aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

to
Export CSV
6518 items

CVE-2025-50472: The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untruste

criticalvulnerability
security
Aug 1, 2025
CVE-2025-50472

The modelscope/ms-swift library up to version 2.6.1 has a critical vulnerability where it unsafely deserializes (reconstructs objects from saved data) untrusted files using pickle.load(), a Python function that can run arbitrary code during deserialization. Attackers can exploit this by tricking users into loading a malicious checkpoint file during model training, executing code on their machine while keeping the training process running normally so the user doesn't notice the attack.

NVD/CVE Database

Exfiltrating Your ChatGPT Chat History and Memories With Prompt Injection

highnews
securityprivacy

CVE-2025-7725: The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Str

highvulnerability
security
Aug 1, 2025
CVE-2025-7725

A WordPress plugin called 'Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery' has a stored cross-site scripting vulnerability (XSS, a security flaw where attackers inject malicious code into a website that runs when others visit it) in its comment feature through version 26.1.0. Because the plugin doesn't properly clean and validate user input, unauthenticated attackers can inject harmful scripts that will execute for anyone viewing the affected pages.

AI Safety Newsletter #60: The AI Action Plan

inforegulatory
policysafety

Overview of Guidelines for GPAI Models

inforegulatory
policy
Jul 30, 2025

On July 18, 2025, the European Commission released draft Guidelines that explain how the EU AI Act applies to General Purpose AI models (GPAI, which are flexible AI systems that can handle many different tasks). The Guidelines define GPAI models based on a compute threshold (10²³ FLOPs, or floating point operations, a measure combining model size and training data size), require providers to document their models and report serious incidents, and impose stricter obligations on very large models trained with 10²⁵ FLOPs or more. Providers of these large models must notify the Commission within two weeks and can request reassessment of their systemic risk classification if they provide evidence the model is not actually risky.

Overview of the Code of Practice

inforegulatory
policy
Jul 30, 2025

The Code of Practice is a framework that helps developers of General Purpose AI models (large AI systems designed for many different tasks) comply with EU AI Act requirements, though following it is voluntary. New GPAI models released after August 2, 2025 must comply immediately, while older models have until August 2, 2027, with enforcement actions delayed until August 2, 2026 to give developers time to adjust.

CVE-2025-54430: dedupe is a python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution qui

criticalvulnerability
security
Jul 30, 2025
CVE-2025-54430

The dedupe Python library (which uses machine learning for fuzzy matching, deduplication, and entity resolution on structured data) had a critical vulnerability in its GitHub Actions workflow that allowed attackers to trigger code execution by commenting @benchmark on pull requests, potentially exposing the GITHUB_TOKEN (a credential that grants access to modify repository contents) and leading to repository takeover.

CVE-2025-54381: BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1

criticalvulnerability
security
Jul 29, 2025
CVE-2025-54381

BentoML versions 1.4.0 to 1.4.19 have an SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making requests to internal or restricted addresses) in their file upload feature. An unauthenticated attacker can exploit this to force the server to download files from any URL, including internal network addresses and cloud metadata endpoints (services that store sensitive information), without any validation.

CVE-2025-46059: langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component.

criticalvulnerability
security
Jul 29, 2025
CVE-2025-46059

LangChain AI version 0.3.51 contains an indirect prompt injection vulnerability (a technique where attackers hide malicious instructions in data like emails to trick AI systems) in its GmailToolkit component that could allow attackers to run arbitrary code through crafted emails. However, the supplier disputes this, arguing the actual vulnerability comes from user code that doesn't follow LangChain's security guidelines rather than from LangChain itself.

Teleportation: Defense Against Stealing Attacks of Data-Driven Healthcare APIs

inforesearchPeer-Reviewed
security

The Month of AI Bugs 2025

infonews
securityresearch

CVE-2025-5120: A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the

criticalvulnerability
security
Jul 27, 2025
CVE-2025-5120

A sandbox escape vulnerability (a security flaw allowing code to break out of a restricted execution environment) was found in huggingface/smolagents version 1.14.0 that lets attackers bypass safety restrictions and achieve remote code execution (RCE, running commands on a system they don't own). The flaw is in the local_python_executor.py module, which failed to properly block Python code execution even though it had safety checks in place.

CVE-2025-54413: skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below co

highvulnerability
security
Jul 26, 2025
CVE-2025-54413

skops is a Python library for sharing scikit-learn machine learning models. Versions 0.11.0 and below have a flaw in MethodNode that allows attackers to access unexpected object fields using dot notation, potentially leading to arbitrary code execution (running any code on a system) when loading a model file.

CVE-2025-54412: skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below co

highvulnerability
security
Jul 26, 2025
CVE-2025-54412

skops is a Python library for sharing scikit-learn (a machine learning toolkit) based models. Versions 0.11.0 and below have a flaw in the OperatorFuncNode component that allows attackers to hide the execution of untrusted code, potentially leading to arbitrary code execution (running any commands on a system). This vulnerability can be exploited through code reuse attacks that make unsafe functions appear trustworthy.

CVE-2025-38427: In the Linux kernel, the following vulnerability has been resolved: video: screen_info: Relocate framebuffers behind PC

mediumvulnerability
security
Jul 25, 2025
CVE-2025-38427

A Linux kernel vulnerability allowed invalid access to graphics memory (framebuffer) when PCI host bridges relocated memory addresses during boot. The fix applies PCI address offsets to the framebuffer information stored in screen_info (a kernel data structure tracking display memory locations) so the kernel uses the correct updated memory addresses instead of the original boot-time addresses.

CVE-2025-54558: OpenAI Codex CLI before 0.9.0 auto-approves ripgrep (aka rg) execution even with the --pre or --hostname-bin or --search

mediumvulnerability
security
Jul 25, 2025
CVE-2025-54558

OpenAI Codex CLI versions before 0.9.0 have a security flaw where ripgrep (a command-line search tool) can be executed automatically without requiring user approval, even when security flags like --pre, --hostname-bin, or --search-zip are used. This means an attacker could potentially run ripgrep commands without proper user consent.

CVE-2025-7780: The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including,

mediumvulnerability
security
Jul 24, 2025
CVE-2025-7780

The AI Engine WordPress plugin (a tool that adds AI features to WordPress websites) has a security flaw in versions up to 2.9.4 where the simpleTranscribeAudio endpoint (a connection point for audio transcription) fails to check what types of file locations are allowed before accessing files. This allows attackers with basic user access to read any file on the web server and steal it through the plugin's OpenAI integration (connection to OpenAI's service).

CVE-2025-54377: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.23.18 and below, RooCode d

highvulnerability
security
Jul 23, 2025
CVE-2025-54377

Roo Code is an AI coding agent that runs inside code editors, but versions 3.23.18 and earlier have a vulnerability where it doesn't check for line breaks in commands, allowing attackers to bypass the allow-list (a list of approved commands) by hiding extra commands on new lines. The tool only checks the first line of input when deciding whether to run a command, so attackers can inject additional malicious commands after a line break.

OWASP Agentic AI Taxonomy in Action: From Theory to Tools

inforesearchIndustry
security

CVE-2025-51471: Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authen

mediumvulnerability
security
Jul 22, 2025
CVE-2025-51471

Ollama version 0.6.7 has a cross-domain token exposure vulnerability (CVE-2025-51471) in its authentication system where attackers can steal authentication tokens and bypass access controls by sending a malicious realm value in a WWW-Authenticate header (a standard web authentication response) through the /api/pull endpoint. This allows remote attackers, who don't need existing access, to gain unauthorized entry to the system.

Previous254 / 326Next
Aug 1, 2025

A researcher discovered that ChatGPT's 'safe URL' feature, which is supposed to prevent data theft, can be bypassed using prompt injection (tricking an AI by hiding malicious instructions in its input). By exploiting this bypass, an attacker can trick ChatGPT into sending sensitive information like your chat history and memories to a server they control, especially if you ask ChatGPT to process untrusted content like PDFs or websites.

Embrace The Red
NVD/CVE Database
Jul 31, 2025

The Trump Administration released an AI Action Plan with policies across three areas: accelerating innovation, building infrastructure, and international leadership. While the plan primarily focuses on speeding up US AI development, it also includes several AI safety policies such as investing in AI interpretability (how AI systems make decisions), building evaluation systems to test AI safety, strengthening cybersecurity, and controlling exports of powerful AI chips.

CAIS AI Safety Newsletter
EU AI Act Updates
EU AI Act Updates

Fix: This is fixed by commit 3f61e79.

NVD/CVE Database

Fix: Upgrade to version 1.4.19 or later, which contains a patch for the issue.

NVD/CVE Database
NVD/CVE Database
research
Jul 29, 2025

This research addresses the problem of stealing attacks against healthcare APIs (application programming interfaces, which are tools that let software systems communicate with each other), where attackers try to copy or extract data from medical AI models. The authors propose a defense strategy called "adaptive teleportation" that modifies incoming queries (requests) in clever ways to fool attackers while still allowing legitimate users to get accurate results from the healthcare API.

Fix: The source proposes 'adaptive teleportation of incoming queries' as the defense mechanism. According to the text, 'The adaptive teleportation operations are generated based on the formulated bi-level optimization target and follows the evolution trajectory depicted by the Wasserstein gradient flows, which effectively push attacking queries to cross decision boundary while constraining the deviation level of benign queries.' This approach 'provides misleading information on malicious queries while preserving model utility.' The authors validated this mechanism on three healthcare prediction tasks (inhospital mortality, bleed risk, and ischemic risk prediction) and found it 'significantly more effective to suppress the performance of cloned model while maintaining comparable serving utility compared to existing defense approaches.'

IEEE Xplore (Security & AI Journals)
Jul 28, 2025

The Month of AI Bugs 2025 is an initiative to expose security vulnerabilities in agentic AI systems (AI that can take actions on its own), particularly coding agents, through responsible disclosure and public education. The campaign will publish over 20 blog posts demonstrating exploits, including prompt injection (tricking an AI by hiding malicious instructions in its input) attacks that can allow attackers to compromise a developer's computer without permission. While some vendors have fixed reported vulnerabilities quickly, others have ignored reports for months or stopped responding, and many appear uncertain how to address novel AI security threats.

Embrace The Red

Fix: The issue is resolved in version 1.17.0.

NVD/CVE Database

Fix: This is fixed in version 12.0.0. Users should update to version 12.0.0 or later.

NVD/CVE Database

Fix: Update to version 0.12.0, where this vulnerability is fixed.

NVD/CVE Database

Fix: The helper function pcibios_bus_to_resource() performs the relocation of the screen_info framebuffer resource, and commit 78aa89d1dfba ("firmware/sysfb: Update screen_info for relocated EFI framebuffers") added code to update screen_info with the corrected addresses. This approach mirrors similar existing functionality in efifb (the EFI framebuffer driver).

NVD/CVE Database

Fix: Update OpenAI Codex CLI to version 0.9.0 or later.

NVD/CVE Database
NVD/CVE Database

Fix: This is fixed in version 3.23.19.

NVD/CVE Database
policy
Jul 22, 2025

OWASP's Agentic Security Initiative has created a taxonomy (a classification system for threats and their fixes) that is now being used in real developer tools like PENSAR, SPLX.AI Agentic Radar, and AI&ME to help teams build and test secure agentic AI systems (AI systems that can take actions autonomously). This taxonomy is also informing the development of OWASP's Top 10 for Agentic AI, a list of the most critical security risks in this area.

OWASP GenAI Security
NVD/CVE Database