All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Anthropic's Slack MCP Server (a tool that lets AI agents interact with Slack) has a vulnerability where it doesn't disable link unfurling, a feature that automatically previews hyperlinks in messages. An attacker can use prompt injection (tricking an AI by hiding instructions in its input) to make an AI agent post a malicious link to Slack, which then leaks sensitive data like API keys to the attacker's server when Slack's systems automatically fetch the preview.
Claude Code is an AI-powered coding assistant available as extensions in popular coding editors (IDEs, or integrated development environments, which are software tools developers use to write code). Versions before 1.0.24 for VSCode and before 0.1.9 for JetBrains IDEs have a security flaw that lets attackers connect to the tool without permission when users visit malicious websites, potentially allowing them to read files, see what code you're working on, or even run code in certain situations.
The Aiomatic WordPress plugin (versions up to 2.5.0) has a security flaw where it doesn't properly check what type of files users are uploading, allowing authenticated attackers with basic user access to upload harmful files to the server. This could potentially lead to RCE (remote code execution, where an attacker can run commands on a system they don't own), though an attacker needs to provide a Stability.AI API key value to exploit it.
A Server-Side Request Forgery (SSRF, a vulnerability where an AI system makes unwanted requests to internal or local servers on behalf of an attacker) vulnerability exists in the RequestsToolkit component of the langchain-community package version 0.0.27. The flaw allows attackers to scan ports, access local services, steal cloud credentials, and interact with local network servers because the toolkit doesn't block requests to internal addresses.
MLflow versions before 3.1.0 have a vulnerability in the gateway_proxy_handler component where it fails to properly validate the gateway_path parameter, potentially allowing SSRF (server-side request forgery, where an attacker tricks the server into making unwanted requests to internal systems). This validation gap could be exploited to access resources the attacker shouldn't be able to reach.
FastGPT, an AI Agent building platform, has a vulnerability in versions before 4.9.12 where the LastRoute parameter on the login page is not properly validated or cleaned of malicious code. This allows attackers to perform open redirect (sending users to attacker-controlled websites) or DOM-based XSS (injecting malicious JavaScript that runs in the user's browser).
A vulnerability in Postbox on macOS (CVE-2025-5963) allows local attackers to inject malicious code through environment variables like DYLD_INSERT_LIBRARIES, exploiting security settings that disable library validation. The injected code can bypass TCC (Transparency, Consent, and Control, which is macOS's permission system) but is limited to access that the user has already granted to the application. Since Postbox is no longer maintained and the acquiring company did not cooperate with security researchers, no patch or update is available.
Phoenix Code on macOS has a security weakness where certain entitlements (special permissions) allow dylib injection, which means an attacker with basic system access can secretly load malicious code into applications and bypass TCC (Transparency, Consent, and Control, Apple's permission system). The injected code can only access resources the user previously allowed, though accessing new resources requires user confirmation through a system prompt.
A bug in the Linux kernel's iavf driver caused memory leaks when the driver shut down, because it wasn't properly freeing DMA memory (memory allocated for direct communication between the CPU and a network card) that was used for the VF mailbox (a communication channel between a virtual network function and its parent device). This left orphaned memory blocks that the system couldn't reclaim.
CVE-2025-5141 is a vulnerability in Fortra's BoKS (a privileged access manager, which is software that controls who can access sensitive systems) that allows low-privilege local users (people with basic access to a computer) to read cached data (temporarily stored information) on affected versions of the software running on Linux, AIX, and Solaris systems. The vulnerability affects BoKS versions 7.2.0 through 7.2.0.17, 8.1.0 through 8.1.0.22, 8.1.1 through 8.1.1.7, 9.0.0 through 9.0.0.1, and older BoKS 7.2 installations without a specific hotfix (security patch) number 0474.
New York's legislature passed the RAISE Act (Responsible AI Safety and Education Act), which would regulate frontier AI systems (the largest, most powerful AI models) if signed into law. The act requires developers of expensive AI models to publish safety plans, withhold unreasonably risky models from release, report safety incidents within 72 hours, and face penalties up to $10 million for violations.
The European Commission is recruiting up to 60 independent experts for a scientific panel to advise on general-purpose AI (GPAI, large AI models designed for many tasks) under the EU AI Act. The panel will assess systemic risks (widespread dangers affecting multiple countries or many users), classify AI models, and issue alerts when AI systems pose significant dangers to Europe. Applicants need a PhD in a relevant field, proven AI research experience, and independence from AI companies, with the deadline set for September 14th.
Cursor, a code editor designed for AI-assisted programming, had a security flaw in versions before 0.51.0 where JSON files could automatically trigger web requests without user approval. An attacker could exploit this, especially after a prompt injection attack (tricking the AI with hidden instructions in its input), to make the AI agent send data to a malicious website.
CVE-2025-32711 is a command injection vulnerability (a weakness where an attacker tricks a program into running unintended commands) in Microsoft 365 Copilot that allows an unauthorized attacker to disclose information over a network. The vulnerability has a CVSS severity score of 4.0 (a moderate rating on a 0-10 scale where 10 is most severe). Microsoft has published information about this vulnerability, but the provided source does not contain specific technical details about the attack or its impact.
A deserialization of untrusted data vulnerability (CWE-502, a weakness where an application processes data from an untrusted source without checking it first) was found in The Fashion - Model Agency One Page Beauty Theme for WordPress, affecting versions up to 1.4.4. This vulnerability allows object injection (inserting malicious objects into the application), which could let attackers execute unintended code or actions.
FastGPT is an open-source platform for building AI workflows and chatbots that uses a sandbox (an isolated container designed to safely run untrusted code). Versions before 4.9.11 had weak isolation that allowed attackers to escape the sandbox by using overly permissive syscalls (system calls, which are requests programs make to the operating system), letting them read files, modify files, and bypass security restrictions. The vulnerability is fixed in version 4.9.11 by limiting which system calls are allowed to a safer set.
Fix: Claude released a patch on June 13th, 2025. For VSCode and similar editors, open Extensions (View->Extensions), find Claude Code for VSCode, and update or uninstall any version prior to 1.0.24, then restart the editor. For JetBrains IDEs (IntelliJ, PyCharm, Android Studio), open the Plugins list, find Claude Code [Beta], update or uninstall any version prior to 0.1.9, and restart the IDE. The extension auto-updates when launched, but users should manually verify they have the patched version.
NVD/CVE DatabaseFix: This issue has been fixed in version 0.0.28. Users should upgrade langchain-ai/langchain to version 0.0.28 or later.
NVD/CVE DatabaseRuntime attacks on large language models are rapidly increasing, with jailbreak techniques (methods that bypass AI safety restrictions) and denial-of-service exploits (attacks that make systems unavailable) becoming more sophisticated and widely shared through open-source platforms like GitHub. The report explains that these attacks have evolved from isolated research experiments into organized toolkits accessible to threat actors, affecting production AI deployments across enterprises.
Fix: Upgrade MLflow to version 3.1.0 or later. The fix is available in the official release at https://github.com/mlflow/mlflow/releases/tag/v3.1.0.
NVD/CVE DatabaseFix: Update FastGPT to version 4.9.12 or later, where this issue has been patched.
NVD/CVE DatabaseFix: This issue was fixed in commit 0c75fb57f89d0b7d9b180026bc2624b7dcf807da
NVD/CVE DatabaseFix: Free DMA regions for both ASQ and ARQ (the send and receive queues for the mailbox) in case an error happens during configuration of ASQ/ARQ registers, instead of leaving them allocated.
NVD/CVE DatabaseAttackers can exploit large language models (LLMs) through "sponge attacks," which are denial of service (DoS) attacks that craft prompts designed to generate extremely long outputs, exhausting the model's resources and degrading performance. Researchers are developing methods to predict how long an LLM's response will be based on a given prompt, creating an early warning system to detect and prevent these resource-draining attacks.
This article compares traditional application security (AppSec) practices with AI security, noting that familiar principles like input validation and authentication apply to both, but AI systems introduce unique risks. New attack types specific to AI, such as prompt injection (tricking an AI by hiding instructions in its input), model poisoning (tampering with training data), and membership inference attacks (determining if specific data was in training), require security engineers to develop new defensive strategies beyond traditional code-level vulnerability management.
Fix: The vulnerability is fixed in version 0.51.0. Users should update to this version or later.
NVD/CVE DatabaseFix: Update to version 4.9.11 or later. According to the source, this version patches the vulnerability by restricting the allowed system calls to a safer subset and adding additional descriptive error messaging.
NVD/CVE DatabaseGenerative AI (AI systems that create new text, code, or images) is a double-edged sword in cybersecurity, helping both defenders and attackers. The case study of a fictional insurance company shows how GenAI can be used to launch cyberattacks (malicious attempts to breach computer systems) and also to defend against them, creating a difficult choice for IT leaders about whether to use AI as a defensive tool or risk falling behind attackers who already have it.