All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
AI agents (automated systems that can take actions based on AI decisions) are easy to build with modern tools, but they face several security threats. The OWASP Gen AI Security Project held a hackathon in New York where participants intentionally created insecure agents to identify common security problems.
On April 22, 2025, the European AI Office published preliminary guidelines explaining which companies count as providers of GPAI models (general-purpose AI models, which are AI systems capable of performing many different tasks across various applications). The guidelines cover seven key topics, including defining what a GPAI model is, identifying who qualifies as a provider, handling open-source exemptions, and compliance requirements such as documentation, copyright policies, and security protections for higher-risk models.
YoutubeDLSharp (a tool that wraps command-line video downloaders) has a vulnerability in versions 1.0.0-beta4 through 1.1.1 on Windows where attackers can inject malicious commands by exploiting unsafe argument conversion, especially when a Windows encoding workaround is enabled by default. Users cannot disable this workaround through built-in methods, making all applications using these versions potentially vulnerable.
PyTorch (a Python package for machine learning computations) versions 2.5.1 and earlier contain a remote code execution (RCE, where an attacker can run commands on a system they don't own) vulnerability when loading models with the torch.load function set to weights_only=True. The vulnerability stems from insecure deserialization (converting data back into executable code without checking if it's safe), which allows attackers to execute arbitrary commands remotely.
Rasa Pro is a framework for building conversational AI assistants that use large language models. A vulnerability was found where voice connectors (tools that receive audio input) did not properly check user authentication even when security tokens were configured, allowing attackers to send voice data to the system without permission.
PyTorch 2.6.0 contains a vulnerability in the torch.nn.functional.ctc_loss function (a component used for speech recognition tasks) that can cause denial of service (making the system unavailable). The vulnerability requires local access to exploit and has been publicly disclosed, though its actual existence is still uncertain.
A critical vulnerability (CVE-2025-3677) was found in lm-sys FastChat version 0.2.36 and earlier in the file apply_delta.py. The flaw involves deserialization (converting data back into code or objects, which can be dangerous if the data comes from an untrusted source) and can only be exploited by someone with local access to the affected system.
Mattermost (a team communication platform) versions 10.4.2 and earlier, 10.5.0 and earlier, and 9.11.9 and earlier don't properly block which websites their built-in AI tool can contact. This allows logged-in users to use prompt injection (tricking the AI by hiding instructions in their input) to steal data from servers that the Mattermost system can access.
In Aidex versions before 1.7, a logged-in attacker could exploit an open registry to run unauthorized commands on the system through prompt injection attacks (tricking the AI by hiding malicious instructions in user input) via the chat message endpoint. This allowed them to execute operating system commands, access databases, and invoke framework functions.
MaxKB (Max Knowledge Base) is an open source system that answers questions using a large language model and RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions). A reverse shell vulnerability (a security flaw that lets attackers gain control of a system remotely) exists in its function library module and can be exploited by privileged users to create unauthorized access.
BentoML is a Python library for building AI model serving systems, but versions before 1.4.8 had a vulnerability in its runner server that allowed attackers to execute arbitrary code (unauthorized commands) by sending specially crafted requests with specific headers and parameters, potentially giving them full access to the server and its data.
Spammers used OpenAI's GPT-4o-mini model to generate unique spam messages for each target website, allowing them to bypass spam-detection filters (systems that block unwanted messages) across over 80,000 sites in four months. The spam campaign, called AkiraBot, automated message delivery through website contact forms and chat widgets to promote search optimization services. OpenAI revoked the spammers' account in February after the activity was discovered.
CVE-2025-26644 is a vulnerability in Windows Hello (a biometric authentication system) where its recognition mechanism fails to properly detect or handle adversarial input perturbations (slight changes designed to fool AI systems). This weakness allows a local attacker to spoof someone's identity without authorization.
Cursor (a code editor designed for AI-assisted programming) had a bug in versions 0.45.0 through 0.48.6 where the Cursor Agent (an AI component that can automatically modify files) could be tricked into writing to files outside the workspace the user opened, either through direct user requests or hidden instructions in context. However, the risk was low because exploitation required deliberate prompting and any changes were visible to the user for review.
A vulnerability in the Linux kernel for ARM64 Qualcomm SDM845 processors was caused by a previous change that enabled pagetable walker cache coherency (a feature that keeps memory caches synchronized during page table operations). However, this feature doesn't work reliably across all SDM845/850 devices, causing some systems like the Lenovo Yoga C630 to lock up or crash. The fix reverts the problematic change to prevent these crashes.
Fix: Update to version 1.1.2, which contains the patch for this vulnerability.
NVD/CVE DatabaseAs AI systems start connecting to real tools and databases through the Model Context Protocol (MCP, a system that lets AI models interact with external applications and data), new security risks appear that older security methods cannot fully handle. The OWASP GenAI Security Project has released research on how to secure MCP, offering defense-in-depth strategies (a layered security approach using multiple protective measures) to help developers build safer AI applications that can act independently in real time.
Version 4.9.0 is a release of the MITRE ATLAS framework, which documents attack techniques and defenses specific to AI systems. The update adds new attack methods like reverse shells (unauthorized remote access to a system), model corruption, and supply chain attacks targeting AI tools, while also updating existing security techniques and adding real-world case studies of AI-related security breaches.
Researchers created the Virology Capabilities Test (VCT), a benchmark measuring how well AI systems can solve complex virology lab problems, and found that leading AI models like OpenAI's o3 now outperform human experts in specialized virology knowledge. This is concerning because virology knowledge has dual-use potential, meaning the same capabilities that could help prevent disease could also be misused by bad actors to develop dangerous pathogens.
Fix: The authors recommend that highly dual-use virology capabilities should be excluded from publicly-available AI systems, and know-your-customer mechanisms (verification processes to confirm who customers are and what they'll use the technology for) could ensure these capabilities remain accessible only to researchers in institutions with appropriate safety protocols. As a result of the paper, xAI has added new safeguards to their systems.
CAIS AI Safety NewsletterFix: This issue has been patched in version 2.6.0. Users should upgrade PyTorch to version 2.6.0 or later.
NVD/CVE DatabaseFix: This issue has been patched in versions 3.9.20, 3.10.19, 3.11.7 and 3.12.6 for the audiocodes, audiocodes_stream, and genesys connectors. Update Rasa Pro to one of these versions or later.
NVD/CVE DatabaseThe OWASP Generative AI Security Project, an organization focused on application security, announced nine new corporate sponsors to support efforts in improving security for generative AI technologies. The sponsors, including companies like ByteDance and Trend Micro, represent increased investment and momentum in making AI systems more secure.
Fix: Apply patch 46fc5d8e360127361211cb237d5f9eef0223e567. The project's security policy also recommends avoiding unknown models, which could have malicious effects.
NVD/CVE DatabaseThe AI Safety Newsletter highlights the launch of AI Frontiers, a new publication featuring expert commentary on critical AI challenges including national security risks, resource access inequality, risk management approaches, and governance of autonomous systems (AI agents that can make decisions without human input). The newsletter presents diverse viewpoints on how society should navigate AI's wide-ranging impacts on jobs, health, and security.
Fix: Update to Aidex version 1.7 or later.
NVD/CVE DatabaseFix: This vulnerability is fixed in v1.10.4-lts. Users should update to this version or later.
NVD/CVE DatabaseFix: Update BentoML to version 1.4.8 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 0.48.7.
NVD/CVE DatabaseFix: Revert commit 6b31a9744b8726c69bb0af290f8475a368a4b805 by removing the change that affirmed IDR0.CCTW on apps_smmu in the Linux kernel's arm64 device tree configuration for Qualcomm SDM845.
NVD/CVE Database