
Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

6114 items

GHSA-wc3v-3457-c8cm: OpenMeter: SQL injection through meter creation

medium | vulnerability
security
Jun 4, 2026
CVE-2026-8462

OpenMeter has a SQL injection vulnerability (a flaw that lets attackers insert malicious database commands) in its meter creation endpoint. An authenticated tenant can inject arbitrary SQL through the `valueProperty` or `groupBy` fields, bypassing validation and executing commands against the shared ClickHouse database (the system that stores event data for all tenants), allowing any tenant to read or modify other tenants' metering data.

Fix: Replace `fmt.Sprintf` string interpolation with `sb.Var()`, which appends the value to the builder's args list and emits a `?` placeholder. Specifically, change: `sb.Select(fmt.Sprintf("JSON_VALUE('{}', '%s')", sqlbuilder.Escape(d.jsonPath)))` to `sb.Select(fmt.Sprintf("JSON_VALUE('{}', %s)", sb.Var(d.jsonPath)))`.
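The before/after pair above, as an added Go example that is not OpenMeter's code and does not use go-sqlbuilder itself: a minimal builder whose `Var` method appends to an args list and returns `?`, the hand-quoted interpolation beside the bound version, and an allow-list check for JSON paths as defence in depth. The table and column names (`om_events`, `namespace`), the payload and the allow-list pattern are constructed for illustration; the advisory's `sqlbuilder.Escape` wrapper is left out because it is the hand-written single quote in the format string that the payload closes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-in for the builder in the advisory: Var stores the value in
// the args list and hands back a "?" placeholder, so the value never touches the
// SQL text. This is not go-sqlbuilder; only the method names mirror the fix.
type selectBuilder struct {
	cols []string
	args []any
}

func (sb *selectBuilder) Var(v any) string {
	sb.args = append(sb.args, v)
	return "?"
}

func (sb *selectBuilder) Select(cols ...string) { sb.cols = append(sb.cols, cols...) }

func (sb *selectBuilder) Build(table string) (string, []any) {
	return "SELECT " + strings.Join(sb.cols, ", ") + " FROM " + table, sb.args
}

// buildVulnerable has the shape of the "before" line: the tenant-supplied JSON
// path is quoted by hand inside the format string, so a single quote in the
// path ends the literal and the rest is parsed as SQL.
func buildVulnerable(jsonPath string) (string, []any) {
	sb := &selectBuilder{}
	sb.Select(fmt.Sprintf("JSON_VALUE('{}', '%s')", jsonPath))
	return sb.Build("om_events")
}

// buildSafe has the shape of the "after" line: the path travels as a bound argument.
func buildSafe(jsonPath string) (string, []any) {
	sb := &selectBuilder{}
	sb.Select(fmt.Sprintf("JSON_VALUE('{}', %s)", sb.Var(jsonPath)))
	return sb.Build("om_events")
}

// jsonPathPattern is an allow-list for paths a meter definition should accept:
// "$" followed by dotted identifiers with optional numeric indexes. Assumption:
// OpenMeter's real validation differs; this is defence in depth on top of binding.
var jsonPathPattern = regexp.MustCompile(`^\$(\.[A-Za-z_][A-Za-z0-9_]*(\[[0-9]+\])?)+$`)

func validJSONPath(p string) bool { return jsonPathPattern.MatchString(p) }

func main() {
	// Constructed payload: closes the hand-written quote and the JSON_VALUE call,
	// then adds a second select-list expression that reads another tenant's rows.
	payload := "$.value'), (SELECT count() FROM om_events WHERE namespace = 'other-tenant"
	q, _ := buildVulnerable(payload)
	fmt.Println("interpolated:", q)
	q, args := buildSafe(payload)
	fmt.Println("bound:       ", q, args)
	fmt.Println("allow-list:  ", validJSONPath("$.data.value"), validJSONPath(payload))
}
```

With the bound form the payload arrives at the driver as a single string argument and the query text stays `JSON_VALUE('{}', ?)`; the allow-list rejects it before a query is even built. Binding is the fix; the allow-list only narrows what a meter can express.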

GitHub Advisory Database

Starmer accuses Musk of trying to ‘whip up division’ in UK over Henry Nowak murder

info | news
policy
Jun 4, 2026

This article is about a political dispute, not an AI or LLM security issue. It discusses UK Prime Minister Keir Starmer criticizing Elon Musk for posts on X (a social media platform) related to a murder case, but contains no technical content about artificial intelligence, large language models, cybersecurity, or software vulnerabilities.

OpenAI responds to White House executive order on AI governance

info | news
policy
Jun 4, 2026

OpenAI has proposed a federal governance framework for frontier AI (the most advanced AI systems) that requires mandatory evaluations by a government body before public release, but stops short of giving regulators the power to block deployments. The proposal also includes broader requirements like third-party audits, transparency reports, incident reporting, and whistleblower protections for frontier AI developers, arguing that voluntary commitments alone are insufficient as AI systems become more capable.

CVE-2026-10814: A vulnerability has been found in milvus-io milvus up to 2.6.13. This vulnerability affects unknown code of the file int

medium | vulnerability
security
Jun 4, 2026
CVE-2026-10814

Milvus (a vector database) versions up to 2.6.13 have a weakness in the Grantee ID Hash Handler component, which uses a weak hash algorithm (a cryptographic function that is practical to break). Exploitation requires local access to the system and is rated high complexity, but the details have been disclosed publicly.

Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

high | news
security
Jun 4, 2026

A security flaw in Anthropic's Claude Code GitHub Action allowed attackers to hijack repositories by opening a single malicious GitHub issue that exploited a broken permission check and indirect prompt injection (tricking an AI by hiding instructions in its input). The vulnerability let attackers steal credentials needed to gain write access to code and workflows, potentially poisoning the Claude Code Action itself for downstream projects that use it.

Agentic AI Is Transforming Defense, But Only Secure IT Infrastructure Will Maximize It

info | news
security, policy

Offroad Emerges From Stealth With $7 Million to Tackle Enterprise Identity Risk

info | news
security, industry

Willow Raises $7 Million for Securing Autonomous AI Agents

info | news
security, industry

AI Threat Readiness Pillar 1: Reduce Critical Exposures & Scan with AI

info | news
security, industry

ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New Stories

info | news
security
Jun 4, 2026

This security bulletin covers multiple threats: Cisco released patches for a high-severity SSRF vulnerability (server-side request forgery, where attackers trick a server into making unwanted requests) in Unified Communications Manager that could let unauthenticated attackers write files and gain root access; Russia's FSB reported foreign intelligence services deployed spyware on officials' mobile devices to steal data and conduct surveillance; threat actors are using social engineering to distribute VIP Keylogger through JavaScript, batch, and VBS loaders disguised as business communications; and the U.S. Treasury sanctioned Iran's largest cryptocurrency exchange for facilitating payments linked to terrorist activities and ransomware actors.

Elon Musk is steamrolling Wall Street to become a trillionaire

info | news
industry
Jun 4, 2026

This article discusses a podcast interview about Elon Musk's planned SpaceX IPO (initial public offering, when a private company sells shares to become publicly traded) and the state of X (formerly Twitter). The interview explores how Musk may be bending corporate governance rules (the systems that keep companies accountable to shareholders and investors) to make the SpaceX IPO happen, and examines whether Musk's 2022 purchase of Twitter has damaged his reputation and businesses as predicted.

Gemini Voice Assistant Hijacked via Messaging Notifications

high | news
security, safety

CVE-2026-10804: A vulnerability has been found in Streamlit up to 1.53.0. Impacted is an unknown function in the library lib/streamlit/r

low | vulnerability
security
Jun 4, 2026
CVE-2026-10804

Streamlit versions up to 1.53.0 use a weak cryptographic hash in the hashing routine of the caching system (the function that turns cached inputs into a fixed-size key). The flaw is hard to exploit, requiring local access (being on the same machine) and high technical complexity, but it has been disclosed publicly.

CVE-2026-10803: A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflo

low | vulnerability
security
Jun 4, 2026
CVE-2026-10803

MLflow versions up to 3.10.0 compute dataset digests (fixed-size fingerprints that identify a dataset) with a weak cryptographic hash, an algorithm that is considered insecure. The flaw requires local access and is difficult to exploit, but a working exploit has been published.

AI leaders call for tougher protections against AI-aided bioweapons

info | news
policy, safety

Hugging Face Transformers RCE flaw enables stealthy compromise via AI model configs

high | news
security
Jun 4, 2026

A high-severity vulnerability in Hugging Face Transformers (a popular Python library for running AI models) allows attackers to execute malicious code on systems even when developers pass `trust_remote_code=False`, the setting meant to block loading of remote code. The attack works by hiding malicious instructions in a fake configuration parameter called `_attn_implementation_internal`, which looks like a normal internal setting and leaves no warning messages or traces. The vulnerability affects versions 4.56.0 through 5.2.x and is particularly dangerous because the Transformers library is downloaded millions of times per week and is used widely in enterprise environments.

How Endava is redesigning software delivery around AI agents

info | news
industry
Jun 4, 2026

Endava, a global technology services company, transformed its software delivery by adopting AI agents (AI systems that can autonomously perform tasks) as a core part of daily work across all business functions, not just engineering. The company made OpenAI its enterprise platform and embedded AI throughout its entire DavaFlow lifecycle (their software development process), from requirements gathering to deployment, which accelerated delivery and reduced manual work. Key to their success was treating AI adoption as a behavior change requiring leadership commitment and hands-on experimentation, rather than simply rolling out new software tools.

Hacking Meta’s AI Chatbot

high | news
security
Jun 4, 2026

Hackers discovered a way to take over Instagram accounts by tricking Meta's AI support chatbot into resetting passwords for accounts that weren't theirs. The attacker would use a VPN (a tool that masks your location) to hide their location, then convince the chatbot to send a password reset code to an email address they controlled, allowing them to take over the victim's account. Meta said the specific exploit was fixed, but security experts warned that chatbots are fundamentally unreliable for account security tasks.

Dreaming: Better memory for a more helpful ChatGPT

info | news
industry
Jun 4, 2026

OpenAI is rolling out an improved memory system called "Dreaming" for ChatGPT that automatically learns user preferences and context from conversations over time, addressing problems with older memory features that became outdated or incorrect. Unlike the previous "saved memories" system that only worked when users explicitly asked ChatGPT to remember something, Dreaming runs in the background to continuously synthesize and update memories from chat history, making ChatGPT more personalized without requiring manual input. Users can view and edit their stored memories through a memory summary page, and this update is being released to Plus and Pro users in the US with broader rollout planned.

Beware the ‘son of Mythos,’ security experts warn

info | news
security, policy
Sources and remaining details for the items above, in the same order as the list:

Starmer accuses Musk of trying to ‘whip up division’ in UK over Henry Nowak murder

The Guardian Technology

OpenAI responds to White House executive order on AI governance

CSO Online

CVE-2026-10814: milvus-io milvus up to 2.6.13

Fix: Apply the patch identified by commit 3d932f1c3e065351c4440c27abe1e6479752544d.

NVD/CVE Database

Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories

Fix: Update to claude-code-action v1.0.94 or later. Then audit any workflow that lets users without write access, or bots, trigger Claude: if it takes untrusted input, limit the secrets it can reach to the Anthropic API key and GITHUB_TOKEN, and remove tools and permissions that could be used to exfiltrate data.

The Hacker News
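The three checks in that fix (version floor, secrets reachable from an untrusted trigger, write scopes on such a trigger) as an added Go audit, not code from Anthropic, the action, or the article. The workflow is modelled as struct literals so no YAML parser is needed; which events count as untrusted, which write scopes count as dangerous, the extra `NPM_TOKEN` secret and the input names in the sample are all assumptions made here for illustration.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// Workflow fields the audit needs, built from struct literals so the check runs
// without a YAML parser; a real run would unmarshal .github/workflows/*.yml into this shape.
type Step struct {
	Uses      string
	With, Env map[string]string
}
type Job struct {
	Permissions map[string]string // scope -> "read" or "write"
	Steps       []Step
}
type Workflow struct {
	On   []string // trigger events
	Jobs map[string]Job
}

const actionName = "anthropics/claude-code-action"

var (
	// Assumption (not from the item): events that users without write access, and bots, can raise.
	untrustedTriggers = map[string]bool{"issues": true, "issue_comment": true, "pull_request_target": true}
	// The only secrets the fix guidance lets a workflow that takes untrusted input keep.
	allowedSecrets = map[string]bool{"ANTHROPIC_API_KEY": true, "GITHUB_TOKEN": true}
	// Assumption: write scopes a hijacked run could use to alter code, workflows or cloud trust.
	dangerousWrite = map[string]bool{"contents": true, "actions": true, "id-token": true, "packages": true}
	secretRef      = regexp.MustCompile(`\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}`)
	semverTag      = regexp.MustCompile(`@v?(\d+)\.(\d+)\.(\d+)$`)
)

// refAtLeast reports whether a uses: ref pins a full version tag at or above floor
// (major*1000000 + minor*1000 + patch); parsed is false for branches, commit SHAs
// and moving tags such as @v1, which cannot be compared.
func refAtLeast(ref string, floor int) (atLeast, parsed bool) {
	m := semverTag.FindStringSubmatch(ref)
	if m == nil {
		return false, false
	}
	var v [3]int
	for i := range v {
		v[i], _ = strconv.Atoi(m[i+1])
	}
	return v[0]*1000000+v[1]*1000+v[2] >= floor, true
}

// Audit returns one finding per departure from the fix guidance in the item above.
func Audit(wf Workflow) []string {
	var findings []string
	untrusted := false
	for _, ev := range wf.On {
		untrusted = untrusted || untrustedTriggers[ev]
	}
	for name, job := range wf.Jobs {
		for _, st := range job.Steps {
			if !strings.HasPrefix(st.Uses, actionName+"@") {
				continue
			}
			if atLeast, parsed := refAtLeast(st.Uses, 1000094); !parsed || !atLeast {
				findings = append(findings, name+": "+st.Uses+" is not a version tag at or above v1.0.94")
			}
			if !untrusted {
				continue // a push-only workflow may keep broader secrets and scopes
			}
			for _, vals := range []map[string]string{st.With, st.Env} {
				for _, v := range vals {
					for _, m := range secretRef.FindAllStringSubmatch(v, -1) {
						if !allowedSecrets[m[1]] {
							findings = append(findings, name+": secret "+m[1]+" reachable from an untrusted trigger")
						}
					}
				}
			}
			for scope, level := range job.Permissions {
				if level == "write" && dangerousWrite[scope] {
					findings = append(findings, name+": "+scope+": write granted on an untrusted trigger")
				}
			}
		}
	}
	return findings
}

// Constructed sample; fixed=true applies the guidance (newer tag, contents read-only,
// extra secret removed). Input names are illustrative, not the action's exact inputs.
func sample(fixed bool) Workflow {
	uses, contents := actionName+"@v1.0.90", "write"
	env := map[string]string{"NPM_TOKEN": "${{ secrets.NPM_TOKEN }}"} // hypothetical extra secret
	if fixed {
		uses, contents, env = actionName+"@v1.0.94", "read", nil
	}
	return Workflow{On: []string{"issues", "issue_comment"}, Jobs: map[string]Job{"claude": {
		Permissions: map[string]string{"contents": contents, "issues": "write", "pull-requests": "write"},
		Steps: []Step{{Uses: uses, Env: env, With: map[string]string{
			"anthropic_api_key": "${{ secrets.ANTHROPIC_API_KEY }}",
			"github_token":      "${{ secrets.GITHUB_TOKEN }}",
		}}},
	}}}
}
```

`Audit(sample(false))` reports the old tag, the extra secret and `contents: write`; `Audit(sample(true))` reports nothing. Keeping `issues`/`pull-requests` write is deliberate, since the action needs them to reply; what the audit removes is the scope a hijacked run would use to push code or workflow changes.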
Agentic AI Is Transforming Defense, But Only Secure IT Infrastructure Will Maximize It

Jun 4, 2026

Agentic AI (AI systems that can take independent actions across networks) is being deployed in U.S. defense networks, but security risks are growing just as fast, especially after an unauthorized group reportedly accessed Anthropic's Claude Mythos model within hours. The article emphasizes that AI is only as trustworthy as the data it uses, the networks it connects to, and the security controls protecting it, requiring careful attention to what data enters the model, who can access it, and where the AI sends requests.

The Hacker News
Offroad Emerges From Stealth With $7 Million to Tackle Enterprise Identity Risk

Jun 4, 2026

Offroad, a new startup, uses agentic AI (AI systems that can take autonomous actions) to help organizations find and fix identity risks across their systems. The company addresses a growing problem where identities (human users, machines, and AI agents) are spreading across many systems, making it difficult for security teams to manually manage access and permissions, especially as AI agents operate at scales and speeds humans cannot match.

Fix: Offroad's approach, as described in the source, is to 'use its own autonomous agents to find the issue, gather the context necessary to understand the problem, and then fix it.' The system either reports details to a human for review or takes autonomous action wherever safe. Additionally, Offroad has launched ohauth.ai, described as 'A community catalog of OAuth apps (third-party applications with delegated access) with over-privileged scopes, dead publisher domains, and silent permission drift' to help organizations identify risky applications.

SecurityWeek
Willow Raises $7 Million for Securing Autonomous AI Agents

Jun 4, 2026

Willow, an Israeli startup, launched a platform that manages identity and access for AI agents (autonomous systems that perform tasks independently) in enterprises, securing tools like Claude and ChatGPT through centralized control. The platform assigns verified identities to each AI agent, restricts which systems they can reach using least-privilege access (allowing only the minimum permissions needed), and detects unauthorized AI usage across a company's network. With $7 million in funding, Willow aims to let companies safely deploy AI agents without giving them unrestricted access to sensitive systems and data.

SecurityWeek
AI Threat Readiness Pillar 1: Reduce Critical Exposures & Scan with AI

Jun 4, 2026

AI is making it faster for attackers to turn newly discovered vulnerabilities into working exploits, with exploitation timelines shrinking from days or weeks to hours. Security teams are overwhelmed with more vulnerability alerts than they can handle, so they need to identify which exposures actually matter by evaluating reachability (can attackers access it?), exploitability (can it be compromised?), and business impact. To address this, organizations should use AI-powered scanning tools to find complex attack chains and prioritize vulnerabilities based on real-world risk rather than volume.

Fix: The source recommends Wiz Attack Surface Management (ASM), which combines external visibility of internet-facing assets with internal cloud context to identify and reduce critical exposures. The source text is cut off and gives no implementation details or mitigation steps beyond that recommendation.

Wiz Research Blog

ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New Stories

Fix: Cisco has addressed the SSRF vulnerability in Unified CM and Unified CM SME in Release versions 14SU6 and 15SU5.

The Hacker News
Elon Musk is steamrolling Wall Street to become a trillionaire

The Verge (AI)
Gemini Voice Assistant Hijacked via Messaging Notifications

Jun 4, 2026

Researchers discovered a critical vulnerability in Google's Gemini voice assistant where attackers could inject malicious commands through messaging notifications (WhatsApp, Slack, SMS) using a technique called Fake Context Alignment, allowing them to control smart home devices, make calls, and manipulate the assistant without the user knowing. The attack exploited prompt injection (tricking an AI by hiding instructions in its input) by embedding hidden commands in foreign languages or muted links that Gemini would process but not read aloud. Google patched the vulnerability in November 2025 with content classifier improvements (software filters that categorize and block harmful content).

Fix: Google patched the vulnerability in mid-November 2025 with content classifier improvements.

SecurityWeek
CVE-2026-10804: Streamlit up to 1.53.0

NVD/CVE Database

CVE-2026-10803: MLflow up to 3.10.0

NVD/CVE Database
AI leaders call for tougher protections against AI-aided bioweapons

Jun 4, 2026

Major AI company leaders, including those from Anthropic, OpenAI, and Microsoft, have sent an open letter to US lawmakers calling for stronger rules to prevent their AI systems from being used to develop biological weapons. They argue there is a serious gap in biosecurity (protections against biological threats) that could allow people to use AI to help create dangerous genetic material for harmful purposes, potentially causing a global pandemic.

The Verge (AI)

Hugging Face Transformers RCE flaw enables stealthy compromise via AI model configs

Fix: The vulnerability was silently patched in Transformers version 5.3.0, released on March 3. Users should update to this version or later to receive the fix.

CSO Online
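A compensating check for teams that cannot move to 5.3.0 immediately, as an added Go example that is not Hugging Face code: scan a downloaded `config.json` (including nested sub-configs such as `text_config`) for the `_attn_implementation_internal` key named in the report, and for any other underscore-prefixed key, before the model is handed to the loader. Assumptions made here: a config written by the library itself does not carry `_attn_implementation_internal`, so its presence in a fetched file is worth blocking on; `_name_or_path` is the one underscore key that legitimately appears and is allow-listed; the sample config and its values are constructed and say nothing about what a real malicious value looks like.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Keys that legitimately appear in a saved config.json with a leading underscore.
// Assumption: _name_or_path is the common one; extend for model families you trust.
var benignUnderscoreKeys = map[string]bool{"_name_or_path": true}

// The key named in the report. Assumption: the library does not serialize it, so
// its presence in a downloaded file is a signal to stop and inspect before loading.
const suspectKey = "_attn_implementation_internal"

// ScanConfig parses a config.json and returns the JSON paths of keys that warrant
// a look before from_pretrained runs: the suspect key anywhere in the tree, and any
// other private-looking key that is not on the allow-list.
func ScanConfig(raw []byte) ([]string, error) {
	var doc any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	var hits []string
	walk(doc, "$", &hits)
	sort.Strings(hits)
	return hits, nil
}

// walk recurses through objects and arrays so a key buried in a nested sub-config
// (text_config, vision_config, quantization settings) is found as well.
func walk(node any, path string, hits *[]string) {
	switch v := node.(type) {
	case map[string]any:
		for k, child := range v {
			p := path + "." + k
			switch {
			case k == suspectKey:
				*hits = append(*hits, p+" (attention override key)")
			case len(k) > 0 && k[0] == '_' && !benignUnderscoreKeys[k]:
				*hits = append(*hits, p+" (unexpected private key)")
			}
			walk(child, p, hits)
		}
	case []any:
		for i, child := range v {
			walk(child, fmt.Sprintf("%s[%d]", path, i), hits)
		}
	}
}

// Constructed sample, not a real model's config: a benign top level with the
// suspect key buried in a nested sub-config, where a top-level-only check misses it.
const sampleConfig = `{
  "_name_or_path": "example/model",
  "architectures": ["ExampleForCausalLM"],
  "model_type": "example",
  "text_config": {
    "hidden_size": 4096,
    "_attn_implementation_internal": "constructed-value"
  }
}`

func main() {
	hits, err := ScanConfig([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("refuse to load:", h)
	}
}
```

Run it against the config in the model directory before loading (the page notes that `trust_remote_code=False` does not cover this path); a non-empty result should fail the download step. The scan is a gate for pinned older versions, not a substitute for upgrading to 5.3.0 or later.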
How Endava is redesigning software delivery around AI agents

OpenAI Blog

Hacking Meta’s AI Chatbot

Fix: Instagram spokesperson Andy Stone stated that 'the issue was now fixed' on Monday.

Schneier on Security
Dreaming: Better memory for a more helpful ChatGPT

OpenAI Blog
Beware the ‘son of Mythos,’ security experts warn

Jun 4, 2026

Major AI companies like Anthropic and OpenAI are expanding access to frontier AI models (cutting-edge AI systems) for vulnerability discovery tools like Claude Mythos, which can identify security weaknesses in software. Security experts warn that these tools are becoming cheaper and more capable, and that attackers are already using similar AI systems, so organizations need to prepare for more advanced threats, including the ability to chain together multiple medium-severity vulnerabilities into high-impact attacks.

Fix: According to Paul Chichester from the UK's National Cyber Security Centre, "Organisations should improve cybersecurity by hardening access controls and running incident response exercises." Additionally, organizations should "use AI to write better code and look for vulnerabilities" themselves, and ensure their teams can "rapidly validate, prioritize, and remediate the issues being discovered before attackers find them first."

CSO Online