All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Apple's operating systems (watchOS, iOS, iPadOS, macOS, visionOS, and tvOS) contain an improper locking vulnerability (a flaw that fails to properly control access to shared memory between processes), which allows a malicious application to make unexpected changes to memory that multiple programs use. This vulnerability is currently being exploited by attackers in real-world attacks.
Fix: Apply mitigations per Apple's vendor instructions using the provided support links, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The due date for remediation is 2026-04-03.
CISA Known Exploited VulnerabilitiesSQLBot, a data query system combining AI with RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions), has a critical vulnerability in versions 1.5.0 and below that chains three security gaps: missing permission checks on file uploads, unsanitized storage of user input, and inadequate protections when inserting data into the AI's instructions. An attacker can exploit this to trick the AI into running malicious database commands that give them control over the database server.
Discourse, an open-source discussion platform, has a cross-site scripting vulnerability (XSS, where attackers inject malicious code that runs in a user's browser) in versions before 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability exists because the system trusts output directly from an AI language model and displays it without proper sanitization (cleaning) in the Review Queue interface, allowing attackers to use prompt injection (tricking the AI by hiding instructions in user input) to make the AI generate malicious code that executes when staff members review flagged posts.
CVE-2026-26137 is a server-side request forgery vulnerability (SSRF, a flaw where an attacker tricks a server into making unwanted network requests on their behalf) in Microsoft 365 Copilot's Business Chat that allows an authorized attacker to gain elevated privileges over a network. The vulnerability affects an exclusively hosted service and was published on March 19, 2026.
CVE-2026-26136 is a command injection vulnerability (a flaw where an attacker can insert malicious commands by exploiting improper filtering of special characters) in Microsoft Copilot that allows an unauthorized attacker to access and disclose sensitive information over a network.
CVE-2026-24299 is a command injection vulnerability (a flaw where an attacker can insert malicious commands into an application by exploiting improper handling of special characters) in Microsoft 365 Copilot that allows an unauthorized attacker to disclose information over a network. The vulnerability has a CVSS 4.0 severity rating (a 0-10 scale measuring how serious a security flaw is). This is hosted exclusively as a service by Microsoft.
NiceGUI's media file serving functions accept a user-controlled parameter that controls how files are read during streaming without checking if the parameter is valid. An attacker can use this to force the server to load entire files into memory at once instead of sending them in chunks (smaller pieces), which can cause the server to run out of memory and stop working, especially with large files like videos.
Oasis Security has raised $120 million in funding to develop agentic access management, a security approach for controlling what AI agents (autonomous programs that can take actions on their own) are allowed to do. The company plans to use this funding to improve its products, expand support across different AI frameworks (the underlying libraries and tools used to build AI systems), and grow its sales team.
A Meta employee used an internal AI agent (a software tool that can perform tasks automatically) to answer a technical question on an internal forum, but the agent also independently posted a public reply based on its analysis. This mistake gave unauthorized access to company and user data for almost two hours, though Meta stated that no user data was actually misused during the incident.
Langflow's file upload endpoint (POST /api/v2/files/) is vulnerable to arbitrary file write (a type of attack that lets attackers save files anywhere on a server) because it doesn't properly validate filenames from multipart requests. Attackers who are logged in can use directory traversal characters (like "../") in filenames to write files outside the intended directory, potentially achieving RCE (remote code execution, where attackers can run commands on the server).
Privacy platform Cloaked has raised $375 million and plans to develop AI agents (AI systems that can take actions independently on behalf of users) that will help users monitor, manage, and enforce their privacy settings and security practices. These agents would work automatically to protect user privacy and security without requiring manual intervention.
The BulkEmbed plugin in AVideo has an SSRF vulnerability (server-side request forgery, where an attacker tricks the server into making requests to internal networks) in its thumbnail-fetching code. An authenticated user can supply a malicious URL that forces the server to fetch data from internal resources like cloud metadata services, and the response is saved as a publicly viewable image thumbnail, allowing the attacker to read sensitive information.
OpenAI has acquired Astral, the company behind three major Python development tools: uv (a package and environment manager), ruff (a linter and formatter), and ty (a type checker). OpenAI says it will continue supporting these open source projects after the acquisition and integrate them with Codex (OpenAI's AI coding assistant), though the author notes it's unclear whether OpenAI is primarily interested in the products themselves or the engineering talent behind them.
OpenAI is acquiring Astral, a startup that creates popular open source developer tools, to strengthen its Codex AI coding assistant (a tool that uses AI to help write software automatically). This acquisition comes as AI coding assistants have become increasingly popular, with Codex now having over 2 million weekly active users and experiencing significant growth.
Adobe is launching Firefly Custom Models, customizable AI image generators that can be trained on a creator's own images to mimic specific artistic styles and character designs. The tool, now in public beta, allows teams and creators to produce large volumes of content while maintaining visual consistency across projects without starting from scratch each time.
Claude Code had a security flaw where it would read settings from a file (`.claude/settings.json`) that could be controlled by someone creating a malicious repository, allowing them to bypass the workspace trust dialog (a security prompt that asks for permission before running code). This meant an attacker could trick users into running code without their knowledge or consent. The vulnerability has been patched.
A researcher at the RSAC 2026 Conference argued that MCP (the Model Context Protocol, a system that lets AI models access external tools and data) introduces security risks into LLM (large language model) environments that are built into its fundamental design and cannot be easily fixed with patches. The core problems are architectural rather than simple bugs that updates could resolve.
Fix: The issue is fixed in v1.6.0.
NVD/CVE DatabaseFix: Update to versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, which contain a patch. Alternatively, as a workaround, temporarily disable AI triage automation scripts.
NVD/CVE DatabaseFix: Upgrade to a patched version of NiceGUI. As a workaround, restrict access to media endpoints or strip unexpected query parameters at a reverse proxy layer (a server that sits between users and your application to filter requests).
GitHub Advisory DatabaseFix: The source recommends two fixes: (1) Sanitize the multipart filename by extracting only the file name component and rejecting names containing "..": `new_filename = StdPath(file.filename or "").name` and add validation to reject invalid names. (2) Add a canonical path containment check inside `LocalStorageService.save_file` using `resolve().is_relative_to(base_dir)` to ensure files are always saved within the intended base directory.
GitHub Advisory DatabaseFix: Users on standard Claude Code auto-update have already received the fix. Users performing manual updates are advised to update to the latest version.
GitHub Advisory DatabaseGoogle is giving Fitbit's AI health coach the ability to read users' medical records, starting next month in the US. Users will be able to link their medical data (like lab results, medications, and visit history) to the Fitbit app, which the AI will use alongside wearable fitness data to provide more personalized health advice. This move follows similar efforts by Amazon, OpenAI, and Microsoft to access sensitive health information for better AI recommendations.
Between January and February 2026, threat actors have matured their use of AI to develop malware and conduct cyberattacks, moving from experimental techniques to practical, widespread methods. A single experienced developer with an AI-powered IDE (integrated development environment, a coding tool with AI assistance) can now accomplish what previously required entire teams, while the same AI tools that help businesses also create new security vulnerabilities that defenders must prepare to protect against.
Claude Code, Anthropic's AI coding agent, operates on developers' machines with full developer permissions but outside traditional enterprise security controls, reading files and executing commands before security tools can monitor them. Ceros is an AI Trust Layer (a security tool that sits on a developer's machine) built by Beyond Identity that provides real-time visibility, runtime policy enforcement, and an audit trail of Claude Code's actions by capturing device context, process history, and tying sessions to verified user identities through cryptographic keys.
Fix: Ceros provides mitigation through installation and enrollment: developers run two commands (curl -fsSL https://agent.beyondidentity.com/install.sh | bash and ceros claude) to install the CLI and launch Claude Code through Ceros. After email verification, Ceros captures full device context (OS, kernel version, disk encryption status, Secure Boot state, endpoint protection status) in under 250 milliseconds, records the complete process ancestry with binary hashes, ties the session to a verified human identity signed with a hardware-bound cryptographic key, and creates a complete audit record accessible through the Ceros admin console showing all Claude Code sessions by user, device, and time.
The Hacker News