aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

to
Export CSV
6518 items

Security Advisory: Anthropic's Slack MCP Server Vulnerable to Data Exfiltration

highnews
securitysafety
Jun 24, 2025

Anthropic's Slack MCP Server (a tool that lets AI agents interact with Slack) has a vulnerability where it doesn't disable link unfurling, a feature that automatically previews hyperlinks in messages. An attacker can use prompt injection (tricking an AI by hiding instructions in its input) to make an AI agent post a malicious link to Slack, which then leaks sensitive data like API keys to the attacker's server when Slack's systems automatically fetch the preview.

Embrace The Red

CVE-2025-52882: Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium)

highvulnerability
security
Jun 24, 2025
CVE-2025-52882

Claude Code is an AI-powered coding assistant available as extensions in popular coding editors (IDEs, or integrated development environments, which are software tools developers use to write code). Versions before 1.0.24 for VSCode and before 0.1.9 for JetBrains IDEs have a security flaw that lets attackers connect to the tool without permission when users visit malicious websites, potentially allowing them to read files, see what code you're working on, or even run code in certain situations.

CVE-2025-6206: The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is

highvulnerability
security
Jun 24, 2025
CVE-2025-6206

The Aiomatic WordPress plugin (versions up to 2.5.0) has a security flaw where it doesn't properly check what type of files users are uploading, allowing authenticated attackers with basic user access to upload harmful files to the server. This could potentially lead to RCE (remote code execution, where an attacker can run commands on a system they don't own), though an attacker needs to provide a Stability.AI API key value to exploit it.

CVE-2025-2828: A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community pa

criticalvulnerability
security
Jun 23, 2025
CVE-2025-2828

A Server-Side Request Forgery (SSRF, a vulnerability where an AI system makes unwanted requests to internal or local servers on behalf of an attacker) vulnerability exists in the RequestsToolkit component of the langchain-community package version 0.0.27. The flaw allows attackers to scan ports, access local services, steal cloud credentials, and interact with local network servers because the toolkit doesn't block requests to internal addresses.

AI Risk Report: Fast-Growing Threats in AI Runtime

infonews
securitysafety

CVE-2025-52967: gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.

mediumvulnerability
security
Jun 23, 2025
CVE-2025-52967

MLflow versions before 3.1.0 have a vulnerability in the gateway_proxy_handler component where it fails to properly validate the gateway_path parameter, potentially allowing SSRF (server-side request forgery, where an attacker tricks the server into making unwanted requests to internal systems). This validation gap could be exploited to access resources the attacker shouldn't be able to reach.

CVE-2025-52552: FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable t

mediumvulnerability
security
Jun 20, 2025
CVE-2025-52552

FastGPT, an AI Agent building platform, has a vulnerability in versions before 4.9.12 where the LastRoute parameter on the login page is not properly validated or cleaned of malicious code. This allows attackers to perform open redirect (sending users to attacker-controlled websites) or DOM-based XSS (injecting malicious JavaScript that runs in the user's browser).

CVE-2025-5963: The Postbox's configuration on macOS, specifically the presence of entitlements: "com.apple.security.cs.allow-dyld-envir

infovulnerability
security
Jun 20, 2025
CVE-2025-5963

A vulnerability in Postbox on macOS (CVE-2025-5963) allows local attackers to inject malicious code through environment variables like DYLD_INSERT_LIBRARIES, exploiting security settings that disable library validation. The injected code can bypass TCC (Transparency, Consent, and Control, which is macOS's permission system) but is limited to access that the user has already granted to the application. Since Postbox is no longer maintained and the acquiring company did not cooperate with security researchers, no patch or update is available.

CVE-2025-5255: The Phoenix Code's configuration on macOS, specifically the presence of entitlements: "com.apple.security.cs.allow-dyld-

infovulnerability
security
Jun 20, 2025
CVE-2025-5255

Phoenix Code on macOS has a security weakness where certain entitlements (special permissions) allow dylib injection, which means an attacker with basic system access can secretly load malicious code into applications and bypass TCC (Transparency, Consent, and Control, Apple's permission system). The injected code can only access resources the user previously allowed, though accessing new resources requires user confirmation through a system prompt.

CVE-2022-50055: In the Linux kernel, the following vulnerability has been resolved: iavf: Fix adminq error handling iavf_alloc_asq_buf

mediumvulnerability
security
Jun 18, 2025
CVE-2022-50055

A bug in the Linux kernel's iavf driver caused memory leaks when the driver shut down, because it wasn't properly freeing DMA memory (memory allocated for direct communication between the CPU and a network card) that was used for the VF mailbox (a communication channel between a virtual network function and its parent device). This left orphaned memory blocks that the system couldn't reclaim.

CVE-2025-5141: A binary in the BoKS Server Agent component of Fortra's Core Privileged Access Manager (BoKS) on versions 7.2.0 (up to 7

mediumvulnerability
security
Jun 17, 2025
CVE-2025-5141

CVE-2025-5141 is a vulnerability in Fortra's BoKS (a privileged access manager, which is software that controls who can access sensitive systems) that allows low-privilege local users (people with basic access to a computer) to read cached data (temporarily stored information) on affected versions of the software running on Linux, AIX, and Solaris systems. The vulnerability affects BoKS versions 7.2.0 through 7.2.0.17, 8.1.0 through 8.1.0.22, 8.1.1 through 8.1.1.7, 9.0.0 through 9.0.0.1, and older BoKS 7.2 installations without a specific hotfix (security patch) number 0474.

The Cost of Being Wordy: Detecting Resource-Draining Prompts

infonews
securityresearch

AI Safety Newsletter #57: The RAISE Act

inforegulatory
policy
Jun 17, 2025

New York's legislature passed the RAISE Act (Responsible AI Safety and Education Act), which would regulate frontier AI systems (the largest, most powerful AI models) if signed into law. The act requires developers of expensive AI models to publish safety plans, withhold unreasonably risky models from release, report safety incidents within 72 hours, and face penalties up to $10 million for violations.

Why Join the EU AI Scientific Panel?

inforegulatory
policy
Jun 16, 2025

The European Commission is recruiting up to 60 independent experts for a scientific panel to advise on general-purpose AI (GPAI, large AI models designed for many tasks) under the EU AI Act. The panel will assess systemic risks (widespread dangers affecting multiple countries or many users), classify AI models, and issue alerts when AI systems pose significant dangers to Europe. Applicants need a PhD in a relevant field, proven AI research experience, and independence from AI companies, with the deadline set for September 14th.

Security Spotlight: AppSec to AI, a Security Engineer's Journey

infonews
securityresearch

CVE-2025-49150: Cursor is a code editor built for programming with AI. Prior to 0.51.0, by default, the setting json.schemaDownload.enab

mediumvulnerability
security
Jun 11, 2025
CVE-2025-49150

Cursor, a code editor designed for AI-assisted programming, had a security flaw in versions before 0.51.0 where JSON files could automatically trigger web requests without user approval. An attacker could exploit this, especially after a prompt injection attack (tricking the AI with hidden instructions in its input), to make the AI agent send data to a malicious website.

CVE-2025-32711: Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.

criticalvulnerability
security
Jun 11, 2025
CVE-2025-32711

CVE-2025-32711 is a command injection vulnerability (a weakness where an attacker tricks a program into running unintended commands) in Microsoft 365 Copilot that allows an unauthorized attacker to disclose information over a network. The vulnerability has a CVSS severity score of 4.0 (a moderate rating on a 0-10 scale where 10 is most severe). Microsoft has published information about this vulnerability, but the provided source does not contain specific technical details about the attack or its impact.

CVE-2025-31052: Deserialization of Untrusted Data vulnerability in themeton The Fashion - Model Agency One Page Beauty Theme allows Obje

criticalvulnerability
security
Jun 9, 2025
CVE-2025-31052

A deserialization of untrusted data vulnerability (CWE-502, a weakness where an application processes data from an untrusted source without checking it first) was found in The Fashion - Model Agency One Page Beauty Theme for WordPress, affecting versions up to 1.4.4. This vulnerability allows object injection (inserting malicious objects into the application), which could let attackers execute unintended code or actions.

CVE-2025-49131: FastGPT is an open-source project that provides a platform for building, deploying, and operating AI-driven workflows an

mediumvulnerability
security
Jun 9, 2025
CVE-2025-49131

FastGPT is an open-source platform for building AI workflows and chatbots that uses a sandbox (an isolated container designed to safely run untrusted code). Versions before 4.9.11 had weak isolation that allowed attackers to escape the sandbox by using overly permissive syscalls (system calls, which are requests programs make to the operating system), letting them read files, modify files, and bypass security restrictions. The vulnerability is fixed in version 4.9.11 by limiting which system calls are allowed to a safer set.

Promises and Perils of Generative AI in Cybersecurity

inforesearchPeer-Reviewed
security
Previous257 / 326Next

Fix: Claude released a patch on June 13th, 2025. For VSCode and similar editors, open Extensions (View->Extensions), find Claude Code for VSCode, and update or uninstall any version prior to 1.0.24, then restart the editor. For JetBrains IDEs (IntelliJ, PyCharm, Android Studio), open the Plugins list, find Claude Code [Beta], update or uninstall any version prior to 0.1.9, and restart the IDE. The extension auto-updates when launched, but users should manually verify they have the patched version.

NVD/CVE Database
NVD/CVE Database

Fix: This issue has been fixed in version 0.0.28. Users should upgrade langchain-ai/langchain to version 0.0.28 or later.

NVD/CVE Database
Jun 23, 2025

Runtime attacks on large language models are rapidly increasing, with jailbreak techniques (methods that bypass AI safety restrictions) and denial-of-service exploits (attacks that make systems unavailable) becoming more sophisticated and widely shared through open-source platforms like GitHub. The report explains that these attacks have evolved from isolated research experiments into organized toolkits accessible to threat actors, affecting production AI deployments across enterprises.

Protect AI Blog

Fix: Upgrade MLflow to version 3.1.0 or later. The fix is available in the official release at https://github.com/mlflow/mlflow/releases/tag/v3.1.0.

NVD/CVE Database

Fix: Update FastGPT to version 4.9.12 or later, where this issue has been patched.

NVD/CVE Database
NVD/CVE Database

Fix: This issue was fixed in commit 0c75fb57f89d0b7d9b180026bc2624b7dcf807da

NVD/CVE Database

Fix: Free DMA regions for both ASQ and ARQ (the send and receive queues for the mailbox) in case an error happens during configuration of ASQ/ARQ registers, instead of leaving them allocated.

NVD/CVE Database
NVD/CVE Database
Jun 17, 2025

Attackers can exploit large language models (LLMs) through "sponge attacks," which are denial of service (DoS) attacks that craft prompts designed to generate extremely long outputs, exhausting the model's resources and degrading performance. Researchers are developing methods to predict how long an LLM's response will be based on a given prompt, creating an early warning system to detect and prevent these resource-draining attacks.

Protect AI Blog
CAIS AI Safety Newsletter
EU AI Act Updates
Jun 12, 2025

This article compares traditional application security (AppSec) practices with AI security, noting that familiar principles like input validation and authentication apply to both, but AI systems introduce unique risks. New attack types specific to AI, such as prompt injection (tricking an AI by hiding instructions in its input), model poisoning (tampering with training data), and membership inference attacks (determining if specific data was in training), require security engineers to develop new defensive strategies beyond traditional code-level vulnerability management.

Protect AI Blog

Fix: The vulnerability is fixed in version 0.51.0. Users should update to this version or later.

NVD/CVE Database
NVD/CVE Database
NVD/CVE Database

Fix: Update to version 4.9.11 or later. According to the source, this version patches the vulnerability by restricting the allowed system calls to a safer subset and adding additional descriptive error messaging.

NVD/CVE Database
research
Jun 9, 2025

Generative AI (AI systems that create new text, code, or images) is a double-edged sword in cybersecurity, helping both defenders and attackers. The case study of a fictional insurance company shows how GenAI can be used to launch cyberattacks (malicious attempts to breach computer systems) and also to defend against them, creating a difficult choice for IT leaders about whether to use AI as a defensive tool or risk falling behind attackers who already have it.

AIS eLibrary (Journal of AIS, CAIS, etc.)