All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
OpenAI released gpt-4o-mini with safety improvements aimed at strengthening 'instruction hierarchy,' which is supposed to prevent users from tricking the AI into ignoring its built-in rules through commands like 'ignore all previous instructions.' However, researchers have already demonstrated bypasses of this protection, and analysis shows that system instructions (the AI's core rules) still cannot be fully trusted as a security boundary (a hard limit that stops attackers).
The MasterStudy LMS WordPress Plugin (a learning management system add-on for WordPress) before version 3.3.24 has a security flaw where students can create instructor accounts, giving them access to features they shouldn't be able to use. This vulnerability allows unauthorized privilege escalation (gaining higher-level permissions than intended).
CVE-2024-6960 is a vulnerability in the H2O machine learning platform where the Iced format (a system for moving Java objects across a computer cluster) allows deserialization of any Java class without restrictions. An attacker can create a malicious model using Java gadgets (pre-built code snippets that can be chained together for attacks) that executes arbitrary code when imported into H2O.
TorchServe (a tool for running PyTorch machine learning models in production) has a security flaw where two communication ports, 7070 and 7071, are exposed to all network interfaces instead of being restricted to localhost (the local machine only). This means anyone on a network could potentially access these ports. The vulnerability has been fixed and is available in TorchServe version 0.11.0.
TorchServe (a tool for running machine learning models in production) has a security flaw where its allowed_urls check (a restriction on which websites models can be downloaded from) can be bypassed using special characters like ".." in the URL. Once a model file is downloaded through this bypass, it can be used again without the security check, effectively removing the protection.
Khoj, an application that creates personal AI agents, has a vulnerability in its Obsidian, Desktop, and Web clients where user inputs and AI responses are not properly cleaned (sanitized). This allows attackers to inject malicious code through prompt injection (tricking the AI by hiding instructions in its input) via untrusted documents, which can trigger XSS (cross-site scripting, where malicious code runs in a user's browser when they view a webpage).
The EU AI Act Code of Practice is a voluntary set of guidelines published in July 2025 to help general-purpose AI (GPAI, large AI models used across many applications) model providers comply with new EU AI regulations during the gap period before formal European standards take effect in 2027 or later. The Code, developed by the EU AI Office and many stakeholders, covers three areas: Transparency and Copyright (for all GPAI providers) and Safety and Security (for providers of GPAI models with systemic risk, meaning those that could cause widespread harm). Though not legally binding, the Commission and EU AI Board confirmed the Code adequately demonstrates compliance with the AI Act's requirements.
Gradio v4.36.1 contains a code injection vulnerability (CWE-94, improper control of code generation) in the /gradio/component_meta.py file that can be triggered by crafted input. The vulnerability supplier disputes the report, arguing it describes a user attacking their own system rather than a genuine security flaw.
Flowise version 1.4.3 has a reflected cross-site scripting vulnerability (XSS, a type of attack where malicious code is injected into a webpage) in its `/api/v1/credentials/id` endpoint that allows attackers to inject harmful JavaScript into user sessions, potentially stealing information or redirecting users to malicious websites. The vulnerability is especially dangerous because it can be exploited without authentication in the default configuration and can be combined with other attacks to read files from the Flowise server.
Flowise version 1.4.3 has a reflected cross-site scripting vulnerability (XSS, where an attacker injects malicious code into web pages shown to users) in its `/api/v1/chatflows-streaming/id` endpoint. If using default settings without authentication, an attacker can craft a malicious URL that runs JavaScript in a user's browser, potentially stealing information, showing fake popups, or redirecting users to other websites.
Flowise version 1.4.3 has a reflected cross-site scripting vulnerability (XSS, a type of attack where malicious code is injected into a webpage) in its `/api/v1/public-chatflows/id` endpoint. An attacker can craft a malicious URL that injects JavaScript code into a user's session, potentially stealing information, showing fake popups, or redirecting users to other websites. This vulnerability is especially dangerous because the vulnerability exists in an unauthenticated endpoint (one that doesn't require a login) and can potentially be combined with other attacks to read files from the server.
Flowise version 1.4.3 contains a reflected cross-site scripting vulnerability (XSS, a type of attack where malicious code is injected into a webpage to compromise user sessions) in its chatflow endpoint that allows attackers to steal information or redirect users to other sites if the default unauthenticated configuration is used. The vulnerability occurs because when a chatflow ID is not found, the invalid ID is displayed in the error page without proper protection, letting attackers inject arbitrary JavaScript code. This XSS flaw can potentially be combined with path injection attacks (exploiting how the system handles file paths) to read files from the Flowise server.
Flowise version 1.4.3 has a CORS misconfiguration (a security setting that controls which websites can access the application), which allows any website to connect to it and steal user information. Attackers could potentially combine this flaw with another vulnerability to read files directly from the Flowise server without needing to log in.
Flowise version 1.4.3 has a vulnerability in its `/api/v1/openai-assistants-file` endpoint that allows arbitrary file read attacks (reading files on a system without permission) because the `fileName` parameter is not properly sanitized (cleaned of malicious input). This is caused by improper input validation, which is a common security weakness in software.
CVE-2023-47803 is a path traversal vulnerability (a flaw where attackers bypass directory restrictions to access files they shouldn't) found in the Language Settings feature of certain Synology camera models. The vulnerability allows remote attackers to read non-sensitive files through unspecified methods, affecting BC500 and TC500 camera models running firmware versions before 1.0.7-0298.
CVE-2024-5826 is a remote code execution vulnerability in the vanna-ai/vanna library's `vanna.ask` function, caused by prompt injection (tricking an AI by hiding instructions in its input) without code sandboxing. An attacker can manipulate the code executed by the `exec` function to gain full control of the app's backend server.
Fix: Update the MasterStudy LMS WordPress Plugin to version 3.3.24 or later.
NVD/CVE DatabaseFix: Upgrade to TorchServe release 0.11.0, which includes the fix for this vulnerability. The fix was implemented in pull request #3083.
NVD/CVE DatabaseFix: The issue has been fixed by validating the URL without characters such as ".." before downloading (see PR #3082). TorchServe release 0.11.0 includes the fix. Users are advised to upgrade.
NVD/CVE DatabaseVersions 0.0.15 through 0.0.20 of langchain-experimental contain a vulnerability where the code uses 'eval' (a function that runs Python code from text) on database values, allowing attackers to execute arbitrary code if they can control the input prompt and the server uses VectorSQLDatabaseChain (a component that connects language models to SQL databases). An attacker with low privileges could exploit this to break out of the application and access files or make unauthorized network connections.
Fix: Update langchain-experimental to version 0.0.21 or later.
NVD/CVE DatabaseAttackers can use prompt injection (tricking an AI by hiding malicious instructions in its input) to create fake memories in ChatGPT's memory tool, causing the AI to refuse all future responses with a maintenance message that persists across chat sessions. This creates a denial of service attack (making a service unavailable to users) that lasts until the user manually fixes it.
Fix: Users can recover by opening the memory tool, locating and removing suspicious memories created by the attacker. Additionally, users can entirely disable the memory feature to prevent this type of attack.
Embrace The RedFix: This vulnerability is fixed in version 1.13.0. Users should update to this version or later.
NVD/CVE DatabaseThe OpenAI ChatGPT app for macOS before July 5, 2024 had two security problems: it disabled the sandbox (a security boundary that limits what an app can access) and stored conversations in cleartext (unencrypted plain text) in a location that other apps could read. This meant user conversations were exposed to other programs on the same computer.
NextChat, a user interface for ChatGPT and Gemini, has a Server-Side Request Forgery vulnerability (SSRF, a flaw that lets attackers trick the server into making requests to unintended destinations) in its WebDav API endpoint because the `endpoint` parameter is not validated. An attacker could use this to make unauthorized HTTPS requests from the vulnerable server or inject malicious JavaScript code into users' browsers.
Fix: This vulnerability has been patched in version 2.12.4. Users should update to this version or later.
NVD/CVE DatabaseFix: Update Synology Camera Firmware to version 1.0.7-0298 or later for affected BC500 and TC500 models.
NVD/CVE Database