All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
OpenAI is preparing to confidentially file documents for an IPO (initial public offering, when a private company becomes publicly traded) as soon as this week, working with major investment banks like Goldman Sachs and Morgan Stanley. The company, valued at over $850 billion, is planning this public debut as part of normal strategic planning, though leadership hasn't confirmed a specific timeline.
Google has introduced a new YouTube Shorts Remix feature that uses Gemini (Google's AI model) to let users restyle or modify other people's videos. Users can transform clips into different art styles like pixel art or anime, or digitally alter content by changing appearances, adding people, or inserting themselves into videos. Creators can choose whether to allow or block others from remixing their videos.
Google is integrating its Gemini AI model into search ads, which will now display recommended products with AI-generated explanations of why you should buy them. This update is part of Google's broader shift toward AI-powered search results, including a new conversational search box and AI-generated content alongside traditional search results.
GitHub confirmed that attackers compromised an employee's device through a poisoned VS Code extension (a malicious add-on program for a code editor), leading to the theft of code from around 3,800 internal repositories. The breach was detected and contained quickly, and GitHub is investigating the incident while validating that no customer data was affected, only internal GitHub code.
Flowise has a security flaw in its `/api/v1/chatflows/apikey` endpoint that allows a user with a valid API key to view chatflow configurations (including system prompts, workflow graphs, and credential IDs) from other workspaces, as long as those chatflows don't have an API key assigned. The endpoint returns both the user's own chatflows and all unprotected chatflows across the entire system without filtering by workspace, breaking the isolation between workspaces.
Flowise has a mass assignment vulnerability in its PUT /api/v1/user endpoint that lets authenticated users directly change their password hash without verifying their old password. An attacker with a stolen session token can send a crafted request that overwrites the credential field, bypassing password verification, hashing enforcement, and policy validation, which gives them permanent access to the account.
Flowise, an AI tool, has a hardcoded setting that allows any webpage on the internet to make requests to its text-to-speech (TTS, a feature that converts written text into spoken audio) endpoint using your stored credentials. This bypasses the server's normal cross-origin request protection (CORS, which controls what websites can access a server's data), letting malicious webpages secretly generate speech on your behalf.
Wger, a fitness tracking application, has a security flaw where gym staff members with `gym.manage_gym` permission but no assigned gym (gym = None) can delete, deactivate, or reactivate any other users who also have no assigned gym. This happens because the authorization check uses a comparison that treats two `None` values as equal, bypassing the intended access control. Three views in the application were not fixed when this bug was patched elsewhere.
The `diffusers` package has a TOCTOU (time-of-check-time-of-use, where a security check happens at one moment but the actual data used comes from a different moment) vulnerability in its `DiffusionPipeline.from_pretrained` function that loads models from HuggingFace Hub. An attacker can bypass the `trust_remote_code` security check by updating a repository between two separate download calls, allowing arbitrary code to execute without the user explicitly approving it.
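To make the check-then-use window concrete, here is an added example (not code from the `diffusers` project, and not the real `huggingface_hub` API) that models a hub as an in-memory list of commits. The `load_pipeline` loader has the same two-step shape the item describes: download the config to decide whether `trust_remote_code` is needed, then download the files that are actually used. With `pin_revision=False` both steps follow the mutable `main` branch, so a commit that lands between them changes what gets loaded; with `pin_revision=True` the loader resolves `main` to one immutable commit id up front and reads both steps from it. `FakeHub`, `ToyPipeline`, `model_index.json` as the config name and `between_check_and_use` are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class FakeHub:
    """Constructed in-memory stand-in for a model hub (not the real huggingface_hub API).
    Each repo is a list of commits; a commit maps filenames to file contents and
    'main' always refers to the newest commit."""
    repos: Dict[str, List[Dict[str, str]]] = field(default_factory=dict)

    def push(self, repo: str, files: Dict[str, str]) -> str:
        self.repos.setdefault(repo, []).append(dict(files))
        return self.resolve(repo, "main")

    def _commit_id(self, repo: str, idx: int) -> str:
        body = json.dumps([repo, idx, self.repos[repo][idx]], sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()

    def resolve(self, repo: str, revision: str = "main") -> str:
        """Map a branch name to an immutable commit id; commit ids map to themselves."""
        if revision == "main":
            return self._commit_id(repo, len(self.repos[repo]) - 1)
        return revision

    def download(self, repo: str, filename: str, revision: str = "main") -> Optional[str]:
        commits = self.repos[repo]
        if revision == "main":
            commit = commits[-1]
        else:
            matches = [c for i, c in enumerate(commits) if self._commit_id(repo, i) == revision]
            if not matches:
                raise KeyError(f"unknown revision {revision}")
            commit = matches[0]
        return commit.get(filename)


class RemoteCodeRefused(Exception):
    """Raised when the config asks for custom code but trust_remote_code is False."""


def load_pipeline(hub: FakeHub, repo: str, trust_remote_code: bool = False,
                  pin_revision: bool = False,
                  between_check_and_use: Optional[Callable[[], None]] = None) -> dict:
    """Toy loader with the two-step shape of the bug described above: fetch the
    config to run the trust check, then fetch the files that are actually used.
    pin_revision=False reproduces the flaw (both steps follow 'main');
    pin_revision=True resolves 'main' to a commit id once and uses it for both steps."""
    revision = hub.resolve(repo, "main") if pin_revision else "main"

    # Step 1 (check): does the config declare a custom pipeline?
    config = json.loads(hub.download(repo, "model_index.json", revision))
    if config.get("custom_pipeline") and not trust_remote_code:
        raise RemoteCodeRefused("repository requires trust_remote_code=True")

    # The window between check and use; the hub may receive a new commit here.
    if between_check_and_use is not None:
        between_check_and_use()

    # Step 2 (use): fetch the files the pipeline actually runs with.
    code = hub.download(repo, "pipeline.py", revision)
    return {"revision": revision, "remote_code_loaded": code is not None}


def demo() -> dict:
    """Run the same timeline against the unpinned and the pinned loader."""
    results = {}
    for pinned in (False, True):
        hub = FakeHub()
        hub.push("org/model", {"model_index.json": json.dumps({"_class_name": "ToyPipeline"})})

        def repo_changes_in_window() -> None:
            # A new commit lands after the check ran: it now declares custom code.
            hub.push("org/model", {
                "model_index.json": json.dumps({"custom_pipeline": "pipeline.py"}),
                "pipeline.py": "# constructed stand-in for remote code",
            })

        results["pinned" if pinned else "unpinned"] = load_pipeline(
            hub, "org/model", trust_remote_code=False, pin_revision=pinned,
            between_check_and_use=repo_changes_in_window)
    return results


if __name__ == "__main__":
    print(demo())
```

The fix is not a stronger check but a single point of resolution: once every download in one `from_pretrained` call is tied to the same commit id, whatever is checked is exactly what is used, and an update to the branch in the meantime has no effect on that call.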
RTK (Rust Token Killer, a tool that filters sensitive data before showing command output to an LLM) had a vulnerability where it automatically loaded filter configuration files from a project directory without asking the user first, allowing attackers to secretly modify what an LLM sees. An attacker could place a malicious filter file in a repository to hide or alter command output (like file contents or security scan results) without any warning, potentially concealing malicious code during development.
1Password partnered with OpenAI to protect credentials from being leaked by AI coding agents, which are AI systems that can write and deploy software automatically. The companies created an Environments MCP Server (a module that connects different systems together) for Codex that gives AI agents access to credentials only when needed, without storing them in code, prompts, or the AI model's memory where they could be stolen. Credentials are issued just-in-time, scoped to specific tasks, and kept encrypted in 1Password's vault rather than exposed where attackers could find them.
Tech companies have long promised AI assistants but delivered disappointing results until recently, with OpenClaw, an open-source AI agent platform (software that can perform tasks autonomously), gaining popularity. Google has now announced new AI agents at I/O 2026 that can perform various tasks like gathering information and planning events, running continuously in the background with claimed seamless integration.
Microsoft released two open-source tools to help developers test AI agent security during development. RAMPART is a testing framework (built on PyRIT, an earlier tool) that lets developers write test cases to find safety problems like cross-prompt injections (when untrusted data reaches an AI indirectly through sources like emails or files) and data exfiltration (unauthorized data leakage). Clarity is a planning tool that guides developers through design decisions early in a project, before coding begins, so potential issues can be addressed cheaply rather than fixed later.
Fix: Microsoft provides RAMPART and Clarity as open-source tools. According to the source: RAMPART is 'a Pytest-native safety and security testing framework for writing and running safety and security tests for AI agents' that 'evaluates the outcome of those tests and reports the results.' Clarity helps developers 'arrive at the right approach even before writing a single line of code' by 'guiding them through problem clarification, solution exploration, failure analysis, and decision tracking.' Microsoft states that using these tools 'move[s] AI safety from a one-time review to a set of living artifacts that developers can use throughout the lifecycle.'
The Hacker News
Fix: Remove the hardcoded CORS wildcard headers from the TTS endpoint. Specifically, delete these lines from `packages/server/src/controllers/text-to-speech/index.ts` at line 83: `res.setHeader('Access-Control-Allow-Origin', '*')` and `res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')`. This allows the server's standard CORS middleware to handle access control instead.
GitHub Advisory Database
Fix: The maintainer's suggested patch is to replace the vulnerable `userprofile.gym_id !=` comparisons in `wger/core/views/user.py` (affecting UserDeactivateView at line 405, UserActivateView at line 442, and the delete view at line 131) with the `is_same_gym()` helper function that explicitly excludes `None` comparisons (`gym_a is not None and gym_a == gym_b`). This helper was already successfully applied to views in `wger/gym/views/{admin_notes,document,contract,gym}.py` but must also be applied to the three unpatched views in `wger/core/views/user.py`.
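The following added example (not wger's code) reduces the two comparison shapes to plain Python so the `None` case can be checked side by side. `Profile` is a constructed stand-in for the `UserProfile` model with only the `gym_id` field; `may_manage_vulnerable` keeps the pre-patch `!=` shape and `may_manage_fixed` uses the `is_same_gym()` helper exactly as the advisory gives it. The example models only the gym comparison and assumes the acting user already holds `gym.manage_gym`; the real views check that permission separately.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    """Constructed stand-in for wger's UserProfile; only gym_id matters here.
    gym_id None means the user has no gym assigned."""
    username: str
    gym_id: Optional[int]


def is_same_gym(gym_a: Optional[int], gym_b: Optional[int]) -> bool:
    """The helper named in the advisory: two missing gyms never count as the same gym."""
    return gym_a is not None and gym_a == gym_b


def may_manage_vulnerable(actor: Profile, target: Profile) -> bool:
    """Pre-patch shape of the check: forbid only when the gym ids differ.
    None != None is False, so two gym-less profiles are treated as colleagues."""
    if actor.gym_id != target.gym_id:
        return False
    return True


def may_manage_fixed(actor: Profile, target: Profile) -> bool:
    """Patched shape: the action requires an actual shared gym."""
    if not is_same_gym(actor.gym_id, target.gym_id):
        return False
    return True


def compare(actor: Profile, target: Profile) -> dict:
    """Return both verdicts side by side so the difference is visible in one call."""
    return {"vulnerable": may_manage_vulnerable(actor, target),
            "fixed": may_manage_fixed(actor, target)}


if __name__ == "__main__":
    staff = Profile("staff-without-gym", None)
    other = Profile("member-without-gym", None)
    print(compare(staff, other))  # the None/None case the advisory describes
```

The two functions agree on every pair of real gym ids; they differ only when both sides are `None`, which is exactly the case the three unpatched views still allow. A unit test that pins this pair down is cheap insurance against the comparison being reintroduced elsewhere.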
GitHub Advisory Database
Google announced Gemini Spark, an upcoming AI agent product that connects with Google apps like Gmail and Drive, which runs on Gemini 3.5 Flash and a tool called Antigravity. To address prompt injection risks (tricking an AI by hiding instructions in its input), Google stated that Spark operates in isolated virtual environments with encrypted credentials, data loss prevention policies, and a secure gateway, though the author expresses concern about whether these protections are sufficient given the sensitive data users may process through it.
Fix: According to Google's documentation, Gemini Spark implements the following security measures: 'Spark operates in a fully managed, secure runtime on Google Cloud' with 'every task executes in a fresh, strictly isolated, ephemeral VM to help ensure data never overlaps between sessions.' Additionally, 'all traffic routes through our secure Agent Gateway that enforces Data Loss Prevention (DLP) policies, while user credentials remain fully encrypted and are never exposed directly to the agent.'
Simon Willison's Weblog
Fix: Fixed in v0.32.0 (PRs #623, #625): the `.rtk/filters.toml` file is now blocked by default with a visible warning stating '[rtk] WARNING: untrusted project filters — Filters NOT applied. Run rtk trust to review and enable.' The patch also adds SHA-256 hash verification (a cryptographic check ensuring the file hasn't changed) to re-block filters if the file is modified after being trusted, and introduces new `rtk trust` and `rtk untrust` commands to let users explicitly approve configuration files.
GitHub Advisory Database
A UK study by the thinktank Demos found that AI chatbots like ChatGPT gave voters false information in response to 34% of questions about the Scottish election, including made-up scandals and invented candidates. The Electoral Commission has called for new legal controls to regulate AI platforms and prevent this kind of misinformation (false information spread to deceive people).
AI, particularly agentic AI (AI systems that can plan and take actions independently), is making attacks on applications faster, cheaper, and more widespread than ever before. Attackers now treat every app as a primary target rather than leaving lower-profile apps alone, and apps face hostile attacks within hours of being published online instead of days. Critical sectors like medical devices and automotive apps are seeing the steepest increases in attacks because AI tools have made it easier to reverse engineer (understand how software works by analyzing it) the complex, specialized code that once protected these systems.
Simply using security and privacy benchmarks (standardized tests that measure how well a system performs) is not enough to ensure AI is truly secure, because benchmarks don't accurately measure AI capabilities. Instead of relying on benchmarks alone, organizations should apply proven security engineering practices, such as process-driven standards like BSIMM (Building Security In Maturity Model, a framework that guides companies through security best practices), while staying extra vigilant since AI systems don't have a single reliable security measurement like software does.
Google and other companies are expanding AI labeling systems like SynthID (invisible watermarking that tags AI-generated images) and C2PA Content Credentials to help people identify fake or AI-generated content online. These technologies aim to combat deepfakes (manipulated videos or images made to look realistic) and other misleading AI content that has been deceiving people on social media.
Fix: 1Password introduced an Environments MCP Server for Codex that implements just-in-time credential access. According to the source, the solution works by: (1) issuing credentials only when needed and scoped to the specific task, (2) keeping secrets outside the model's context window, (3) providing a secure runtime environment where secrets are mounted, used, and discarded with user authentication required at access time, (4) using 1Password's vault technology to keep secrets end-to-end encrypted and centrally managed, (5) limiting access through custom permissions, and (6) injecting required variables directly into the application process at runtime so credentials exist in memory only for the authorized process and only as long as needed. The source states: 'The credentials never appear in code, terminals, or model context.'
SecurityWeek
Industrial Internet of Things (IIoT, which is the network of physical devices and machines used in factories and industries) faces unique security challenges that make existing vulnerability analysis techniques difficult to apply directly. Researchers developed TS-VulA, a framework that uses machine learning (ModernBERT, a neural network trained on text) and network analysis to identify vulnerabilities in three stages: assessing individual device risks, calculating which devices are most important to protect, and prioritizing which vulnerabilities to fix based on both risk and device importance.
This research presents a method to detect deepfakes (AI-generated fake videos or images of faces) by identifying inconsistencies in how image quality degrades between the background and the manipulated face regions. The approach uses a framework that learns to spot these degradation differences through two connected neural networks (deep learning models), one that creates fake images and another that detects them, working together in an adversarial process similar to a GAN (generative adversarial network, where two AI systems compete to improve each other). The method shows better performance when detecting deepfakes created by new, unseen manipulation techniques.