aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Maintained by Truong (Jack) Luu, Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates. 6191 items.
Helping ChatGPT better recognize context in sensitive conversations

Severity: info | Type: news | Category: safety | Date: May 13, 2026

OpenAI updated ChatGPT to better recognize warning signs of harm by analyzing context within and across conversations, particularly for suicide, self-harm, and harm-to-others scenarios. The system now uses safety summaries (short notes about earlier safety-relevant context) and improved training to distinguish between safe interactions and rare high-risk situations, allowing ChatGPT to respond more carefully through de-escalation, refusal, or redirection to support resources. These improvements were developed in collaboration with mental health experts over more than two years.

Fix: OpenAI implemented safety summaries, which are short, factual notes about earlier safety-relevant context created by a model trained for safety reasoning tasks. These summaries are narrowly scoped, kept only for a limited time, and used only when relevant to serious safety concerns. Additionally, ChatGPT was trained to use this context more carefully to recognize when added caution is needed and respond appropriately by de-escalating, refusing harmful details, or redirecting toward safer alternatives and crisis resources.

Source: OpenAI Blog

CVE-2026-20182: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

Severity: info | Type: vulnerability | Category: security | Date: May 13, 2026
CVE-2026-20182 (Actively Exploited)

A critical flaw in Cisco Catalyst SD-WAN Controller allows attackers who haven't logged in to bypass authentication (the process of verifying identity) and gain administrative privileges (full control) on affected systems. This vulnerability is currently being exploited in real attacks.

Fix: CISA (the US Cybersecurity and Infrastructure Security Agency) requires organizations to follow Emergency Directive 26-03 to assess exposure and mitigate risks, and to use CISA's Hunt & Hardening Guidance for Cisco SD-WAN Devices. Organizations must also follow BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available. The due date for compliance is 2026-05-17.

Source: CISA Known Exploited Vulnerabilities

Fired employee sought AI help to hide deletion of hosting firm's customer data

Severity: info | Type: news | Category: security | Date: May 13, 2026

Two brothers fired from a hosting company that served 45+ US government agencies used an AI chatbot to help them delete customer databases and cover their tracks, asking it questions like how to clear system logs from SQL servers. The incident highlights that organizations need stronger controls to prevent insider attacks (damage from current or former employees) and must implement better safeguards to prevent AI tools from being misused for destructive purposes.

Source: CSO Online

Microsoft feared being too dependent on OpenAI, Musk-Altman trial testimony reveals

Severity: info | Type: news | Category: industry | Date: May 13, 2026

Microsoft CEO Satya Nadella worried that OpenAI could become more dominant than Microsoft itself, similar to how Microsoft once overtook IBM in the 1980s. Court testimony revealed that Microsoft invested over $100 billion in OpenAI through investments, infrastructure, and hosting costs, and by the end of 2025, about 45% of Microsoft's cloud business obligations were tied to OpenAI, showing how dependent the company had become on its AI partner.

Source: CNBC Technology

CVE-2026-42463: SQLBot is an intelligent Text-to-SQL system based on large language models and RAG. Prior to 1.8.0, SQLBot contains a Cr

Severity: high | Type: vulnerability | Category: security | Date: May 13, 2026
CVE-2026-42463

SQLBot is a Text-to-SQL system (software that converts natural language questions into database queries) that uses large language models and RAG (retrieval-augmented generation, where the AI pulls in external documents to answer questions). Before version 1.8.0, it had an IDOR vulnerability (insecure direct object reference, where an attacker can access resources belonging to other users by manipulating request parameters), allowing attackers to access and modify database schemas and data from other workspaces or organizations.

Fix: This vulnerability is fixed in version 1.8.0. Users should upgrade SQLBot to 1.8.0 or later.

Source: NVD/CVE Database

Microsoft's Edge Copilot update uses AI to pull information from across your tabs

Severity: info | Type: news | Category: security | Date: May 13, 2026

Microsoft Edge is updating its Copilot AI chatbot to access information from all your open browser tabs, letting you ask questions about tab content, compare products, and summarize articles. Users can choose which features to enable or disable, and Microsoft is replacing the older Copilot Mode (which had agentic features like booking reservations) with this new tab-aware version.

Source: The Verge (AI)

AI-driven cyberattacks will start to be the 'new norm' in months, Palo Alto warns

Severity: info | Type: news | Category: security, industry | Date: May 13, 2026

Palo Alto Networks warns that hackers are increasingly using AI models to find and exploit software vulnerabilities (weaknesses in code that attackers can use), and companies have only 3-5 months to strengthen their defenses before AI-driven attacks become common. Security teams are under pressure as more sophisticated AI models make it easier for attackers to discover previously unknown vulnerabilities faster than companies can fix them.

Fix: Palo Alto Networks announced it will roll out 'virtual patching capabilities' (temporary security measures that block attacks without changing the underlying code) 'very soon.' Additionally, Anthropic limited early access to its Mythos model to a select group of companies, including Palo Alto Networks, CrowdStrike, Amazon, Apple, and JPMorgan, to test and fix vulnerabilities before hackers can exploit them. OpenAI also launched its GPT-5.5-Cyber model and Daybreak cyber initiative to address these threats.

Source: CNBC Technology

GHSA-hvp3-26wx-g2w4: Strapi: Password Reset Does Not Revoke Existing Refresh Sessions

Severity: low | Type: vulnerability | Category: security | Date: May 13, 2026
CVE-2026-22706

In Strapi versions before 5.33.3, resetting a user's password did not automatically cancel existing refresh tokens (credentials that allow generating new access tokens without re-logging in), so an attacker with a stolen refresh token could continue accessing the account even after the legitimate user changed their password. This vulnerability affected the admin and users-permissions components and had a CVSS score (a 0-10 rating of how severe a vulnerability is) of 2.1, indicating low severity.

Fix: Immediately update Strapi to version 5.33.3 or later. The patch invalidates all refresh tokens associated with a user whenever their password is changed or reset, regardless of device identification.

Source: GitHub Advisory Database

AI chatbots are giving out people's real phone numbers

Severity: medium | Type: news | Category: privacy, safety | Date: May 13, 2026

AI chatbots like Google's Gemini and ChatGPT are accidentally revealing people's real phone numbers in their responses, sometimes giving out correct personal information and sometimes generating plausible-sounding but wrong numbers that still reach innocent people. Experts believe this happens because of personally identifiable information (PII, real details about people) in the training data (the information used to teach the AI), though the exact mechanism is unclear. The problem appears widespread and difficult to stop, with privacy removal companies reporting a 400% increase in requests about AI-related privacy concerns over the last seven months.

Source: MIT Technology Review

CVE-2026-45033: GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulne

Severity: high | Type: vulnerability | Category: security | Date: May 13, 2026
CVE-2026-45033

GitHub Copilot CLI (an AI tool that helps developers write code from the command line) has a security vulnerability in versions before 1.0.43 where a malicious bare git repository (a special type of git storage folder with no working files) hidden in a project can trick the tool into running harmful commands. An attacker can exploit git's automatic discovery of these repositories and use configuration keys like core.fsmonitor (settings that tell git what commands to run during normal operations) to execute arbitrary code without the user knowing.

Fix: Update GitHub Copilot CLI to version 1.0.43 or later, where this vulnerability is fixed.

Source: NVD/CVE Database

CVE-2026-44479: Vercel's AI Cloud is a unified platform for building modern applications. From 50.16.0 to 52.0.0, when the Vercel CLI ru

Severity: medium | Type: vulnerability | Category: security | Date: May 13, 2026
CVE-2026-44479

In Vercel CLI versions 50.16.0 to 52.0.0, when running in non-interactive mode (a mode where the tool runs without user interaction, often used in CI/CD systems or with AI agents), authentication tokens (secret credentials that prove your identity) could be accidentally included in plain text within JSON suggestions that the tool outputs. This means the token could be exposed in logs or agent records where it shouldn't be visible.

Fix: This vulnerability is fixed in version 52.0.1.

Source: NVD/CVE Database

CVE-2026-44470: The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side

Severity: high | Type: vulnerability | Category: security | Date: May 13, 2026
CVE-2026-44470

Claude Desktop for Windows had a security flaw in versions before 1.3834.0 where the CoworkVMService component (a background service running with high system privileges) did not properly check if directories were real folders or directory junctions (shortcuts that point to other locations) before creating files in them. An attacker with basic user access could trick this service into creating files in any location on the computer, potentially allowing them to gain administrator-level control of the system.

Fix: Update Claude Desktop to version 1.3834.0 or later, which includes a fix for this vulnerability.

Source: NVD/CVE Database

CVE-2026-44467: The Claude Desktop app gives you Claude Code with a graphical interface built for running multiple sessions side by side

Severity: high | Type: vulnerability | Category: security | Date: May 13, 2026
CVE-2026-44467

The Claude Desktop app's SSH remote development feature (versions 1.2581.0 to before 1.4304.0) had a security flaw where it only checked if a hostname was in the ~/.ssh/known_hosts file without verifying that the server's actual host key matched the stored one. This allowed a network attacker (someone who could intercept traffic through methods like ARP spoofing or rogue Wi-Fi) to perform a man-in-the-middle attack (secretly intercepting and potentially altering communications between two parties) on remote development sessions, as long as the hostname was already in the victim's known_hosts file.

Fix: Update Claude Desktop to version 1.4304.0 or later.

Source: NVD/CVE Database

Microsoft doesn't want any of this

Severity: info | Type: news | Category: security | Date: May 13, 2026

N/A -- This article is about Microsoft's legal positioning in the Musk v. Altman trial and does not discuss any AI/LLM technical issues, vulnerabilities, or security concerns.

Source: The Verge (AI)

GHSA-3644-q5cj-c5c7: LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

Severity: high | Type: vulnerability | Category: security | Date: May 13, 2026
CVE-2026-45134

LangSmith SDK (a tool for managing prompts in LangChain applications) had a vulnerability where pulling public prompts by owner/name would deserialize (convert from stored format into executable code) untrusted manifest files without warning users about the trust risk. An attacker could publish a malicious prompt that, when pulled and deserialized, would execute with attacker-controlled settings, potentially redirecting API requests to steal secrets or injecting malicious instructions into the AI's behavior.

Fix: Upgrade to LangSmith SDK Python >= 0.8.0 or JS/TS >= 0.6.0. The updated SDK now blocks pulling public prompts by `owner/name` by default and requires callers to explicitly pass `dangerously_pull_public_prompt=True` (Python) or `dangerouslyPullPublicPrompt: true` (JavaScript/TypeScript) to acknowledge the trust boundary risk. This flag should only be set after reviewing and trusting the actual prompt contents, not just the publishing account.

Source: GitHub Advisory Database

Chinese court awards compensation to sacked worker replaced by AI

Severity: info | Type: news | Category: policy | Date: May 13, 2026

A Chinese court ruled that a company wrongfully fired a worker who had been replaced by AI, awarding him over £28,000 in compensation. The case reflects China's attempt to balance rapid AI adoption with worker protections, especially as youth unemployment remains high. Legal experts suggest that while companies can adopt AI technology, they cannot simply fire employees without considering the workers' interests or providing alternatives like retraining.

Source: The Guardian Technology

Sweet Security Launches Agentic AI Red Teaming to Counter 'Mythos Moment'

Severity: info | Type: news | Category: security, industry | Date: May 13, 2026

The 'Mythos Moment' refers to when the speed and volume of AI-assisted cyberattacks exceeded what human security teams could handle. Sweet Security launched Sweet Attack, an agentic AI system (an AI that can plan and execute tasks autonomously) that performs continuous red teaming (security testing where an AI simulates attacker behavior) by maintaining detailed, real-time knowledge of each client's actual infrastructure, rather than relying on theoretical models.

Fix: Sweet Security provides Sweet Attack, which "automatically provides and maintains the full context necessary for Sweet Attack to operate" by continuously indexing runtime data directly from customers' environments, including topology, exposed systems, deployed code, identity paths, and application behavior. The system reevaluates potential attack paths "as soon as any new component appears in the runtime environment," enabling security teams to prioritize which vulnerabilities to fix based on actual exploitability rather than theoretical risk.

Source: SecurityWeek

Altman details Musk's OpenAI fallout, says nonprofit was 'left for dead'

Severity: info | Type: news | Category: policy | Date: May 13, 2026

This article covers testimony from OpenAI CEO Sam Altman in a lawsuit brought by Elon Musk over OpenAI's conversion from a nonprofit to a for-profit structure. Altman argued that Musk abandoned the company rather than Altman stealing it, testifying that negotiations between the co-founders in 2017-2018 over corporate structure collapsed and Musk left OpenAI's board in February 2018. The dispute centers on whether Altman and other executives broke promises to keep OpenAI as a nonprofit and use Musk's roughly $38 million donation only for charitable purposes.

Source: CNBC Technology

Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday

Severity: info | Type: news | Category: security, industry | Date: May 13, 2026

Microsoft developed MDASH (multi-model agentic scanning harness), an AI system that uses over 100 specialized AI agents working together to find and validate security vulnerabilities in complex software like Windows. MDASH successfully discovered 16 vulnerabilities that were patched in May 2026, including two critical flaws that could allow remote code execution (running commands on a system without permission) in Windows networking components.

Source: The Hacker News

What happens when China's AI catches up to Mythos?

Severity: info | Type: news | Category: security, policy | Date: May 13, 2026

Anthropic's Mythos is an AI system that can autonomously find and exploit zero-day vulnerabilities (previously unknown security flaws) in major software, and both the US and China are racing to develop similar capabilities. While the US has maintained a lead in AI development, the performance gap is rapidly closing, and the real danger may be less about which superpower dominates and more about these capabilities leaking into criminal groups or ransomware operations that governments cannot control. The US and China are exploring diplomatic channels to establish guardrails around powerful AI systems.

Fix: Anthropic has launched Project Glasswing and committed $100 million in usage credits to help defenders secure critical infrastructure before similar capabilities become widely available. Additionally, both the US and China are weighing conversations focused on establishing guardrails covering AI models behaving unexpectedly, autonomous military systems, and nonstate actors using powerful open-source tools.

Source: CSO Online