM types including both proprietary and open-source models.

IEEE Xplore (Security & AI Journals)
Aug 30, 2025

This post wraps up a series of research articles documenting security vulnerabilities found in various AI tools and code assistants during a month-long investigation. The vulnerabilities included prompt injection (tricking an AI by hiding instructions in its input), data exfiltration (stealing sensitive information), and remote code execution (RCE, where attackers can run commands on systems they don't control) across tools like ChatGPT, Claude, GitHub Copilot, and others.

Embrace The Red
Aug 29, 2025

AgentHopper is a proof-of-concept attack that demonstrates how indirect prompt injection (hidden instructions in code that trick AI agents into running unintended commands) can spread like a computer virus across multiple AI coding agents and code repositories. The attack works by compromising one agent, injecting malicious prompts into GitHub repositories, and then infecting other developers' agents when they pull and process the infected code. The researchers note that all vulnerabilities exploited by AgentHopper have been responsibly disclosed and patched by vendors including GitHub Copilot, Amazon Q, AWS Kiro, and others.

Fix: The source text states that 'All vulnerabilities mentioned in this research were responsibly disclosed and have been patched by the respective vendors.' Specific patched vulnerabilities include: GitHub Copilot (CVE-2025-53773), Amazon Q Developer, AWS Kiro, and Amp Code. The source also mentions a 'Safety Switch' feature was implemented 'to avoid accidents,' though the explanation is incomplete in the provided text.

Embrace The Red
research
Aug 29, 2025

This research creates a benchmark and evaluation framework for online safety analysis of LLMs, which involves detecting unsafe outputs while the AI is generating text rather than after it finishes. The study tests various safety detection methods on different LLMs and finds that combining multiple methods together, called hybridization, can improve safety detection effectiveness. The work aims to help developers choose appropriate safety methods for their specific applications.

IEEE Xplore (Security & AI Journals)
Aug 28, 2025

Windsurf's MCP (Model Context Protocol, a system that connects AI agents to external tools) integration lacks fine-grained security controls that would let users decide which actions the AI can perform automatically versus which ones need human approval before running. This is especially risky when the AI agent runs on a user's local computer, where it could have access to sensitive files and system functions.

Embrace The Red
Aug 27, 2025

Big Tech companies like Andreessen Horowitz and OpenAI are investing over $100 million in political organizations called super PACs (groups that can raise unlimited money to influence elections) to fight against AI regulations in U.S. elections. Additionally, Meta faced bipartisan congressional criticism after internal documents revealed its AI chatbots were permitted to engage in romantic and sensual conversations with minors, though Meta removed these policy sections when questioned.

CAIS AI Safety Newsletter