All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
CVE-2025-51480 is a path traversal vulnerability (a flaw where attackers use special sequences like '../' to access files outside intended directories) in ONNX 1.17.0's save_external_data function that allows attackers to overwrite arbitrary files by supplying malicious file paths. The vulnerability bypasses the intended directory restrictions that should prevent this kind of file manipulation.
Fix: Patches are available through pull requests #6959 and #7040 on the ONNX GitHub repository (https://github.com/onnx/onnx/pull/6959 and https://github.com/onnx/onnx/pull/7040).
NVD/CVE DatabaseCVE-2025-51863 is a self XSS (cross-site scripting, where an attacker tricks a user into running malicious code on a website by injecting it into the page) vulnerability in ChatGPT Unli that was present through May 26, 2025. The vulnerability allows attackers to execute arbitrary code (run any commands they want) by uploading a specially crafted SVG file (a type of image format) to the chat interface.
Chaindesk has a stored XSS vulnerability (cross-site scripting, where malicious code is saved and runs in users' browsers) in its chat feature through May 26, 2025. An attacker can trick the AI agent's system prompt (the instructions that control how an LLM behaves) to output harmful scripts that execute when users view conversations, potentially stealing session tokens (security credentials that prove who you are) and taking over accounts.
CVE-2025-49747 is a missing authorization vulnerability (a flaw where a system fails to properly check if a user has permission to perform an action) in Azure Machine Learning that allows someone who already has some access to the system to gain elevated privileges, or higher levels of access, over a network.
CVE-2025-49746 is a vulnerability in Azure Machine Learning where improper authorization (CWE-285, a flaw in how the system checks who is allowed to do what) allows someone who already has legitimate access to gain higher-level privileges over a network. This is categorized as a privilege escalation attack, where an authorized user exploits a weakness to gain permissions they shouldn't normally have.
CVE-2025-47995 is a vulnerability in Azure Machine Learning that involves weak authentication (a system that doesn't properly verify user identity), allowing someone who already has some access to gain elevated privileges (higher-level permissions) over a network. The vulnerability has a CVSS 4.0 severity rating, though a full assessment from NIST has not yet been provided.
A Linux kernel bug in epoll (a system for monitoring multiple file descriptors) allows a use-after-free vulnerability (accessing memory that has already been freed) when the reference count is decremented before releasing a mutex (a lock that ensures only one thread accesses code at a time). The problem occurs when multiple threads drop their references nearly simultaneously, allowing one thread to free the memory while another is still using the mutex to clean up.
GPT-SoVITS-WebUI, a tool for voice conversion and text-to-speech, has an unsafe deserialization vulnerability (CWE-502, a weakness where untrusted data is converted back into executable code) in versions 20250228v3 and earlier. The vulnerability exists in process_ckpt.py, where user input for a model file path is passed directly to torch.load without validation, allowing attackers to potentially execute arbitrary code. The vulnerability has a CVSS score (severity rating) of 8.9, indicating it is highly severe.
CVT-2025-49840 is an unsafe deserialization vulnerability (CWE-502, a security flaw where a program processes untrusted data without checking it first) in GPT-SoVITS-WebUI, a tool for voice conversion and text-to-speech. In versions 20250228v3 and earlier, the software unsafely loads user-provided model files using torch.load, allowing attackers to potentially execute malicious code. The vulnerability has a CVSS score (severity rating) of 8.9, indicating high risk.
GPT-SoVITS-WebUI, a tool for converting voices and generating speech from text, has a vulnerability in versions 20250228v3 and earlier where user input (like a file path) is passed directly to torch.load, a function that can execute malicious code when loading files. An attacker could exploit this by providing a specially crafted model file that runs unauthorized code on the system.
GPT-SoVITS-WebUI (a tool for converting voices and creating speech from text) has a vulnerability in versions 20250228v3 and earlier where user input for model file paths is passed unsafely to torch.load, a function that reads model files. This unsafe deserialization (loading files without proper security checks) could allow attackers to execute malicious code by providing a specially crafted model file.
GPT-SoVITS-WebUI, a tool for converting voices and generating speech from text, has an unsafe deserialization vulnerability (a flaw where untrusted data is converted back into code objects, potentially allowing attackers to run malicious code) in versions 20250228v3 and earlier. The vulnerability occurs because user-supplied file paths are directly passed to torch.load, a function that can execute arbitrary code during the deserialization process.
DSpace, an open-source application for storing and accessing digital files, has a vulnerability in versions before 7.6.4, 8.2, and 9.1 where it doesn't properly disable XML External Entity (XXE) injection, a technique where attackers embed malicious code in XML files to read sensitive files or steal data from the server). The vulnerability affects both the command-line import tool and the web interface's batch import feature, but only administrators can trigger it by importing archive files.
A ReDoS (regular expression denial of service, where carefully designed text input causes a regex pattern to consume excessive CPU) vulnerability was found in the Hugging Face Transformers library's DonutProcessor class, affecting versions 4.50.3 and earlier. The vulnerable regex pattern can be exploited through crafted input strings to cause the system to slow down or crash, disrupting document processing tasks that use the Donut model.
A WordPress plugin called 'Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery' has a vulnerability called Stored Cross-Site Scripting (XSS, where an attacker can hide malicious code in a webpage that runs when others view it) in versions up to 26.0.8. Attackers with Author-level permissions or higher can inject harmful scripts through the upload title field because the plugin doesn't properly clean and secure user input.
CVE-2025-7021 is a vulnerability in OpenAI Operator SaaS on Web where an attacker can trick users into entering sensitive information like login credentials by creating a fake fullscreen interface that mimics browser controls and hides security warnings. The attacker overlays distracting elements (such as a fake cookie consent screen) to obscure notifications and deceive users into interacting with the malicious site. This vulnerability has a CVSS score of 6.9 (MEDIUM severity).
CVE-2025-38341 is a double free vulnerability (a bug where memory is freed twice, causing crashes or security issues) in the Linux kernel's fbnic ethernet driver that occurs when a function called fbnic_mbx_map_msg() fails to DMA-map (transfer data to hardware memory) a firmware message. The vulnerability arises because the function's design expects callers to free the message themselves on error, but some code paths may incorrectly free the message twice.
Fix: Fix this by moving the ep refcount dropping to outside the mutex, since the refcount itself is atomic (thread-safe without locks) and doesn't need mutex protection. As the source states: 'the refcount itself is atomic, and doesn't need mutex protection (that's the whole _point_ of refcounts: unlike mutexes, they are inherently about object lifetimes).'
NVD/CVE DatabaseMeta's new Llama 4 models (Scout and Maverick) were tested for security vulnerabilities using Protect AI's Recon tool, which runs 450+ attack prompts across six categories including jailbreaks (attempts to make AI ignore safety rules), prompt injection (tricking an AI by hiding instructions in its input), and evasion (using obfuscation to hide malicious requests). Both models received medium-risk scores (Scout: 58/100, Maverick: 52/100), with Scout showing particular vulnerability to jailbreak attacks at 67.3% success rate, though Maverick demonstrated better overall resilience.
Fix: The source explicitly states: 'The fix is included in DSpace 7.6.4, 8.2, and 9.1. Please upgrade to one of these versions.' For organizations unable to upgrade immediately, the source mentions: 'it is possible to manually patch the DSpace backend' and recommends administrators 'carefully inspect any SAF archives (they did not construct themselves) before importing' and 'affected external services can be disabled to mitigate the ability for payloads to be delivered via external service APIs.'
NVD/CVE DatabaseThe EU published a General-Purpose AI Code of Practice in July 2025 to clarify how AI developers should comply with the EU AI Act's safety requirements, which had been ambiguously worded. The Code establishes a three-step framework for identifying, analyzing, and determining whether systemic risks (including CBRN threats, loss of control, cyber attacks, and harmful manipulation) are acceptable before deploying large AI models, along with requirements for continuous monitoring and incident reporting.
Fix: The EU General-Purpose AI Code of Practice provides a structured approach requiring GPAI providers to: (1) Identify potential systemic risks in four categories (CBRN, loss of control, cyber offense capabilities, and harmful manipulation), (2) Analyze each risk using model evaluations and third-party evaluators when necessary, (3) Determine whether risks are acceptable and implement safety and security mitigations if not, and (4) conduct continuous monitoring after deployment with strict incident reporting timelines.
CAIS AI Safety NewsletterIn Q2 2025, attackers exploited GPT-4.1 by embedding malicious hidden instructions within tool descriptions, a technique called tool poisoning (hiding harmful prompts inside the text that describes what a tool does). When the AI interacted with these poisoned tools, it unknowingly executed unauthorized actions and leaked sensitive data without the user's knowledge.
Fix: The source explicitly mentions these mitigations: implement strict validation and sanitization of tool descriptions, establish permissions and access controls for tool integrations, monitor AI behavior for anomalies during tool execution, and educate developers on secure integration practices. Developers must validate third-party tools and ensure descriptions are free of hidden prompts, and IT teams should audit AI tool integrations and monitor for unusual activity.
OWASP GenAI SecurityFix: Update the Hugging Face Transformers library to version 4.52.1 or later, as this version contains the fix for the vulnerability.
NVD/CVE DatabaseFix: The Linux kernel project has released patches to fix this vulnerability. Three patch commits are available: https://git.kernel.org/stable/c/0a211e23852019ef55c70094524e87a944accbb5, https://git.kernel.org/stable/c/5bd1bafd4474ee26f504b41aba11f3e2a1175b88, and https://git.kernel.org/stable/c/670179265ad787b9fd8e701601914618b8927755. Users should apply the appropriate kernel update containing one of these patches.
NVD/CVE Database