All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
LLMs (large language models) can output ANSI escape codes (special control characters that modify how terminal emulators display text and behave), and when LLM-powered applications print this output to a terminal without filtering it, attackers can use prompt injection (tricking an AI by hiding instructions in its input) to make the terminal execute harmful commands like clearing the screen, hiding text, or stealing clipboard data. The vulnerability affects LLM-integrated command-line tools and applications that don't properly handle or encode these control characters before displaying LLM output.
A researcher discovered that DeepSeek-R1-Lite, a new AI reasoning model, is vulnerable to prompt injection (tricking an AI by hiding instructions in its input) combined with XSS (cross-site scripting, where malicious code runs in a user's browser). By uploading a specially crafted document with base64-encoded malicious code, an attacker could trick the AI into executing JavaScript that steals a user's session token (a credential stored in browser memory that proves who you are), leading to complete account takeover.
Autolab, a course management system for auto-graded programming assignments, has a vulnerability where students can insert spreadsheet formulas (like those used in Excel) into their first or last names. When instructors download and open the course roster, these formulas execute and can leak student information by sending it to remote servers. The vulnerability has been patched in the source code repository.
Lobe Chat, an open-source AI chat framework, has a vulnerability in versions before 1.19.13 that allows attackers to perform SSRF (server-side request forgery, where an attacker tricks a server into making unauthorized requests to other systems) without logging in. Attackers can exploit this to scan internal networks and steal sensitive information like API keys stored in authentication headers.
CVE-2024-49038 is a cross-site scripting (XSS, a type of attack where malicious code is injected into a webpage to trick users) vulnerability in Microsoft Copilot Studio that allows an unauthorized attacker to gain elevated privileges over a network by exploiting improper handling of user input during webpage generation.
Autolab is a course management system that automatically grades programming assignments. A vulnerability in versions 3.0.0 and later allows any logged-in student to download all submissions from other students or even instructor test files using the download_all_submissions feature, potentially exposing private coursework to unauthorized people.
MLflow has a vulnerability (CVE-2024-27134) where directories have overly permissive access settings, allowing a local attacker to gain elevated permissions through a ToCToU attack (a race condition where an attacker exploits the gap between when a program checks permissions and when it uses a resource). This only affects code using the spark_udf() MLflow API.
LLama Factory, a tool for fine-tuning large language models (AI systems trained on specific tasks or data), has a critical vulnerability that lets attackers run arbitrary commands on the computer running it. The flaw comes from unsafe handling of user input, specifically using a Python function called `Popen` with `shell=True` (a setting that interprets input as system commands) without checking or cleaning the input first.
CVE-2024-48530 is a vulnerability in eSoft Planner version 3.24.08271-USA that allows attackers to cause a DoS (denial of service, where a system becomes unavailable to legitimate users) through a specially crafted POST request (a type of web request) sent to the Instructor Appointment Availability module. The vulnerability stems from CWE-770, which means the software fails to limit resource allocation, allowing attackers to exhaust system resources.
CVE-2024-52445 is a deserialization of untrusted data vulnerability (a flaw where a program processes data from an untrusted source without checking it, potentially allowing an attacker to manipulate the program) in the Modeltheme QRMenu Restaurant QR Menu Lite plugin that affects versions up to 1.0.3. This vulnerability allows object injection (an attack where malicious data tricks the program into creating unintended objects).
A vulnerability in the Linux kernel's panthor graphics driver allows userspace to make memory mappings writable after creation through mprotect(), and to create copy-on-write mappings that can cause system crashes. The issue occurs because the driver doesn't properly restrict VM_MAYWRITE (a flag controlling whether memory can be made writable later) and doesn't require VM_SHARED (a flag indicating shared memory semantics) when mapping GPU flush registers.
The European AI Office posted a job opening for a Lead Scientific Advisor for AI, responsible for ensuring scientific rigor in testing and evaluating general-purpose AI (large AI models trained on broad data that can handle many tasks) models and leading the office's scientific approach to AI safety. The position required EU citizenship, at least 15 years of professional experience, and fluency in EU languages, with an application deadline of December 13, 2024.
Autolab, a service that manages programming courses and automatically grades assignments, has an HTML injection vulnerability (a flaw where untrusted data is inserted as HTML, potentially allowing attackers to inject malicious code) in version 3.0.1 that affects instructors and course assistants viewing grade submissions. The vulnerability allows attackers to execute cross-site scripting (XSS, where malicious scripts run in a user's browser without their knowledge).
MarkUs (a web application for student assignment submission and grading) has a vulnerability in versions before 2.4.8 that allows authenticated instructors to write files anywhere on the web server, potentially leading to remote code execution (the ability to run commands on a system from a distance). This happens because the file upload methods don't properly restrict where files can be saved.
MarkUs, a web application for submitting and grading student assignments, has a path traversal vulnerability (a security flaw that lets attackers access files outside the intended directory) in versions before 2.4.8. Authenticated instructors can download any file on the server, depending on file permissions. The vulnerability affects how the application limits access to files.
CVE-2024-24446 is a vulnerability in OpenAirInterface CN5G AMF (a network component that manages connections in 5G systems) up to version 2.0.0 where an uninitialized pointer dereference (using a memory address that hasn't been properly set up) allows attackers to crash the system by sending a specially crafted message. This vulnerability can cause a Denial of Service (DoS, making the system unavailable to legitimate users).
Fix: According to the source, users are advised to manually patch their systems or wait for the next release. The fix is expected to be released in the next version. No known workarounds are available.
NVD/CVE DatabaseFix: Upgrade to lobe-chat version 1.19.13 or later. According to the source, 'This issue has been addressed in release version 1.19.13 and all users are advised to upgrade.' There are no known workarounds for this vulnerability.
NVD/CVE DatabaseFix: The issue has been patched in commit `1aa4c769`, which is expected to be included in version 3.0.3. Users can either manually patch their installation or wait for version 3.0.3 to be released. As an immediate temporary workaround, administrators can disable the download_all_submissions feature.
NVD/CVE DatabaseFix: A patch is available at https://github.com/mlflow/mlflow/pull/10874, though the source does not specify which MLflow version contains the fix.
NVD/CVE DatabaseA security flaw in Hugging Face Transformers allows attackers to run arbitrary code (RCE, remote code execution) on a user's computer by tricking them into opening a malicious file or visiting a malicious webpage. The vulnerability happens because the software doesn't properly validate data when loading model files, allowing untrusted data to be deserialized (converted from storage format back into a running program).
A vulnerability in Hugging Face Transformers' MaskFormer model allows attackers to run arbitrary code (RCE, or remote code execution) on a user's computer if they visit a malicious webpage or open a malicious file. The flaw occurs because the model file parser doesn't properly validate user-supplied data before deserializing it (converting saved data back into working code), allowing attackers to inject and execute malicious code.
Hugging Face Transformers MobileViTV2 has a vulnerability where attackers can execute arbitrary code (running commands they choose) by tricking users into visiting malicious pages or opening malicious files that contain specially crafted configuration files. The flaw happens because the software doesn't properly check (validate) data before deserializing it (converting it from stored format back into usable code), allowing untrusted data to be executed.
Fix: This vulnerability is fixed in version 0.9.1.
NVD/CVE DatabaseFix: Clear the VM_MAYWRITE flag and require VM_SHARED when handling DRM_PANTHOR_USER_FLUSH_ID_MMIO_OFFSET mappings. The patch restricts both userspace's ability to change permissions via mprotect() and prevents unsupported copy-on-write semantics for this memory region.
NVD/CVE DatabaseFix: Update to version 3.0.2, which patches the vulnerability. Alternatively, manually edit line 589 in the file `gradesheet.js.erb` to treat feedback as plain text rather than HTML code.
NVD/CVE DatabaseFix: Upgrade to MarkUs v2.4.8 or later. The source states: 'MarkUs v2.4.8 has addressed this issue' and notes that 'no known workarounds are available at the application level aside from upgrading.'
NVD/CVE DatabaseFix: Upgrade to MarkUs v2.4.8 or later. The source states: 'MarkUs v2.4.8 has addressed this issue' and notes that 'No known workarounds are available at the application level aside from upgrading.'
NVD/CVE DatabaseThis is the official 2025 release of the OWASP Top 10 for Large Language Model Applications, which is a ranked list of the most critical security risks affecting AI systems. The document provides guidance on the biggest threats that developers should be aware of when building or using LLM-based applications (software built around large language models, which are AI systems trained on vast amounts of text).