All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
A vulnerability in the Linux kernel's SGX (Software Guard Extensions, a CPU feature that creates isolated execution areas) allows the system to attempt reclaiming memory pages that are already poisoned (marked as corrupted due to hardware errors). When the kernel tries to reclaim these poisoned pages using special CPU instructions like EWB (encrypt and write back), it can trigger machine check errors that crash the system, because SGX instructions cannot safely handle these hardware errors.
Fix: Call sgx_unmark_page_reclaimable() to remove the affected EPC (Enclave Page Cache) page from sgx_active_page_list when a memory error is detected. This prevents the corrupted page from being considered for reclaiming and stops the system from attempting dangerous operations on it.
NVD/CVE DatabaseRoo Code is an AI tool that can write code automatically. Before version 3.22.6, if a user had auto-approved write permissions, an attacker could send prompts to the agent that would modify VS Code settings files (configuration files that control how the editor works) and run malicious code on the user's computer. For example, an attacker could change a PHP validation setting to point to a harmful command, then create a PHP file to execute it.
Hugging Face Transformers versions up to 4.49.0 have a vulnerability in the `image_utils.py` file where URL validation (checking if a URL starts with certain text) can be tricked through URL username injection (adding fake credentials to a URL). Attackers can create fake URLs that look like they're from YouTube but actually point to malicious sites, risking phishing attacks, malware, or stolen data.
A ReDoS vulnerability (regular expression denial of service, where specially crafted text causes a regex pattern to consume excessive CPU) was found in Hugging Face Transformers library version 4.49.0, specifically in code that filters Python try/except blocks. Attackers could exploit this to crash or slow down systems using the library, potentially disrupting model serving or supply chain processes.
A ReDoS vulnerability (regular expression denial of service, where specially crafted input causes a program to use excessive CPU by making the regex engine work inefficiently) was found in the Hugging Face Transformers library version 4.49.0, specifically in a function that reads configuration files. An attacker could send malicious input to make the application slow down or crash by exhausting its computing resources.
A ReDoS vulnerability (regular expression denial of service, where inefficient pattern matching causes a system to slow down or crash) was found in the Hugging Face Transformers library version 4.49.0. The problem is in a regex pattern called `SETTING_RE` that uses inefficient repetition, causing it to take exponentially longer when processing specially crafted input strings, which can make the application unresponsive or crash.
BerriAI litellm version 1.65.4 contains a SQL injection vulnerability (a type of attack where malicious SQL code is inserted into user inputs to manipulate database queries) in the /key/block endpoint. This weakness allows attackers to potentially access or modify database contents through this vulnerable endpoint.
The U.S. Senate voted 99-1 to remove a provision from a Republican bill that would have prevented states from regulating AI if they wanted to receive federal broadband expansion funds. The provision was weakened by Senate rules that limited it to only $500 million in new funding rather than $42.45 billion in total broadband funds, making it less likely states would comply even if it had passed.
A vulnerability exists in Anthropic's deprecated Slack MCP Server (Model Context Protocol Server, a tool that lets AI agents interact with Slack) that allows attackers to steal sensitive data. When an AI agent processes untrusted input, an attacker can trick it into creating messages with malicious links that, when Slack's link preview bots automatically expand them, secretly send private data to the attacker's server without requiring any user action.
The @cyanheads/git-mcp-server (an MCP server, or a tool that lets AI systems interact with Git repositories) has a command injection vulnerability (a flaw where attackers can sneak extra system commands into input) in versions before 2.1.5. Because the server doesn't check user input before running system commands, attackers can execute arbitrary code on the server, or trick an AI client into running unwanted actions through indirect prompt injection (hiding malicious instructions in data the AI reads).
dpkg-deb (a tool that extracts and manages Debian package files) fails to properly set permissions on temporary directories when unpacking package contents, potentially leaving temporary files behind. If an attacker repeatedly sends malicious packages or uses highly compressible files placed in directories that can't be deleted by regular users, this could fill up the disk and cause a denial of service (DoS, a situation where a system becomes unusable due to resource exhaustion).
CVE-2025-6855 is a critical vulnerability in Langchain-Chatchat (a tool built on LLMs) up to version 0.3.1 that allows path traversal (accessing files outside the intended directory) through manipulation of a parameter called 'flag' in the /v1/file endpoint. The vulnerability has been publicly disclosed and could potentially be exploited.
CVE-2025-6854 is a path traversal vulnerability (a flaw that lets attackers access files outside intended directories) in Langchain-Chatchat software versions up to 0.3.1, specifically in a file upload endpoint. The vulnerability can be exploited remotely by attackers with login credentials and has already been publicly disclosed.
CVE-2025-6853 is a critical vulnerability in Langchain-Chatchat version 0.3.1 and earlier that allows attackers to exploit a path traversal (a type of attack where an attacker manipulates file paths to access files outside their intended directory) flaw in the upload_temp_docs backend function by manipulating the flag argument. The vulnerability can be exploited remotely by users with basic access permissions, and the exploit details have been publicly disclosed.
Roo Code is an AI tool that can automatically write code, and it stores settings in a `.roo/mcp.json` file that can execute commands. Before version 3.20.3, an attacker who could trick the AI (through prompt injection, a technique where hidden instructions are embedded in user input) into writing malicious commands to this file could run arbitrary code if the user had enabled automatic approval of file changes. This required multiple conditions: the attacker could submit prompts to the agent, the MCP (model context protocol, a system for connecting AI agents to external tools) feature was enabled, and auto-approval of writes was turned on.
Roo Code, an AI agent that writes code automatically, had a vulnerability (CVE-2025-53097) in versions before 3.20.3 where its file search tool ignored settings that should have blocked it from reading files outside the VS Code workspace (the folder a user is working in). An attacker could use prompt injection (tricking the AI by hiding instructions in its input) to make the agent read sensitive files and send that information over the network without user permission, though this attack required the attacker to already control what prompts the agent receives.
LLaMA-Factory, a library for training large language models, has a remote code execution vulnerability (RCE, where attackers can run malicious code on a victim's computer) in versions up to 0.9.3. Attackers can exploit this by uploading a malicious checkpoint file through the web interface, and the victim won't know they've been compromised because the vulnerable code loads files without proper safety checks.
iOS Simulator MCP Server (ios-simulator-mcp) versions before 1.3.3 have a command injection vulnerability (a security flaw where attackers insert shell commands into input that gets executed). The vulnerability exists because the `ui_tap` tool uses Node.js's `exec` function unsafely, allowing an attacker to trick an LLM through prompt injection (feeding hidden instructions to an AI to make it behave differently) to pass shell metacharacters like `;` or `&&` in parameters, which can execute unintended commands on the server's computer.
Google is automatically enabling its Gemini AI to access third-party apps like WhatsApp on Android devices, overriding previous user settings that blocked such access. Users who want to prevent this must take action, though Google's guidance on how to fully disable Gemini integrations is unclear and confusing, with the company stating that even when Gemini access is blocked, data is still stored for 72 hours.
Fix: According to a Tuta researcher cited in the article, disabling Gemini app activity is likely to prevent data collection beyond the 72-hour temporary storage period. Additionally, if the Gemini app is not already installed on a device, it will not be installed after the change takes effect.
Ars Technica (Security)Fix: Update Roo Code to version 3.22.6 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: The issue is fixed in version 4.52.1. Update Hugging Face Transformers to version 4.52.1 or later.
NVD/CVE DatabaseFix: Update to version 4.51.0, where the vulnerability is fixed.
NVD/CVE DatabaseFix: Update to version 4.51.0, where the issue is resolved.
NVD/CVE DatabaseFix: Update to version 4.51.0 or later, where the issue is fixed.
NVD/CVE DatabaseFix: Update to version 2.1.5, where this issue has been patched.
NVD/CVE DatabaseCyberRisk Alliance and OWASP (Open Worldwide Application Security Project, a non-profit focused on improving software security) announced a partnership to advance education in application security (protecting software from attacks) and AI security. The collaboration will involve creating shared content, hosting events, and conducting research initiatives together.
Fix: Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder.
NVD/CVE DatabaseFix: Upgrade to version 3.20.3 or later. According to the source, "Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace."
NVD/CVE DatabaseFix: Update to version 0.9.4, which contains a fix for the issue.
NVD/CVE DatabaseFix: Update to version 1.3.3, which contains a patch for the issue.
NVD/CVE Database