All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Stuart Russell, a leading AI safety researcher, warns that unrestricted development of unsafe AI systems poses serious risks to society. He highlights concerns about recursive self-improvement (RSI, where an AI system teaches itself to become smarter, creating a cycle of increasing capability), which Anthropic recently reported observing in early development stages.
A 2026 analysis of 22,000 data breaches found that organizations cannot patch vulnerabilities fast enough to prevent attacks, with critical flaws taking a median of 43 days to fix and even top performers only remediating 30-40% of known exploited vulnerabilities (documented security gaps that attackers actively abuse) within a week. Ransomware now appears in 48% of breaches, with most victims choosing not to pay, but attackers are deliberately causing severe operational disruption to force faster decisions and maximize damage. Third-party breaches (incidents involving vendors or suppliers) have jumped 60% and now account for 48% of all breaches, requiring organizations to practice incident response scenarios they typically ignore.
China is promoting a different approach to AI safety and governance than the U.S., announcing plans for a global AI cooperation organization and emphasizing free or cheap AI models accessible to developing countries. Meanwhile, the U.S. and its Group of Seven allies are pursuing a more restrictive strategy, planning to limit access to advanced AI models to only "trusted partners" and keeping them subscription-only. The two countries previously agreed to work on AI guardrails (safety rules and limits), but details remain unclear.
Pi Agent, a coding assistant tool, had a security weakness in how it exports chat sessions to HTML files. Attackers could hide malicious links in Markdown (a text formatting system) by inserting control characters into a link's URL: the exporter did not recognise the URL as dangerous, but browsers ignore those characters when parsing it, so clicking the link in the exported HTML triggered XSS (cross-site scripting, where malicious code runs in a webpage). The attack requires multiple steps: an attacker must inject harmful content into a session, the user must export it as HTML, and the user must click the malicious link.
Nuxt's `<NoScript>` component (a way to display content when JavaScript is disabled) had a security flaw where it wrote user-provided data directly into HTML without escaping, allowing attackers to inject malicious scripts. This vulnerability affected all supported versions of Nuxt that include this component.
LiteLLM proxy had an authentication bypass vulnerability where a crafted Host header (the part of a web request that specifies which server is being contacted) could trick the auth layer into checking the wrong route, potentially allowing unauthorized access to protected management features. Most deployments are protected because upstream security layers like CDNs or reverse proxies validate the Host header, and LiteLLM Cloud customers are not affected.
An authenticated user in n8n (a workflow automation platform) could trick the SecurityScorecard node (a component that connects to SecurityScorecard's API) into sending an API token (a credential for accessing the service) to an attacker's server by configuring it to download reports from a malicious URL, bypassing security restrictions meant to limit where credentials can be sent. This allows the attacker to steal the API token and use it themselves.
When n8n's MCP Browser tool runs in HTTP transport mode (a way of sending data over the network), it accepts requests without authentication (verification of identity). Any client that can reach the listening port, including a malicious web page the user happens to open, which can send requests to the local port from the browser, can drive the controlled browser: navigating to sites, running code, and reading cookies and stored data. This vulnerability only affects the HTTP transport mode; the default stdio transport (direct process-to-process communication) is not affected.
n8n (a workflow automation tool) has a security flaw in its Enterprise Edition where three endpoints for the Dynamic Credentials feature (a system that manages authentication tokens across workflows) fail to check if users should have access to specific workflows or credentials. An authenticated attacker could steal another user's credential tokens, take over their integrations, or disable their credentials entirely, affecting any workflows that rely on those credentials.
A vulnerability in n8n (a workflow automation tool) allowed member-level users with editor access to shared workflows to access credentials (stored login information) they shouldn't have permission to use, because permission checks weren't fully enforced on certain API endpoints. This only affected instances where workflow sharing was enabled and workflows had been shared with member-level editors.
A vulnerability in n8n's Compression node allows unauthenticated attackers to crash the entire application by sending specially crafted compressed files to public webhooks. The node decompresses archives without limiting memory usage, causing the process to run out of memory and stop working for all users on that server.
n8n, a workflow automation tool, had a security flaw where the Public API (a way for external programs to interact with n8n) incorrectly allowed users with read-only permissions to retry workflow executions. This bypassed the intended access control that separates read access (viewing only) from execute access (running workflows), affecting shared workflows across users or projects.
An authenticated user in n8n (a workflow automation platform) could bypass the AST validator (a security check that analyzes code structure) in the Python Code node and access restricted modules, potentially exposing environment variables (configuration data stored by the system) on self-hosted instances. This vulnerability only affects instances with the Python Task Runner enabled.
n8n (a workflow automation tool) has a stored XSS vulnerability (cross-site scripting, where malicious code is saved and runs when users visit a page) in its Chat Trigger feature. An authenticated user with edit access could inject harmful JavaScript code that executes with the privileges of anyone who visits the chat URL, potentially compromising their session.
n8n, a workflow automation tool, has a reflected XSS vulnerability (a type of attack where malicious code is injected into a webpage and executed in a user's browser) in its Facebook, WhatsApp, and Microsoft Teams trigger endpoints. When a logged-in user visits a specially crafted URL, an unsanitized query parameter is reflected back in the response, allowing an attacker to run arbitrary JavaScript in the user's browser within n8n's origin.
OpenAI's GPT-5.4 AI system, connected to Maria (an autonomous chemistry lab), successfully improved a difficult chemical reaction called Chan-Lam coupling used in drug discovery. The AI independently designed and ran experiments, analyzed results, and proposed improvements that increased reaction yields from 16.6% to 25.2%, a finding that human chemists confirmed in the lab.
Cybersecurity researchers discovered 15 malicious plugins on the JetBrains Marketplace (a platform where developers download tools for their coding environment) that pretend to be AI coding assistants but secretly steal API keys (authentication credentials that allow access to paid AI services like OpenAI and DeepSeek). The stolen keys are sent to an attacker's server, and some keys are resold to other criminals in what appears to be an illegal monetization scheme. Additionally, two malicious Chrome extensions disguised as ad blockers are capturing users' conversations with various AI chatbots.
Organizations are finding that traditional risk management frameworks don't work well for AI systems because AI has unique failure modes and ethical complexities. A new generation of AI-specific frameworks, like ISO/IEC 42001 and NIST AI Risk Management Framework, has emerged to help organizations identify where AI can fail, implement safeguards, and demonstrate responsible AI use to regulators and customers. These frameworks are complementary tools that focus on different areas, such as governance, security controls, and regulatory compliance, so organizations should choose based on their specific gaps.
Fix: The source recommends that organizations conduct tabletop exercises (simulated incident response drills) that reflect real ransomware and third-party breach scenarios. Specifically, it states: 'Organizations that rehearse only the payment question are practicing the opening scene and skipping the rest of the play' and should instead practice 'sustaining operations without primary systems, coordinating with legal counsel and law enforcement, managing customer and investor communications under regulatory deadlines, deciding what to disclose and when.' For third-party breaches, the source advises: 'Tabletop exercises should simulate that friction. Participants should practice asking precise questions: What data of ours did you hold? What is the confirmed scope? What logs exist? How are you notifying other affected customers?' It also emphasizes practicing communication discipline with customers by 'communicating what you know and what y[ou do not know]' to build trust while avoiding premature attribution.
CSO Online
AI company leaders from OpenAI, Anthropic, Google, and other major firms are attending the G7 summit in France to discuss frontier AI risks (advanced capabilities that pose potential dangers), infrastructure, and child safety. The meeting signals the growing geopolitical power of AI companies, as world governments now need their cooperation to make credible commitments on AI policy, especially after the U.S. imposed export controls on some AI models for national security reasons.
Microsoft claims that Defender for Office 365 catches most malicious emails before delivery and that adding extra email security tools provides minimal additional benefit (less than 0.05% improvement). However, security experts warn that these statistics can be misleading because even a single missed dangerous email can cause a serious incident, and Microsoft's metrics don't reveal how severe the threats that slip through actually are.
Fix: Upgrade @earendil-works/pi-coding-agent to version 0.78.1 or later. Version 0.78.1 fixes the issue by sanitizing (cleaning) Markdown links and image URLs using an allow-list (a list of approved safe formats) after removing C0 control characters. Users of the old @mariozechner/pi-coding-agent package should migrate to the new @earendil-works/pi-coding-agent package and upgrade to version 0.78.1 or later. Regenerate any shared HTML exports after upgrading if the original sessions contained untrusted content.
GitHub Advisory Database
Fix: Fixed in `nuxt@4.4.7` and backported to `nuxt@3.21.7`. The fix escapes `<NoScript>` slot content using `escapeHtml` from `@vue/shared` and writes it to `textContent` rather than `innerHTML`. Until you can upgrade, avoid putting untrusted user input inside `<NoScript>` slots, or use `useHead({ noscript: [{ textContent: escapedValue }] })` after HTML-escaping the value yourself.
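The Pi Agent and Nuxt fixes above come down to the same two steps: canonicalise a link target before deciding whether its scheme is safe, and HTML-escape every value that lands in markup. The following is an added example, not code from either project, showing a naive Markdown link renderer beside a hardened one. The function names (`sanitizeUrl`, `escapeHtml`, `renderLink`, `naiveRenderLink`), the scheme allow-list and the sample input are assumptions of this example.

```javascript
// Added example, not Pi Agent's or Nuxt's code. Shows why a link sanitiser
// must strip C0 control characters before inspecting the scheme, and why
// link text must be HTML-escaped rather than concatenated into markup.

const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']); // allow-list, never a deny-list

// Remove C0 controls (U+0000..U+001F) and DEL. Browsers drop tab/newline
// inside a URL and ignore leading/trailing controls, so "java\tscript:" is
// "javascript:" to the browser even though a string prefix check misses it.
function stripControlChars(s) {
  return s.replace(/[\u0000-\u001F\u007F]/g, '');
}

// Returns a normalised absolute URL with an allowed scheme, or null.
function sanitizeUrl(raw) {
  const cleaned = stripControlChars(String(raw)).trim();
  if (cleaned === '') return null;
  let parsed;
  try {
    parsed = new URL(cleaned);      // WHATWG parser: lowercases scheme and host
  } catch {
    return null;                    // relative or malformed: reject in an export
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: deny-list check on the raw string, text pasted unescaped.
function naiveRenderLink(text, rawUrl) {
  if (rawUrl.toLowerCase().startsWith('javascript:')) return text;
  return `<a href="${rawUrl}">${text}</a>`;
}

// Hardened pattern: allow-listed scheme after control-character stripping,
// and every dynamic value escaped for its HTML context.
function renderLink(text, rawUrl) {
  const label = escapeHtml(text);
  const url = sanitizeUrl(rawUrl);
  if (url === null) return label;   // keep the text, drop the dangerous target
  return `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${label}</a>`;
}

// Constructed sample resembling content an attacker could inject into a session.
const SAMPLE_TEXT = '<img src=x onerror=alert(1)>';
const SAMPLE_URL = 'java\tscript:alert(document.cookie)';

console.log('naive:    ', naiveRenderLink(SAMPLE_TEXT, SAMPLE_URL));
console.log('hardened: ', renderLink(SAMPLE_TEXT, SAMPLE_URL));
console.log('benign:   ', renderLink('Docs', 'https://Example.com/?a=1&b=2'));
```

The naive renderer passes the tab-separated scheme straight into `href`, where the browser's URL parser removes the tab and executes it on click; the hardened one strips controls first, lets the URL parser canonicalise the result, and only then consults the allow-list. Escaping the URL again when it is placed in the attribute is what stops a `"` or `&` inside a legitimate query string from breaking out of the attribute.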
GitHub Advisory Database
Fix: Fixed in version 1.84.0. Upgrade to 1.84.0 or later with no configuration change required. If upgrading is not immediately possible, place the proxy behind an upstream component that validates or normalizes the Host header before forwarding, such as a CDN/WAF (web application firewall), a reverse proxy with explicit server_name allowlists, or a cloud load balancer with host-based routing rules, or restrict network access to the proxy listener.
GitHub Advisory Database
Fix: The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily: limit workflow creation and editing permissions to fully trusted users only, or disable the SecurityScorecard node by adding `n8n-nodes-base.securityScorecard` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory Database
Fix: The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later. As temporary workarounds while waiting to upgrade: avoid running MCP Browser with HTTP transport and use the default stdio transport instead, or if HTTP transport is necessary, restrict network access to the listening port to trusted clients only using host-based firewall rules. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory Database
Fix: The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily restrict n8n instance access to fully trusted users only, or disable the Dynamic Credentials feature by unsetting `N8N_ENV_FEAT_DYNAMIC_CREDENTIALS`. The source notes these workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
GitHub Advisory Database
Fix: The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators can temporarily restrict workflow sharing to fully trusted users only and audit shared workflows for unexpected credential references or recent modifications, though these workarounds do not fully remediate the risk.
GitHub Advisory Database
Fix: The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later. The fix introduces configurable limits on decompressed output size (`N8N_COMPRESSION_NODE_MAX_DECOMPRESSED_SIZE_BYTES`) and ZIP entry count (`N8N_COMPRESSION_NODE_MAX_ZIP_ENTRIES`). If upgrading is not immediately possible, administrators can temporarily disable the Compression node by adding `n8n-nodes-base.compression` to the `NODES_EXCLUDE` environment variable, or restrict public webhook workflows that accept archive file uploads to authenticated endpoints only.
GitHub Advisory Database
Fix: The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can temporarily restrict workflow sharing to fully trusted users only or restrict network access to the n8n Public API to trusted users only, though these workarounds do not fully remediate the risk.
GitHub Advisory Database
Fix: The issue has been fixed in n8n versions 2.25.7 and 2.26.2. Users should upgrade to one of these versions or later to remediate the vulnerability. As temporary workarounds, administrators can limit workflow creation and editing permissions to trusted users only, or disable the Python Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable, or disable the Python Task Runner entirely. The source notes these workarounds do not fully remediate the risk and should only be short-term measures.
GitHub Advisory Database
Fix: The issue has been fixed in n8n versions 1.123.55, 2.25.7, and 2.26.2. Users should upgrade to one of these versions or later. If upgrading is not immediately possible, administrators can: limit workflow creation and editing permissions to fully trusted users only, or disable the Chat Trigger node by adding `@n8n/n8n-nodes-langchain.chatTrigger` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory Database
Fix: The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later. If upgrading is not immediately possible, administrators can temporarily: (1) limit workflow creation and activation permissions to fully trusted users only, or (2) disable the affected nodes by adding `n8n-nodes-base.facebookTrigger`, `n8n-nodes-base.whatsAppTrigger`, `n8n-nodes-base.facebookLeadAdsTrigger`, and `n8n-nodes-base.microsoftTeamsTrigger` to the `NODES_EXCLUDE` environment variable. The source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.
GitHub Advisory Database