All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Claude Opus 4.6, a new AI model, is significantly better at finding zero-day vulnerabilities (security flaws unknown to vendors and the public) than previous models, discovering high-severity bugs in well-tested code that fuzzing tools (programs that test software by sending random inputs) had missed for years. Unlike traditional fuzzing, Opus 4.6 analyzes code like a human researcher would, studying past fixes and code patterns to reason about what inputs would cause failures.
GitLab AI Gateway had a vulnerability in its Duo Workflow Service component where user-supplied data wasn't properly validated before being processed (insecure template expansion), allowing attackers to craft malicious workflow definitions that could crash the service or execute code on the Gateway. This flaw affected multiple versions of the AI Gateway.
Anthropic released a faster version of Claude Opus 4.6 that operates 2.5 times faster, accessible through a /fast command in Claude Code, but costs 6 times more than the standard version ($30/million input tokens and $150/million output tokens versus the normal $5/million and $25/million). The company is offering a 50% discount until February 16th, reducing the cost multiplier to 3x during that period, and users can also extend the context window (the amount of text the AI can process at once) to 1 million tokens for additional charges.
WeKan versions before 8.19 have a bug in the attachment upload API where it doesn't properly check that the identifiers (like boardId, cardId, and listId) match up correctly, allowing attackers to upload attachments that don't belong together. This is an authorization weakness (CWE-863, a flaw in access control), rated as HIGH severity, that requires the attacker to already have login credentials to exploit.
Moltbook, a social network platform for AI agents to interact with each other, had a serious security flaw where a private key (a secret code used to authenticate users) was exposed in its JavaScript code. This exposed thousands of users' email addresses, millions of API credentials (login tokens), and private communications between AI agents, allowing attackers to impersonate any user. The vulnerability is particularly notable because Moltbook's code was entirely written by AI rather than human programmers.
Qdrant (a vector similarity search engine and vector database) has a vulnerability in versions 1.9.3 through 1.15.x where an attacker with read-only access can use the /logger endpoint to append data to arbitrary files on the system by controlling the on_disk.log_file path parameter. This vulnerability allows unauthorized file manipulation with minimal privileges required.
Microsoft's Semantic Kernel SDK (a tool for building AI agents that work together) had a vulnerability before version 1.70.0 that allowed attackers to write arbitrary files (files placed anywhere on a system) through the SessionsPythonPlugin component. The vulnerability has been fixed in version 1.70.0.
Enclave is a secure JavaScript sandbox used to safely run code written by AI agents. Before version 2.10.1, attackers could bypass its security protections in three ways: using dynamic property accesses to skip code validation, exploiting how error objects work in Node.js's vm module (a built-in tool for running untrusted code safely), and accessing functions through host object references to escape sandbox restrictions.
Pydantic AI, a Python framework for building AI applications, has a Server-Side Request Forgery vulnerability (SSRF, where an attacker tricks a server into making requests to unintended internal resources) in versions 0.0.26 through 1.55.x. If an application accepts message history from untrusted users, attackers can inject malicious URLs that make the server request internal services or steal cloud credentials. This only affects apps that take external user input for message history.
Pydantic AI versions 1.34.0 to before 1.51.0 contain a path traversal vulnerability (a flaw where attackers can access files outside intended directories) in the web UI that lets attackers inject malicious JavaScript code by crafting a specially crafted URL. When victims visit this URL or load it in an iframe (an embedded webpage), the attacker's code runs in their browser and can steal chat history and other data, but only affects applications using the Agent.to_web feature or the CLI web serving option.
Claude Code, a tool that uses AI to help write software, had a security flaw in versions before 2.1.2 where its bubblewrap sandboxing mechanism (a security container that isolates code) failed to protect a settings file called .claude/settings.json if it didn't already exist. This allowed malicious code running inside the sandbox to create this file and add persistent hooks (startup commands that execute automatically), which would then run with elevated host privileges when Claude Code restarted.
Claude Code (an AI tool that can write and modify software) before version 2.1.7 had a security flaw where it could bypass file access restrictions through symbolic links (shortcuts that point to other files). If a user blocked Claude Code from reading a sensitive file like /etc/passwd, the tool could still read it by accessing a symbolic link pointing to that file, bypassing the security controls.
Claude Code (an AI tool that can write and run code automatically) had a security flaw before version 2.0.55 where it didn't properly check certain commands, allowing attackers to write files to protected folders they shouldn't be able to access, as long as they could get Claude Code to run commands with the "accept edits" feature turned on.
Claude Code, an agentic coding tool (AI software that can write and execute code), had a security flaw in versions before 2.0.57 where it failed to properly check directory changes. An attacker could use the cd command (change directory, which moves to a different folder) to navigate into protected folders like .claude and bypass write protections, allowing them to create or modify files without the user's approval, especially if they could inject malicious instructions into the tool's context window (the information the AI reads before responding).
N/A -- The provided content appears to be navigation menu text and marketing copy from a GitHub webpage, not technical documentation describing a security issue, bug, or vulnerability related to langchain-anthropic version 1.3.2.
LangChain version 1.2.9 includes several bug fixes and feature updates, such as normalizing raw schemas in middleware response formatting, supporting state updates through wrap_model_call (a function that wraps model calls to add extra behavior), and improving token counting (the process of measuring how many units of text an AI needs to process). The release also fixes issues like preventing UnboundLocalError (a programming error where code tries to use a variable that hasn't been defined yet) when no AIMessage exists.
Fix: Update GitLab AI Gateway to version 18.6.2, 18.7.1, or 18.8.1, depending on which version you are running, as the vulnerability has been fixed in these versions.
NVD/CVE DatabaseOpenClaw has partnered with VirusTotal (a malware analysis service owned by Google) to scan skills uploaded to ClawHub, its marketplace for AI agent extensions. The system creates a unique SHA-256 hash (a digital fingerprint) for each skill and checks it against VirusTotal's database, automatically approving benign skills, flagging suspicious ones, and blocking malicious ones, with daily rescans of active skills. However, OpenClaw acknowledged that this scanning is not foolproof and some malicious skills using concealed prompt injection (tricking the AI by hiding malicious instructions in user input) may still get through.
Fix: OpenClaw announced it will publish a comprehensive threat model, public security roadmap, formal security reporting process, and details about a security audit of its entire codebase. Additionally, the platform added a reporting option that allows signed-in users to flag suspicious skills.
The Hacker NewsFix: Update to WeKan version 8.19 or later. A patch is available at https://github.com/wekan/wekan/commit/1d16955b6d4f0a0282e89c2c1b0415c7597019b8.
NVD/CVE DatabaseFix: Moltbook has fixed the security flaw that was discovered by the security firm Wiz.
Wired (Security)Fix: Update to Qdrant version 1.16.0 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update to Microsoft.SemanticKernel.Core version 1.70.0. Alternatively, users can create a Function Invocation Filter (a check that runs before function calls) which inspects the arguments passed to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed (checked against an approved list of file paths).
NVD/CVE DatabaseFix: This vulnerability is fixed in version 2.10.1.
NVD/CVE DatabaseFix: Update Pydantic AI to version 1.56.0 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 1.51.0. Update Pydantic AI to 1.51.0 or later.
NVD/CVE DatabaseFix: This issue has been patched in version 2.1.2.
NVD/CVE DatabaseFix: Update Claude Code to version 2.1.7 or later. According to the source: 'This issue has been patched in version 2.1.7.'
NVD/CVE DatabaseFix: This issue has been patched in version 2.0.55.
NVD/CVE DatabaseFix: This issue has been patched in version 2.0.57.
NVD/CVE DatabaseSecurity researchers discovered multiple vulnerabilities in OpenClaw, an AI assistant, including malicious skills (add-on programs that extend the assistant's abilities) and problematic configuration settings that make it unsafe to use. The issues affect both the installation and removal processes of the software.
Differentially private databases (DP-DBs, systems that add mathematical noise to data to protect individual privacy while allowing useful analysis) need auditing services to verify they actually protect privacy as promised, but current approaches don't handle database-specific challenges like varying query sensitivities well. This paper introduces DPAudit, a framework that audits DP-DBs by generating realistic test scenarios, estimating privacy loss parameters, and detecting improper noise injection through statistical testing, even when the database's inner workings are hidden.
Fix: The source presents DPAudit as a framework solution but does not describe a patch, update, or deployment fix for existing vulnerable systems. N/A -- no mitigation discussed in source.
IEEE Xplore (Security & AI Journals)PROTheft is a model extraction attack (a method where attackers steal an AI model's functionality by observing its responses to many input queries) that works on real-world vision systems like autonomous vehicles by projecting digital attack samples onto a device's camera. The attack bridges the gap between digital attacks and physical-world scenarios by using a projector to convert digital inputs into physical images, and includes a simulation tool to predict how well attack samples will work when converted from digital to physical to digital formats.