All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
PraisonAI's `execute_code()` function has a critical sandbox escape that lets an attacker run arbitrary commands on the host. The bypass chains four gaps in the validation layer: the `__self__` attribute is not blocked (on a builtin function such as `print` it returns the real `builtins` module), the `vars()` function is not restricted (so that module's `__dict__` can be dumped), calls made through attribute or subscript access bypass checks that only look at bare names, and string concatenation defeats the filter on string constants. Chained together, these gaps reach the `__import__` function and run OS commands, fully defeating the sandbox.
PraisonAI's CLI automatically expands `@url` mentions in prompts by making HTTP requests to any URL, with no restriction on the target, including localhost addresses. An attacker can therefore plant `@url:http://localhost:8766/` (or a similar mention) in a prompt to make the user's machine fetch local-only HTTP resources (metadata services, internal APIs, services bound to loopback) and inject the response into the model's context: an SSRF (server-side request forgery, where a system is tricked into making requests to internal networks) vulnerability against the user's own machine and the network it can reach.
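To make the four gap classes concrete, the following is an added example and not PraisonAI's code: a deliberately weak AST denylist filter that has all four gaps, next to an allowlist filter that closes them, run against a payload that chains them. The builtins sets, `naive_check`, `hardened_check` and `run_sandboxed` are all constructed for this illustration; `os.getpid()` stands in for a shell command so the demonstration stays harmless.

```python
import ast
import os

# Added example, not PraisonAI's code: a deliberately weak denylist filter that
# has the four gaps described above, beside an allowlist filter that closes them.

# Builtins exposed inside the sandbox namespace. The weak set still hands out
# vars(); the safe set does not, because vars() turns any object into its __dict__.
WEAK_BUILTINS = {"print": print, "vars": vars, "len": len, "range": range, "sum": sum}
SAFE_BUILTINS = {k: v for k, v in WEAK_BUILTINS.items() if k != "vars"}

BLOCKED_NAMES = {"__import__", "eval", "exec", "open", "compile", "getattr"}
BLOCKED_ATTRS = {"__class__", "__subclasses__", "__globals__", "__builtins__"}


def naive_check(src: str) -> bool:
    """Denylist filter with the four gaps: `__self__` is not in BLOCKED_ATTRS,
    `vars` is not in BLOCKED_NAMES, only bare ast.Name references are compared
    against the denylist (calls made through attributes or subscripts are never
    inspected), and string constants are compared whole, so "__imp" + "ort__"
    is not recognised as "__import__"."""
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Name) and node.id in BLOCKED_NAMES:
            return False
        if isinstance(node, ast.Attribute) and node.attr in BLOCKED_ATTRS:
            return False
        if isinstance(node, ast.Constant) and node.value in BLOCKED_NAMES:
            return False
    return True


def hardened_check(src: str) -> bool:
    """Allowlist filter: a loaded name must be a SAFE_BUILTINS entry or something
    the code itself defines; no import statements; no attribute name or string
    constant starting with "_", so dunder attributes such as `__self__` are
    unreachable whether written directly or pieced together at runtime."""
    tree = ast.parse(src)
    defined = {n.id for n in ast.walk(tree)
               if isinstance(n, ast.Name) and not isinstance(n.ctx, ast.Load)}
    defined |= {n.arg for n in ast.walk(tree) if isinstance(n, ast.arg)}
    defined |= {n.name for n in ast.walk(tree)
                if isinstance(n, (ast.FunctionDef, ast.ClassDef))}
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            return False
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            if node.id not in SAFE_BUILTINS and node.id not in defined:
                return False
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            return False
        if isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and node.value.startswith("_"):
            return False
    return True


def run_sandboxed(src: str, check, builtins: dict):
    """Gate `src` with `check`, then exec it with only `builtins` in scope and
    return whatever the code bound to `result`."""
    if not check(src):
        raise PermissionError("rejected by filter")
    ns = {"__builtins__": dict(builtins)}
    exec(compile(src, "<sandbox>", "exec"), ns)
    return ns.get("result")


# The escape chain: print.__self__ is the real builtins module, vars() dumps its
# __dict__, the key is pieced together so no constant equals "__import__", and
# the call is made through a subscript rather than a bare name. os.getpid()
# stands in for a shell command so the demonstration stays harmless.
PAYLOAD = 'result = vars(print.__self__)["__imp" + "ort__"]("os").getpid()'
BENIGN = "result = sum(range(10))"


def payload_escapes_naive_filter() -> bool:
    """True when the payload passes naive_check and reaches the host os module."""
    return run_sandboxed(PAYLOAD, naive_check, WEAK_BUILTINS) == os.getpid()


if __name__ == "__main__":
    print("naive filter escaped:", payload_escapes_naive_filter())
    print("hardened filter accepts payload:", hardened_check(PAYLOAD))
    print("hardened filter runs benign code:",
          run_sandboxed(BENIGN, hardened_check, SAFE_BUILTINS))
```

Even the allowlist version is a filter, not a security boundary: in-process CPython sandboxes have a long history of escapes, and the durable fix is to run untrusted code in a separate process or container with its own filesystem, network and resource limits.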
PraisonAI version 4.6.33 generates a Flask API server with authentication disabled by default when users run `praisonai deploy --type api`. The server exposes endpoints like `/chat` and `/agents` that accept unauthenticated requests and can execute user-supplied commands with access to API keys stored in the environment.
PraisonAI versions up to 4.6.37 contain a critical vulnerability where two functions in `agents_generator.py` use `spec.loader.exec_module` (a method that loads and runs Python code from a file) without any security checks or validation. An attacker can exploit this by providing a malicious Python file path through YAML configuration, either by modifying shared config files, submitting a crafted recipe via GitHub, or using prompt injection (tricking the AI into loading code from a malicious path), resulting in arbitrary code execution (the ability to run any commands on the system).
Ouroboros (an AI tool) has a remote code execution vulnerability where loading a `.env` file (a configuration file with environment variables) from a cloned repository could let an attacker run malicious code on your system. The flaw occurs because Ouroboros reads execution-controlling settings like CLI paths directly from the project directory's `.env` file without checking if they're trustworthy, allowing an attacker to point these paths to their own malicious scripts.
FastGPT, an AI Agent building platform, had a vulnerability in its JavaScript sandbox worker that failed to properly block dynamic imports (a way to load code at runtime). The filter looked for the literal `import(` pattern, so an attacker could bypass it by placing a block comment between the keyword and the parenthesis, as in `import/**/("child_process")`, which the filter did not recognise but the JavaScript engine still evaluates, allowing arbitrary command execution inside the sandbox container.
FastGPT, an AI Agent building platform, had a Server-Side Request Forgery (SSRF) vulnerability (a flaw that lets attackers trick a server into making requests to internal systems it shouldn't access) in versions before 4.15.0-beta1. An authenticated attacker could bypass security protections and make unauthorized requests to internal network services by exploiting an incomplete fix in the dataset preview endpoint when using the externalFile data import type.
Koel, a self-hosted audio streaming server with podcast support, has a vulnerability where it validates the main podcast feed URL for safety but fails to validate the individual episode URLs extracted from the RSS feed (the XML file that lists episodes). When a user plays an episode, the server downloads content from these unvalidated URLs, so an attacker who controls a feed can make it reach internal services such as the AWS metadata endpoint and steal credentials or other sensitive data.
SillyTavern, a locally installed tool for interacting with AI text and image generation models, had a vulnerability in versions before 1.18.0 where the /api/search/searxng endpoint allowed authenticated users to trick the server into making requests to internal or hidden services (SSRF, or server-side request forgery, where an attacker manipulates a server into accessing resources it shouldn't). An attacker could use this to access data from services that should only be available internally.
SillyTavern is a locally installed interface for interacting with text generation AI models and other AI tools. Versions before 1.18.0 had a vulnerability where the corsProxyMiddleware (a component that handles web requests) would forward user-supplied URLs directly to the fetch function without proper security checks, allowing SSRF (server-side request forgery, where an attacker tricks the server into making requests to unintended targets) attacks.
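The PraisonAI `@url`, FastGPT, Koel and SillyTavern items above are all the same defect: a URL the server fetches on behalf of a user is not checked against internal address space, or (Koel) only the first URL is checked and the ones found inside the fetched content are not. The following is an added example, not code from any of those projects, written in Python so it runs offline; `check_url`, `check_episode_urls`, the `FAKE_DNS` table and `SAMPLE_FEED` are constructed for the illustration.

```python
import ipaddress
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Added example, not code from any of the projects above: resolve-then-check
# URL validation applied to every URL the server is about to fetch, including
# the per-episode URLs found inside an already-fetched RSS feed.

ALLOWED_SCHEMES = {"http", "https"}
# Loopback, RFC 1918, link-local (which includes the 169.254.169.254 metadata
# service), CGNAT, "this network", and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked(ip) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 ranges still apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> list:
    """Every address the host resolves to, v4 and v6."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_url(url: str, resolver=system_resolver) -> list:
    """Return the addresses `url` resolves to if all of them are routable and
    public; raise ValueError otherwise. The caller should connect to one of the
    returned addresses (not re-resolve) and re-run this check on every redirect."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {url}")
    if not parts.hostname:
        raise ValueError(f"no host: {url}")
    if parts.username or parts.password:
        raise ValueError(f"credentials in URL: {url}")
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]      # literal address
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    if not addrs:
        raise ValueError(f"unresolvable host: {url}")
    for addr in addrs:                                      # reject if ANY answer is internal
        if is_blocked(addr):
            raise ValueError(f"{url} resolves to blocked address {addr}")
    return [str(a) for a in addrs]


def check_episode_urls(feed_xml: str, resolver=system_resolver):
    """Validate each <enclosure url=...> in a feed; validating only the feed URL
    is the gap described for Koel."""
    accepted, rejected = [], []
    for item in ET.fromstring(feed_xml).iter("item"):
        enclosure = item.find("enclosure")
        url = enclosure.get("url") if enclosure is not None else None
        if not url:
            continue
        try:
            check_url(url, resolver)
            accepted.append(url)
        except ValueError as exc:
            rejected.append((url, str(exc)))
    return accepted, rejected


# Constructed DNS answers so the example runs offline; "rebind.example" returns
# one public and one loopback address, which must be treated as internal.
FAKE_DNS = {
    "cdn.example.net": ["203.0.113.10"],
    "podcast.internal": ["10.0.0.5"],
    "rebind.example": ["203.0.113.20", "127.0.0.1"],
}


def fake_resolver(host: str) -> list:
    if host not in FAKE_DNS:
        raise ValueError(f"unresolvable host: {host}")
    return FAKE_DNS[host]


# Constructed feed: one legitimate enclosure and four attacker-controlled ones.
SAMPLE_FEED = """<rss><channel>
<item><enclosure url="https://cdn.example.net/ep1.mp3"/></item>
<item><enclosure url="http://169.254.169.254/latest/meta-data/"/></item>
<item><enclosure url="http://podcast.internal/ep2.mp3"/></item>
<item><enclosure url="http://[::ffff:127.0.0.1]:8766/"/></item>
<item><enclosure url="http://rebind.example/ep4.mp3"/></item>
</channel></rss>"""

if __name__ == "__main__":
    ok, bad = check_episode_urls(SAMPLE_FEED, fake_resolver)
    print("accepted:", ok)
    for url, why in bad:
        print("rejected:", url, "->", why)
```

Two caveats a practitioner should keep in mind: the check is only as good as the moment it runs, so the HTTP client must connect to the address that was checked (pinning it, rather than resolving the name a second time, defeats DNS rebinding), and every redirect target is a new URL that has to go through `check_url` again.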
SillyTavern is a locally installed interface for interacting with text generation AI models and related tools. Prior to version 1.18.0, the software had a cross-site scripting vulnerability (XSS, where attackers inject malicious code into web pages), because user-controlled URLs were displayed in error messages without being HTML-escaped (made safe for web display), allowing attackers to inject harmful scripts.
SillyTavern is a locally installed interface for interacting with text generation AI models, image generators, and voice tools. Prior to version 1.18.0, a vulnerability allowed attackers to delete the entire user extensions directory without authentication by sending a specially crafted request to the delete endpoint that bypassed filename validation (a security check that prevents malicious file paths).
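The PraisonAI `exec_module` item above and this SillyTavern delete-endpoint item share one root cause: a path taken from outside the trust boundary (a YAML recipe, a request parameter) is used without confirming that, after `..` and symlinks are resolved, it still lies inside the directory the feature is meant to work on. The following is an added example, not code from either project: a single containment helper used both before `exec_module` and before `unlink`. The temp-directory layout, `load_tool_module` and `delete_extension_file` are constructed for the illustration.

```python
import importlib.util
import os
import tempfile
from pathlib import Path

# Added example, not PraisonAI's or SillyTavern's code: one containment check
# serving both "which file may exec_module load" and "which file may the delete
# endpoint remove". The temp-directory layout in demo() is constructed.


def resolve_under(root: Path, candidate: str) -> Path:
    """Resolve `candidate` against `root` (symlinks and '..' included) and refuse
    a result that is root itself or lies outside it. An absolute `candidate`
    replaces root in the join and is then caught by the containment test."""
    root = root.resolve()
    target = (root / candidate).resolve()
    if target == root or root not in target.parents:
        raise PermissionError(f"{candidate!r} escapes {root}")
    return target


def load_tool_module(tools_root: Path, rel_path: str):
    """exec_module only after containment, file-type and existence checks; the
    module name is derived from the path, not taken from the config."""
    path = resolve_under(tools_root, rel_path)
    if path.suffix != ".py" or not path.is_file():
        raise PermissionError(f"not a loadable tool file: {rel_path!r}")
    spec = importlib.util.spec_from_file_location(f"tools_{path.stem}", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def delete_extension_file(ext_root: Path, name: str) -> Path:
    """A single path component only: no separators, not '', '.' or '..' (each
    of which would resolve to the directory itself), then containment."""
    if name in ("", ".", "..") or name != os.path.basename(name) or "\\" in name:
        raise PermissionError(f"invalid extension name: {name!r}")
    path = resolve_under(ext_root, name)
    if not path.is_file():
        raise FileNotFoundError(name)
    path.unlink()
    return path


def demo() -> dict:
    """Builds base/tools/good.py, base/outside.py and base/tools/link.py -> ../outside.py
    and records which loads and deletes are allowed."""
    base = Path(tempfile.mkdtemp())
    tools = base / "tools"
    tools.mkdir()
    (tools / "good.py").write_text("def run():\n    return 'ok'\n")
    (base / "outside.py").write_text("def run():\n    return 'escaped'\n")
    try:
        (tools / "link.py").symlink_to(base / "outside.py")
    except OSError:
        pass  # no symlink privilege: the missing file is still refused below
    (tools / "plugin.js").write_text("// constructed extension file\n")

    results = {"inside": load_tool_module(tools, "good.py").run()}
    for label, candidate in [("dotdot", "../outside.py"), ("symlink", "link.py"),
                             ("absolute", str(base / "outside.py"))]:
        try:
            load_tool_module(tools, candidate)
            results[label] = "loaded"
        except PermissionError:
            results[label] = "blocked"
    for label, name in [("empty", ""), ("dot", "."), ("parent", ".."),
                        ("traversal", "../outside.py"), ("valid", "plugin.js")]:
        try:
            delete_extension_file(tools, name)
            results["delete_" + label] = "deleted"
        except PermissionError:
            results["delete_" + label] = "blocked"
    results["outside_intact"] = (base / "outside.py").exists()
    results["tools_intact"] = tools.is_dir()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `target == root` test is what stops the whole-directory deletion: an empty name, `.` or `..` all resolve to the extensions directory itself, and a recursive delete on that path is exactly the outcome described above. For the module-loading case, containment is necessary but not sufficient; if the trusted directory is itself writable by the same parties that write the YAML, the attacker simply drops the file inside it, so the directory needs the same ownership and permission rules as the application code.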
SillyTavern, a locally installed interface for interacting with AI language models and image generators, had a vulnerability in versions before 1.18.0 where it trusted HTTP headers (Remote-User and X-Authentik-Username) used by single sign-on systems without verifying they came from a trusted source. This meant anyone who could connect directly to SillyTavern could fake these headers to log in as any user, including administrators, without a password, but only if SSO was explicitly enabled in the configuration.
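The PraisonAI API-server item (authentication off by default) and this SillyTavern item (SSO headers believed regardless of who sent them) are two sides of the same design question: what the server assumes about a request that has not proven anything. The following is an added example, not code from either project: a small WSGI wrapper whose configuration fails closed (authentication on by default and a missing token is a startup error) and which honours `Remote-User` / `X-Authentik-Username` only when SSO is enabled and the connection comes from a configured proxy range. `AuthConfig`, `authenticate`, `require_auth`, `chat_app` and `call` are constructed for the illustration; the proxy range and token are placeholders.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

# Added example, not PraisonAI's or SillyTavern's code: a WSGI authentication
# wrapper that is on by default, refuses to start without a token, and honours
# SSO identity headers only when the request arrived from a trusted proxy.

# WSGI spellings of the Remote-User and X-Authentik-Username headers.
SSO_HEADERS = ("HTTP_REMOTE_USER", "HTTP_X_AUTHENTIK_USERNAME")


@dataclass
class AuthConfig:
    auth_enabled: bool = True      # secure default; disabling is an explicit opt-out
    auth_token: str = ""
    sso_enabled: bool = False
    trusted_proxies: tuple = ()    # CIDRs whose SSO headers are believed
    _proxy_nets: list = field(init=False, default_factory=list)

    def __post_init__(self):
        if self.auth_enabled and not self.auth_token:
            raise ValueError("auth_enabled=True requires auth_token")   # fail closed
        if self.sso_enabled and not self.trusted_proxies:
            raise ValueError("sso_enabled=True requires trusted_proxies")
        self._proxy_nets = [ipaddress.ip_network(c) for c in self.trusted_proxies]

    def from_trusted_proxy(self, peer: str) -> bool:
        try:
            addr = ipaddress.ip_address(peer)
        except ValueError:
            return False
        return any(addr in net for net in self._proxy_nets)


def authenticate(environ: dict, cfg: AuthConfig):
    """Return (principal, reason); a None principal means reject."""
    if cfg.sso_enabled:
        user = next((environ[h] for h in SSO_HEADERS if environ.get(h)), None)
        if user is not None:
            if cfg.from_trusted_proxy(environ.get("REMOTE_ADDR", "")):
                return user, "sso"
            # Direct connection: anyone can set the header, so it proves nothing.
            return None, "sso header from untrusted peer"
    if not cfg.auth_enabled:
        return "anonymous", "auth disabled"
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() == "bearer" and hmac.compare_digest(
            token.strip().encode(), cfg.auth_token.encode()):
        return "token-holder", "bearer"
    return None, "missing or wrong bearer token"


def require_auth(app, cfg: AuthConfig):
    """Wrap a WSGI app so every request is authenticated first."""
    def wrapped(environ, start_response):
        principal, reason = authenticate(environ, cfg)
        if principal is None:
            start_response("401 Unauthorized",
                           [("Content-Type", "text/plain"), ("WWW-Authenticate", "Bearer")])
            return [reason.encode()]
        environ["auth.principal"] = principal
        return app(environ, start_response)
    return wrapped


def chat_app(environ, start_response):
    """Stand-in for a generated /chat endpoint."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['auth.principal']}".encode()]


def call(app, environ: dict):
    """Minimal in-process WSGI client: returns (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    cfg = AuthConfig(auth_token="placeholder-token", sso_enabled=True,
                     trusted_proxies=("10.0.0.0/8",))
    app = require_auth(chat_app, cfg)
    print(call(app, {"REMOTE_ADDR": "203.0.113.5", "HTTP_REMOTE_USER": "admin"}))
    print(call(app, {"REMOTE_ADDR": "10.0.0.2", "HTTP_REMOTE_USER": "admin"}))
```

The peer address check only works when the server really is reachable solely through the proxy; if users can connect to the port directly from inside the trusted range, the header is spoofable again, so bind the service to an address the proxy alone can reach or have the proxy sign the identity assertion instead.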
SillyTavern is a locally installed interface for interacting with text generation AI models. Before version 1.18.0, it had a security flaw where changing a password or recovering an account didn't log out existing sessions, because all session information was stored in a signed cookie (a small piece of data the browser keeps) rather than on the server, making it impossible to revoke access even after a password change.
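A signed cookie with no server-side state cannot be revoked because the server has nothing to compare it against; the smallest state that fixes this is a per-user counter that every cookie carries and that the server increments on password change, account recovery or "log out everywhere". The following is an added example, not SillyTavern's code: `UserStore`, `issue_session` and `verify_session` are constructed for the illustration, and `SECRET` is a placeholder.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Added example, not SillyTavern's code: a signed session cookie that stays
# stateless for the signature and expiry checks but carries a per-user
# "session generation"; bumping the generation on password change or account
# recovery invalidates every cookie issued before it. SECRET is a placeholder.

SECRET = b"constructed-demo-secret-replace-me"


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class UserStore:
    """Minimal server-side state: salted password hash plus the current generation."""

    def __init__(self):
        self.users = {}

    def create(self, name: str, password: str):
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "hash": _pw_hash(password, salt), "gen": 1}

    def check_password(self, name: str, password: str) -> bool:
        u = self.users.get(name)
        return u is not None and hmac.compare_digest(u["hash"], _pw_hash(password, u["salt"]))

    def change_password(self, name: str, new_password: str):
        """Also the path taken by account recovery: new secret, new generation."""
        u = self.users[name]
        u["salt"] = os.urandom(16)
        u["hash"] = _pw_hash(new_password, u["salt"])
        u["gen"] += 1          # every previously issued cookie now fails verification

    def logout_everywhere(self, name: str):
        self.users[name]["gen"] += 1


def issue_session(store: UserStore, name: str, ttl: int = 3600, now=None) -> str:
    """body.signature, where body is base64url JSON of {sub, gen, exp}."""
    now = int(time.time()) if now is None else now
    claims = {"sub": name, "gen": store.users[name]["gen"], "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_session(store: UserStore, cookie: str, now=None):
    """Return the user name for a valid cookie, else None: signature first,
    then expiry, then the generation check against server state."""
    now = int(time.time()) if now is None else now
    body, _, sig = cookie.partition(".")
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None
    user = store.users.get(claims.get("sub"))
    if user is None or user["gen"] != claims.get("gen"):
        return None           # issued before the last password change or recovery
    return claims["sub"]


if __name__ == "__main__":
    store = UserStore()
    store.create("alice", "old-pw")
    cookie = issue_session(store, "alice")
    print("before change:", verify_session(store, cookie))
    store.change_password("alice", "new-pw")
    print("after change:", verify_session(store, cookie))
```

The generation lookup costs one read per request, which is the price of being able to revoke; a full server-side session table additionally allows revoking one device at a time, and the same generation field is where a "sessions issued before time T are invalid" rule would go.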
Attackers are abusing ChatGPT's share feature (which lets users publish rendered content on legitimate OpenAI URLs) to display fake outage pages that trick users into downloading malware disguised as the ChatGPT desktop application. The "LLMShare" campaign uses Google ads to direct people to these malicious shared pages, which appear to come from OpenAI's domain but actually deliver malware-infected downloads through a fake installation portal.
The Linux Foundation is promoting DNS-AID, a new standard that allows AI agents (autonomous programs that can act independently) to find and communicate with each other using DNS (the system that translates website names into IP addresses) instead of requiring separate proprietary registries. DNS-AID enables agents and MCP (Model Context Protocol, a standard for how agents exchange information) servers to use the existing internet infrastructure as a vendor-neutral directory, with domain owners creating a special DNS address at _index._agents.{domain} as a discovery point.
Anthropic, an AI company, recently achieved a $965 billion valuation after securing $65 billion in funding, and analyst Dan Ives believes investor interest in AI is far from peaked and will expand to data layer companies (companies that manage and organize data). Ives predicts a major market rally with several large public offerings planned for 2026, though some analysts warn this could signal a market peak similar to the dot-com bubble of the late 1990s.
Fix (PraisonAI API server): Enable authentication explicitly when deploying the API server, for example with `APIConfig(auth_enabled=True, auth_token=...)`.
Source: GitHub Advisory Database
Fix (Ouroboros): Patched in version 0.39.0 via PR #1078. The fix applies a denylist that blocks execution-affecting environment variables from being loaded from the project directory's `.env` file while still honouring the trusted configuration in the user's home directory (`~/.ouroboros/.env`). Upgrade to 0.39.0 or later. Until then, inspect any `.env` file inside a cloned repository before running Ouroboros commands and make sure it contains no unexpected `OUROBOROS_*_CLI_PATH` or `OPENCODE_CLI_PATH` overrides.
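The Ouroboros item and its fix above describe a trust split by file location: the home-directory `.env` is the user's own, the repository `.env` arrived with a clone and may set ordinary settings but never the variables that choose which executable runs. The following is an added example, not Ouroboros's code: `parse_dotenv` and `merge_env` are constructed, the key pattern follows the `OUROBOROS_*_CLI_PATH` / `OPENCODE_CLI_PATH` names given above, and `LOG_LEVEL`, `MODEL` and the `OUROBOROS_EXAMPLE_CLI_PATH` name are placeholders.

```python
import re

# Added example, not Ouroboros's code: the trust split the fix describes,
# applied to constructed .env contents. EXEC_CONTROL follows the
# OUROBOROS_*_CLI_PATH / OPENCODE_CLI_PATH names from the advisory; LOG_LEVEL,
# MODEL and OUROBOROS_EXAMPLE_CLI_PATH are placeholder names.

EXEC_CONTROL = re.compile(r"^(OUROBOROS_[A-Z0-9_]+_CLI_PATH|OPENCODE_CLI_PATH)$")


def parse_dotenv(text: str) -> dict:
    """Small KEY=VALUE parser: blank lines and # comments skipped, optional
    'export ' prefix accepted, matching surrounding quotes removed."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def merge_env(home_env: dict, project_env: dict):
    """Home .env is trusted and may set anything. Project .env (from a cloned
    repository) may set ordinary settings, but every execution-controlling key
    is dropped and the dropped names are returned so the caller can warn.
    Assumption for this demo: a project value overrides a home value for keys
    that are allowed."""
    dropped = sorted(k for k in project_env if EXEC_CONTROL.match(k))
    merged = dict(home_env)
    merged.update({k: v for k, v in project_env.items() if not EXEC_CONTROL.match(k)})
    return merged, dropped


# Constructed contents of ~/.ouroboros/.env (trusted).
HOME_DOTENV = """# ~/.ouroboros/.env (constructed)
OPENCODE_CLI_PATH=/usr/local/bin/opencode
LOG_LEVEL=info
"""

# Constructed .env shipped inside a cloned repository (untrusted).
PROJECT_DOTENV = """# repository .env (constructed)
LOG_LEVEL=debug
MODEL="example-model"
export OPENCODE_CLI_PATH=./scripts/not-opencode.sh
OUROBOROS_EXAMPLE_CLI_PATH='./scripts/not-a-cli.sh'
"""


def demo():
    return merge_env(parse_dotenv(HOME_DOTENV), parse_dotenv(PROJECT_DOTENV))


if __name__ == "__main__":
    merged, dropped = demo()
    print("dropped from project .env:", dropped)
    print("effective OPENCODE_CLI_PATH:", merged["OPENCODE_CLI_PATH"])
```

A denylist keyed on variable names is only as complete as the list, which is why the advice to inspect the repository's `.env` still stands; an allowlist of the settings a project file may legitimately supply is the stricter form of the same idea.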
Source: GitHub Advisory Database
Fix (FastGPT): Fixed in version 4.15.0-beta1.
Source: NVD/CVE Database
Fix (FastGPT): Update to version 4.15.0-beta1 or later, where this vulnerability is fixed.
Source: NVD/CVE Database
Fix (SillyTavern): Fixed in version 1.18.0.
Source: NVD/CVE Database
Fix (SillyTavern): Fixed in version 1.18.0.
Source: NVD/CVE Database
Fix (SillyTavern): Fixed in version 1.18.0; update to 1.18.0 or later.
Source: NVD/CVE Database
Fix (SillyTavern): Fixed in version 1.18.0; update to 1.18.0 or later.
Source: NVD/CVE Database
Fix (SillyTavern): Update to version 1.18.0 or later, which fixes the vulnerability.
Source: NVD/CVE Database
Fix (SillyTavern): Fixed in version 1.18.0.
Source: NVD/CVE Database
ChatGPhish is a reported weakness in ChatGPT's web summarization: an attacker embeds instructions in a web page, and when a user asks ChatGPT to summarize that page the model renders attacker-chosen Markdown links and images as clickable content inside ChatGPT's trusted interface. Because ChatGPT automatically fetches Markdown links and images from the summarized page, the attacker can learn information such as the user's IP address, and rendered QR codes can steer users to phishing sites that desktop security filters never get to inspect.
Elon Musk's social media post about SpaceX's deal with AI company Anthropic contradicts details in SpaceX's IPO (initial public offering, when a private company sells shares to the public) filing, creating confusion for investors. The filing says Anthropic will pay SpaceX $1.25 billion per month through May 2029, but Musk claimed the lease is only 180 days with a 90-day cancellation option, potentially worth far less. This discrepancy matters because it affects how much revenue SpaceX can expect from this new compute capacity (computing power) business.
An attacker exploited CVE-2026-39987, a critical unauthenticated remote code execution vulnerability in Marimo (a Python notebook environment), to break into a system and then used an LLM agent (an AI system that plans and executes tasks autonomously) to steal cloud credentials and database information. Driving the post-exploitation phase with an agent made the intrusion more flexible and adaptive than a traditional scripted attack, letting it work around unexpected obstacles in real time.
Fix (Marimo): CVE-2026-39987 was addressed in Marimo version 0.23.0, released in April 2026. All versions prior to and including 0.20.4 are affected and should be updated to version 0.23.0 or later.
Source: The Hacker News