All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Twig (a template engine) versions 3.24.0 and later had a vulnerability where object-destructuring assignment (a syntax for extracting values from objects) bypassed the sandbox security feature (a restriction system that controls what properties and methods templates can access). An attacker who could write to a sandboxed template could read any public property or call any public method, defeating the security restrictions that should have prevented this.
Fix: The destructuring compiler was updated to correctly forward the active sandbox flag to the getAttribute() function so that property and method allowlists are enforced during destructuring operations.
GitHub Advisory Database
ChromaDB, a popular vector database used in AI applications, has a critical vulnerability (CVE-2026-45829) that allows unauthenticated attackers to run arbitrary code on servers. The flaw exists because ChromaDB checks authentication after it has already downloaded and executed a malicious model from Hugging Face, meaning attackers can trick the system into running their code by uploading a malicious model and requesting ChromaDB to use it.
Twig (a PHP template engine) has a vulnerability where template names in `{% use %}` tags aren't properly escaped, allowing attackers to inject arbitrary PHP code that executes when the template cache loads. This bypasses Twig's security sandbox, giving attackers remote code execution (the ability to run commands on the server).
LiteLLM versions before 1.83.10 have a vulnerability where users can change their own role to proxy_admin (an administrative role) through the /user/update endpoint, giving them full control over the system including all users, teams, and API keys. Even users with org_admin privileges can exploit this flaw without needing to chain it with other attacks.
LiteLLM versions before 1.83.14 have a privilege escalation vulnerability (a security flaw that lets someone gain higher-level permissions than they should have) where authenticated internal users can create API keys (credentials for accessing the system) that grant access to admin-only routes without proper verification. This allows attackers to bypass role-based access controls (the system that restricts what different users can do) and gain full admin privileges.
This is a discussion panel about how AI companies are working to build systems that understand the physical world, moving beyond the current limitations of LLMs (large language models, which are AI systems trained on text). The conversation explores recent developments in world models, which are AI systems designed to understand and predict how the physical world works.
The `mcp-server-kubernetes` tool had a security flaw where access control settings (environment variables that limit which Kubernetes operations are available) only worked when listing tools, but not when actually running them. This meant an attacker or misconfigured AI agent could bypass these restrictions and run any Kubernetes command, like deleting pods or accessing containers, even if they were supposed to be blocked.
Microsoft is negotiating to supply its custom Maia AI chips to Anthropic, a company that makes Claude, a popular AI assistant. This deal would help Microsoft compete with Amazon and Google in providing specialized AI hardware to clients, while Anthropic seeks to address its computing capacity challenges after experiencing rapid growth in demand for its AI tools.
Amazon SageMaker Python SDK has a vulnerability where it stores an HMAC signing key (a cryptographic secret used to verify that model files haven't been tampered with) in plaintext as an environment variable that can be read by anyone with access to certain AWS APIs. An attacker with the right permissions could steal this key, use it to forge valid model files, and run malicious code on the system running the model.
LMDeploy, a model serving tool, hardcodes `trust_remote_code=True` (a setting that allows executing custom Python code from downloaded models) when loading models from HuggingFace. An attacker who can control which model path the system loads could point it to a malicious model repository, causing arbitrary code execution (running any commands they want) with the privileges of the LMDeploy server process. This affects LMDeploy version 0.12.3 and earlier.
Wiz has integrated with Anthropic's Claude Compliance API to give organizations visibility into how Claude Enterprise is being used across their environment. The integration lets security teams see Claude users, projects, permissions, and connected datasets mapped into Wiz's Security Graph (a centralized system for tracking and connecting all resources), helping with compliance audits and governance.
Polyend has released the Endless, a $299 guitar pedal that uses AI to create audio effects based on text prompts (instructions you type in). The pedal runs on an ARM processor (the type of chip commonly found in smartphones) and works with software called Playground, which contains interconnected AI agents that interpret your written descriptions and generate corresponding guitar effects.
OpenAI's AI model has made progress on the planar unit distance problem, a math question posed 80 years ago asking how many pairs of dots on a sheet can be the same distance apart. The AI disproved the long-standing assumption that square grids provided the best solution by discovering a new family of mathematical arrangements that perform better, though the broader problem remains unsolved. While mathematicians have validated this work, humans were significantly involved in improving and refining the AI's original proof.
Spotify Studio is a new AI application that creates personalized daily podcasts and briefings by analyzing your Spotify listening history and connected apps like email and calendar. The AI can perform actions like web searches and task organization on your behalf, with generated content savable to your Spotify library.
At Anthropic's Code with Claude developer conference, nearly half of attendees reported shipping pull requests (code updates submitted for review) entirely written by Claude, an LLM (large language model, an AI trained on vast amounts of text to generate responses), with many not even reading the code themselves. Anthropic is pushing automation further by having Claude check and correct its own work through self-prompting and a new feature called "dreaming," where Claude agents write notes to themselves to learn from past errors and improve on shared codebases without requiring human developers to review intermediate steps.
This article covers a lawsuit where Elon Musk sued Sam Altman and OpenAI, claiming that OpenAI's shift from a nonprofit to a for-profit company violated a charitable trust that Musk had funded. The jury ruled against Musk because he filed the lawsuit after the statute of limitations (the legal deadline for filing) had expired. While the case was officially about OpenAI's structure change, it appeared to be mainly about Musk's frustration with Altman and OpenAI's success.
Anthropic, an AI company, agreed to pay SpaceX $1.25 billion per month (totaling $15 billion annually) through May 2029 for access to SpaceX's Colossus data centers in Memphis, Tennessee, which are used for AI training. This deal was revealed in SpaceX's IPO filing (a document companies file when offering stock to the public for the first time).
Fix: Until a patch becomes available, researchers advise: (1) deploy ChromaDB using the Rust implementation instead of the Python FastAPI server, as the Rust version is not affected, and (2) restrict network access to the ChromaDB port to trusted IP addresses only.
CSO Online
Fix: `Compiler::string()` now escapes single quotes in addition to the characters it previously escaped, preventing template names from breaking out of the surrounding PHP string context.
GitHub Advisory Database
Fix: Update LiteLLM to version 1.83.10 or later.
NVD/CVE Database
Fix: Update LiteLLM to version 1.83.14 or later.
NVD/CVE Database
This article discusses how security leaders (CISOs, or Chief Information Security Officers) should prepare for AI systems that can take independent actions (agentic AI). The key challenge is creating an AI bill of materials (AI BOM, a detailed list of all components and dependencies in an AI system) that documents both what components make up the AI system and how those components actually behave when running.
Fix: The same filtering logic used in the tool listing layer is now applied in the tool execution layer (the `CallToolRequestSchema` handler), so restricted tools return an error when called directly. Fixed in v3.6.0.
GitHub Advisory Database
Fix: Upgrade to Amazon SageMaker Python SDK v2.257.2 or v3.8.0. According to the source: 'AWS recommend upgrading to the latest version and rebuilding any models previously created with ModelBuilder using the updated SDK.' As a temporary workaround if upgrading is not immediately possible: 'users can manually remove the SAGEMAKER_SERVE_SECRET_KEY environment variable from existing SageMaker models by recreating the model without this variable in the container environment configuration.'
GitHub Advisory Database
Apple's Memory Integrity Enforcement (MIE, a hardware-based protection against memory corruption attacks, where attackers modify data in a computer's RAM to take control) was bypassed by researchers using AI systems, who developed a working exploit for macOS on M5 chips in under a week. The article argues that while defense-in-depth (layering multiple security barriers in hardware and software) can slow attackers down, AI-assisted exploration of vulnerabilities now happens faster than traditional human-only methods, making older security designs insufficient.
Companies are increasingly deploying AI agents (software programs that can act independently to complete tasks), and these agents need identity management, security, and governance like human users do. New research shows that budgeting and planning for AI agent identity security works differently than it does for traditional IAM (identity and access management, the systems that control who can access what resources) projects.