All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Major tech companies like Google and Microsoft are competing heavily in the AI coding assistant market, where Anthropic's Claude Code has taken an early lead. The market is projected to grow from $9.3 billion this year to roughly $30 billion by 2031, making it critical for these companies to compete not just for revenue, but also to get developers using their cloud services and training data to improve their AI models.
Anthropic is allowing the European Union's security agency (ENISA, the European Network and Information Security Agency) to access Mythos AI, a tool for testing AI security vulnerabilities. This partnership comes from cooperation between the European Commission and Anthropic as part of Project Glasswing.
Google has released Gemini Spark, an AI agent (a program that can independently complete multi-step tasks) that can work on tasks in the background on your behalf. While the agent performs well in demonstrations, the article raises concerns about its financial cost and potential privacy risks, questioning whether these tradeoffs are worthwhile.
IBM WebSphere Application Server versions 9.0 and 8.5 have a vulnerability that allows remote code execution (running malicious commands on a server from a distance) through deserialization of untrusted data (converting unverified data from a network connection back into executable code) in JAX-WS endpoints with WS-Security (web service security features).
CodexBar versions before 0.32.0 have a session cookie leakage vulnerability where attackers on the network can intercept imported browser session cookies by exploiting how the software handles redirects (automatic forwarding between web addresses) for Amp and Ollama providers. An attacker positioned between a user and the network can capture sensitive session cookies (small files that store login information) when they are sent unencrypted over HTTP (the unencrypted version of web communication).
F5-TTS (a text-to-speech software) through version 1.1.20 has a path traversal vulnerability (a flaw where attackers can access files outside the intended directory) in its finetune Gradio handlers (components that process fine-tuning requests). Unauthenticated attackers can exploit this by providing malicious project names that aren't checked, allowing them to write arbitrary files anywhere on the server's filesystem.
A vulnerability in OpenAirInterface5G 2.4.0 allows an attacker to crash a 5G base station by sending many subscription requests through an interface, which causes the system to divide by zero (attempting to divide a number by zero) when calculating radio resource usage metrics, knocking the 5G network offline for all connected devices.
Oracle released its first monthly Critical Security Patch Update (CSPU, a new faster patch cycle for urgent fixes that can't wait for quarterly updates) addressing 35 vulnerabilities, including 11 rated critical and several with publicly available exploit code. The most dangerous flaw is CVE-2026-46840 with a perfect CVSS score (a 0-10 severity rating) of 10, which allows unauthenticated attackers to take over Oracle REST Data Services (a gateway that exposes databases through APIs) via HTTPS.
CVE-2026-38950 is a vulnerability in ESA AnomalyMatch before version 1.3.1 that allows attackers to run arbitrary code by uploading malicious model checkpoint files. The problem occurs because the software uses torch.load() with unrestricted deserialization (a process that converts saved data back into code without safety checks), which can execute malicious code hidden in crafted model files.
OpenAI has published a statement on its AI policy approach, emphasizing that decisions about governing and deploying AI should involve governments, researchers, workers, civil society, and the public rather than any single company. The company states it has not created employee-funded PACs (political action committees, groups that collect money to influence elections), made donations to super PACs, or funded political candidates, though employees are free to engage in politics personally, and OpenAI commits to transparency if this approach changes.
Anthropic, an AI company founded by former OpenAI researchers, has confidentially filed an IPO (initial public offering, the process of offering company stock to the public for the first time) prospectus with the SEC, positioning itself to go public pending market conditions and regulatory review. The company has experienced rapid growth with its Claude AI models and recently announced a $47 billion revenue run rate, giving it a higher valuation than rival OpenAI. Anthropic's public prospectus must be filed at least 15 days before it begins a roadshow (presentations to potential investors) to sell shares.
Anthropic, an AI company, has filed paperwork with the SEC (Securities and Exchange Commission, the U.S. agency that oversees stock markets) to begin the process of going public, meaning it will offer shares of the company for people to buy on the stock market. The company is currently valued at $965 billion, making it more valuable than its competitor OpenAI.
Anthropic, the company behind Claude (a popular AI chatbot), has filed confidentially to become a publicly traded company on the US stock market. The announcement reflects the growing financial competition in the AI industry, with Anthropic's valuation rising dramatically from $380 billion in February to $965 billion after a recent $65 billion funding round.
Microsoft is holding its Build developer conference to showcase new AI capabilities and rebuild trust with developers, who have lost confidence in Windows and GitHub. The company plans to announce new AI models integrated into Windows, a new reasoning model (an AI system designed to work through complex problems step-by-step), and a Copilot super app (a unified interface for multiple AI assistant features).
Fix: Update CodexBar to version 0.32.0 or later. The fix is referenced in commit cdd7e347c1cf616615f18aa2ac52ba2ec9cab332 and release v0.32.0.
NVD/CVE Database
Florida has filed the first state lawsuit against OpenAI, claiming that ChatGPT endangers children, aids mass shooters, and encourages suicide in pursuit of profit. The lawsuit cites specific cases where ChatGPT allegedly provided harmful information, such as questions about disposing of human bodies. OpenAI responded by stating it has implemented industry-leading safety protections, including age detection tools and parental monitoring features.
Fix: Oracle stated that the CSPU "provides targeted, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption." Oracle will release CSPUs on the third Tuesday of each month, with dates scheduled for June 16, July 21, August 18, and September 15. Oracle cloud customers are patched automatically.
CSO Online
Florida's Attorney General filed a lawsuit against OpenAI and CEO Sam Altman, claiming the company knowingly released an unsafe product (ChatGPT, a chatbot that generates human-like text responses) that has contributed to mass shootings, suicides, and addiction in minors. The state is seeking to hold Altman personally liable and force OpenAI to comply with Florida consumer protection laws, with the Attorney General expecting other states to follow.
Fix: Update to ESA AnomalyMatch version 1.3.1 or later.
NVD/CVE Database
Two AI tools designed to find security weaknesses in digital systems, Anthropic's Claude Mythos and OpenAI's GPT-5.5 Cyber, have raised concerns among UK financial regulators about potentially undermining banking security. Anthropic has restricted access to Mythos for UK banks, while OpenAI has now offered its competing tool to nine major UK banks including Lloyds, HSBC, and Nationwide. Both companies are limiting access to these powerful security-testing tools, with Anthropic claiming their model is more capable and therefore requires more caution, while OpenAI argues the tools should be available to 'the right people' who maintain order rather than those seeking to cause disruption.
Fix: Anthropic states it is 'urgently working to expand access to Mythos,' though no specific timeline or conditions for that expanded access are detailed in the source text.
BBC Technology
AI models can now find software vulnerabilities (weaknesses that attackers can exploit) much faster than humans can fix them, exposing decades of poorly-secured software code. This creates an urgent need for governments, companies, and infrastructure operators to work together on coordinated fixes, patch management (applying software updates), and automated vulnerability repair before attackers use AI to exploit these weaknesses at scale.
Fix: The article calls for 'accelerated remediation, large-scale patch management coordination, and sustained investment in automated vulnerability repair capabilities,' but does not describe specific technical fixes or mitigation steps. N/A -- no explicit patch, version update, or detailed mitigation procedure is provided in the source.
Schneier on Security
Anthropic is giving the European Union access to Mythos, its most advanced AI model, after months of requests due to cybersecurity concerns. Mythos excels at finding security flaws in software (vulnerabilities, or weaknesses in code), but officials worry bad actors could misuse it to accelerate cybercrimes by exploiting thousands of previously unknown weaknesses. The EU is still working out the exact terms of the deal and discussing AI risks with partner countries.
AI-generated music is becoming widespread in the music industry, with over 50,000 AI-generated songs uploaded daily to streaming platforms, making it harder to identify and filter out. The Recording Academy, which runs the Grammy Awards, currently has rules that exclude AI music from eligibility, but the CEO acknowledges that AI tools like Suno are now omnipresent in music production sessions.