aisecwatch.com
DashboardVulnerabilitiesNewsResearchArchiveStatsDatasetFor devs
Subscribe
aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Navigation

VulnerabilitiesNewsResearchDigest ArchiveNewsletter ArchiveSubscribeData SourcesStatisticsDatasetAPIIntegrationsWidgetRSS Feed

Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

to
Export CSV
6518 items

How to Operationalize Responsible Use of Artificial Intelligence

inforesearchPeer-Reviewed
policyresearch
Jun 9, 2025

As AI development has grown rapidly, organizations struggle with how to actually put responsible AI practices into action beyond just making promises about it. This article describes how two organizations created a five-phase process to embed responsibility pledges (formal commitments to use AI ethically) into their daily practices using a systems approach (treating responsibility as interconnected parts of the whole organization rather than isolated efforts).

AIS eLibrary (Journal of AIS, CAIS, etc.)

Hosting COM Servers with an MCP Server

mediumnews
security
Jun 9, 2025

The mcp-com-server is a tool that connects the Model Context Protocol (MCP, a standard for AI systems to interact with external tools) to COM (Component Object Model, Microsoft's decades-old system for sharing functionality across programs on Windows). This allows an AI like Claude to automate Windows and Office tasks, such as creating Excel files and sending emails, by dynamically discovering and controlling COM objects. The main security risk is that COM can access dangerous operations like file system access, so the server uses an allowlist (a list of approved COM objects that are permitted to run) to restrict which COM objects can be instantiated.

CVE-2025-49619: Skyvern through 0.1.85 is vulnerable to server-side template injection (SSTI) in the Prompt field of workflow blocks suc

highvulnerability
security
Jun 7, 2025
CVE-2025-49619EPSS: 66.4%

CVE-2025-5018: The Hive Support plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing cap

highvulnerability
security
Jun 6, 2025
CVE-2025-5018

The Hive Support plugin for WordPress has a security flaw in versions up to 1.2.4 where two functions lack capability checks (security checks that verify user permissions). This allows attackers with basic Subscriber-level accounts to read and change the site's OpenAI API key, inspect data, and modify how the AI chatbot behaves.

Balancing Velocity and Vulnerability with llamafile

infonews
securitysafety

CVE-2025-48957: AstrBot is a large language model chatbot and development framework. A path traversal vulnerability present in versions

highvulnerability
security
Jun 2, 2025
CVE-2025-48957

AstrBot, a chatbot and development framework powered by large language models (LLMs, AI systems trained on large amounts of text data), has a path traversal vulnerability (a flaw that lets attackers access files they shouldn't be able to reach) in versions 3.4.4 through 3.5.12 that could expose sensitive information like API keys (credentials used to access external services) and passwords. The vulnerability was fixed in version 3.5.13.

CVE-2025-48944: vLLM is an inference and serving engine for large language models (LLMs). In version 0.8.0 up to but excluding 0.9.0, th

mediumvulnerability
security
May 30, 2025
CVE-2025-48944

vLLM (a system for running and serving large language models) versions 0.8.0 through 0.9.0 have a vulnerability where the /v1/chat/completions API endpoint doesn't properly check user input in the 'pattern' and 'type' fields when the tools feature is used, allowing a single malformed request to crash the inference worker (the part that actually runs the model) until someone restarts it.

CVE-2025-48943: vLLM is an inference and serving engine for large language models (LLMs). Version 0.8.0 up to but excluding 0.9.0 have a

mediumvulnerability
security
May 30, 2025
CVE-2025-48943

CVE-2025-48943 is a Denial of Service vulnerability (a type of attack that crashes a system) in vLLM versions 0.8.0 through 0.8.x that causes the server to crash when given an invalid regex (a pattern used to match text). This happens specifically when using the structured output feature, which lets the AI format responses in a specific way.

CVE-2025-48942: vLLM is an inference and serving engine for large language models (LLMs). In versions 0.8.0 up to but excluding 0.9.0, h

mediumvulnerability
security
May 30, 2025
CVE-2025-48942

vLLM (an inference and serving engine for large language models) versions 0.8.0 through 0.8.x have a vulnerability where sending an invalid JSON schema as a parameter to the /v1/completions API endpoint causes the server to crash. This happens because the application doesn't properly handle (catch) exceptions that occur when processing malformed input.

CVE-2025-48887: vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDo

mediumvulnerability
security
May 30, 2025
CVE-2025-48887

vLLM, a software system that runs and serves large language models, has a vulnerability in how it parses tool commands that can be exploited to crash or slow down the service. The problem comes from using an overly complex pattern-matching rule (regular expression with nested quantifiers, optional groups, and inner repetitions) that can cause the system to get stuck processing certain inputs, leading to severe performance problems.

CVE-2025-48889: Gradio is an open-source Python package that allows quick building of demos and web application for machine learning mod

mediumvulnerability
security
May 30, 2025
CVE-2025-48889

Gradio is an open-source Python package for building machine learning demos and web applications. Before version 5.31.0, a vulnerability in its flagging feature let unauthenticated attackers copy any readable file from the server's filesystem, which could cause DoS (denial of service, where a system becomes unavailable) by copying massive files to fill up disk space, though attackers couldn't actually read the copied files.

CVE-2025-48491: Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in

highvulnerability
security
May 30, 2025
CVE-2025-48491

CVE-2025-48491 is a vulnerability in Project AI, a platform for creating AI agents, where a hardcoded API key (a secret credential stored directly in the code rather than kept separate) was exposed in versions before the pre-beta release. This means attackers could potentially find and misuse this key to access the system without proper authorization.

CVE-2025-46722: vLLM is an inference and serving engine for large language models (LLMs). In versions starting from 0.7.0 to before 0.9.

mediumvulnerability
security
May 29, 2025
CVE-2025-46722

vLLM (a system for running large language models) versions 0.7.0 through 0.8.x have a bug in how they create hash values (fingerprints) for images. The hashing method only looks at the raw pixel data and ignores important image properties like width and height, so two different-sized images with the same pixels would create identical hash values. This can cause the system to incorrectly reuse cached results or expose data it shouldn't.

CVE-2025-46570: vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is p

lowvulnerability
security
May 29, 2025
CVE-2025-46570

vLLM, an inference and serving engine for large language models, had a vulnerability in versions before 0.9.0 where timing differences in the PageAttention mechanism (a feature that speeds up processing by reusing matching text chunks) were large enough that attackers could detect and exploit them. This type of attack is called a timing side-channel attack, where an attacker learns information by measuring how long operations take.

CVE-2025-5320: A vulnerability classified as problematic has been found in gradio-app gradio up to 5.29.1. This affects the function is

lowvulnerability
security
May 29, 2025
CVE-2025-5320

A vulnerability (CVE-2025-5320) was found in Gradio, a web framework for building AI demos, affecting versions up to 5.29.1. An attacker could manipulate the localhost_aliases parameter in the CORS Handler (the component that controls which websites can access the application) to gain elevated privileges, though executing this attack is difficult and requires remote access.

Security Spotlight: Securing Cloud & AI Products with Guardrails

infonews
securitysafety

AI Safety Newsletter #56: Google Releases Veo 3

infonews
safetyindustry

CVE-2025-5277: aws-mcp-server MCP server is vulnerable to command injection. An attacker can craft a prompt that once accessed by the M

criticalvulnerability
security
May 28, 2025
CVE-2025-5277

CVE-2025-5277 is a command injection vulnerability (a flaw where an attacker can trick a program into running unwanted commands) in aws-mcp-server, an MCP server (a software tool that helps AI systems interact with AWS cloud services). An attacker can craft a malicious prompt that, when accessed by an MCP client (a program that connects to the server), executes arbitrary commands on the host system, with a critical severity rating of 9.4.

AI ClickFix: Hijacking Computer-Use Agents Using ClickFix

infonews
securitysafety

AI Literacy Programs in Europe – Supporting Article 4 of the EU AI Act

inforegulatory
policy
May 23, 2025

This article describes a curated database of AI literacy training programs across Europe designed to help organizations and professionals comply with Article 4 of the EU AI Act (a regulation requiring organizations to build employee understanding of AI). The programs are selected based on whether they teach what AI is, its risks and benefits, and how to use it responsibly in the workplace.

Previous258 / 326Next

Fix: The source explicitly mentions two mitigations: (1) An Allow List for CLSIDs and ProgIDs, where 'the MCP server will instantiate allow listed COM objects' and notes this 'could be expanded to include specific interfaces/methods as well,' and (2) 'Confirmation Dialogs' where 'Claude shows an Allow / Deny button before invoking custom tools by default' to 'make sure a human remains in the loop,' though the source notes this 'can be disabled, but also re-enabled in the Claude Settings per MCP tool.'

Embrace The Red

Skyvern through version 0.1.85 has a vulnerability where attackers can inject malicious code into the Prompt field of workflow blocks through SSTI (server-side template injection, where untrusted input is processed as code by the server's template engine). Authenticated users can craft special expressions in Jinja2 templates (a template system that evaluates code on the server) that aren't properly cleaned up, allowing them to execute commands on the server without direct feedback, a capability known as blind RCE (remote code execution).

Fix: A fix is referenced in the GitHub commit db856cd8433a204c8b45979c70a4da1e119d949d in the Skyvern repository, but the source text does not explicitly describe what the fix does or provide a specific patched version number to upgrade to.

NVD/CVE Database
NVD/CVE Database
Jun 4, 2025

This content is a collection of blog post titles and announcements from Palo Alto Networks about AI security, covering topics like agentic AI (AI systems that can autonomously take actions), container security, and operational technology (OT, the systems that control physical infrastructure) security. The posts discuss vulnerabilities in autonomous AI systems, the need for contextual red teaming (security testing tailored to specific use cases), and various security products like Prisma AIRS.

Protect AI Blog

Fix: Upgrade to version 3.5.13 or later. As a temporary workaround, users can edit the `cmd_config.json` file to disable the dashboard feature.

NVD/CVE Database

Fix: Update to version 0.9.0 or later, which fixes the issue.

NVD/CVE Database

Fix: Upgrade to version 0.9.0, which fixes the issue. A patch is available at https://github.com/vllm-project/vllm/commit/08bf7840780980c7568c573c70a6a8db94fd45ff.

NVD/CVE Database

Fix: Update to vLLM version 0.9.0 or later, which fixes the issue.

NVD/CVE Database

Fix: Update to version 0.9.0 or later, which contains a patch for the issue.

NVD/CVE Database

Fix: Update to Gradio version 5.31.0 or later, where this issue has been patched.

NVD/CVE Database
NVD/CVE Database

Fix: This issue has been patched in version 0.9.0.

NVD/CVE Database

Fix: Update vLLM to version 0.9.0 or later. The issue has been patched in version 0.9.0.

NVD/CVE Database
NVD/CVE Database
May 28, 2025

This article collection discusses security challenges in AI and cloud systems, particularly focusing on agentic AI (AI systems that can take autonomous actions). Key risks include jailbreaks (tricking AI systems into ignoring safety rules), prompt injection (hidden malicious instructions in AI inputs), and tool misuse by autonomous agents, which require contextual red teaming (security testing designed for specific use cases) rather than generic testing to identify real vulnerabilities.

Protect AI Blog
May 28, 2025

Google released Veo 3, a frontier video generation model (an advanced AI system at the cutting edge of technology) that generates both video and audio with high quality and appears to be a marked improvement over existing systems. The model performs well on human preference benchmarks and may represent the point where video generation becomes genuinely useful rather than just a novelty. Additionally, Google announced several other AI improvements at its I/O 2025 conference, including Gemini 2.5 Pro and enhanced reasoning capabilities, while Anthropic released Claude Opus 4 and Claude Sonnet 4 with frontier-level performance.

CAIS AI Safety Newsletter
NVD/CVE Database
May 24, 2025

ClickFix is a social engineering technique (a method that tricks people rather than exploiting technical vulnerabilities) that adversaries are adapting to attack computer-use agents (AI systems that can control computers by clicking and typing). The attack works by deceiving users into believing something is broken or needs verification, then tricking them into clicking buttons or running commands that compromise their system.

Embrace The Red
EU AI Act Updates