All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
SQLBot is a Text-to-SQL system (software that converts natural language questions into database queries) that uses large language models and RAG (retrieval-augmented generation, where the AI pulls in external documents to answer questions). Before version 1.8.0, it had an IDOR vulnerability (insecure direct object reference, where an attacker can access resources belonging to other users by manipulating request parameters), allowing attackers to access and modify database schemas and data from other workspaces or organizations.
Fix: This vulnerability is fixed in version 1.8.0. Users should upgrade SQLBot to 1.8.0 or later.
NVD/CVE Database

Microsoft Edge is updating its Copilot AI chatbot to access information from all your open browser tabs, letting you ask questions about tab content, compare products, and summarize articles. Users can choose which features to enable or disable, and Microsoft is replacing the older Copilot Mode (which had agentic features like booking reservations) with this new tab-aware version.

In Strapi versions before 5.33.3, resetting a user's password did not automatically cancel existing refresh tokens (credentials that allow generating new access tokens without re-logging in), so an attacker with a stolen refresh token could continue accessing the account even after the legitimate user changed their password. This vulnerability affected the admin and users-permissions components and had a CVSS score (a 0-10 rating of how severe a vulnerability is) of 2.1, indicating low severity.
Fix: Immediately update Strapi to version 5.33.3 or later. The patch invalidates all refresh tokens associated with a user whenever their password is changed or reset, regardless of device identification.
GitHub Advisory Database

GitHub Copilot CLI (an AI tool that helps developers write code from the command line) has a security vulnerability in versions before 1.0.43 where a malicious bare git repository (a special type of git storage folder with no working files) hidden in a project can trick the tool into running harmful commands. An attacker can exploit git's automatic discovery of these repositories and use configuration keys like core.fsmonitor (settings that tell git what commands to run during normal operations) to execute arbitrary code without the user knowing.
Fix: Update GitHub Copilot CLI to version 1.0.43 or later, where this vulnerability is fixed.
NVD/CVE Database

In Vercel CLI versions 50.16.0 to 52.0.0, when running in non-interactive mode (a mode where the tool runs without user interaction, often used in CI/CD systems or with AI agents), authentication tokens (secret credentials that prove your identity) could be accidentally included in plain text within JSON suggestions that the tool outputs. This means the token could be exposed in logs or agent records where it shouldn't be visible.
Fix: This vulnerability is fixed in version 52.0.1.
NVD/CVE Database

Claude Desktop for Windows had a security flaw in versions before 1.3834.0 where the CoworkVMService component (a background service running with high system privileges) did not properly check if directories were real folders or directory junctions (shortcuts that point to other locations) before creating files in them. An attacker with basic user access could trick this service into creating files in any location on the computer, potentially allowing them to gain administrator-level control of the system.
Fix: Update Claude Desktop to version 1.3834.0 or later, which includes a fix for this vulnerability.
NVD/CVE Database

The Claude Desktop app's SSH remote development feature (versions 1.2581.0 to before 1.4304.0) had a security flaw where it only checked if a hostname was in the ~/.ssh/known_hosts file without verifying that the server's actual host key matched the stored one. This allowed a network attacker (someone who could intercept traffic through methods like ARP spoofing or rogue Wi-Fi) to perform a man-in-the-middle attack (secretly intercepting and potentially altering communications between two parties) on remote development sessions, as long as the hostname was already in the victim's known_hosts file.
Fix: Update Claude Desktop to version 1.4304.0 or later.
NVD/CVE Database

N/A -- This article is about Microsoft's legal positioning in the Musk v. Altman trial and does not discuss any AI/LLM technical issues, vulnerabilities, or security concerns.

LangSmith SDK (a tool for managing prompts in LangChain applications) had a vulnerability where pulling public prompts by owner/name would deserialize (convert from stored format into executable code) untrusted manifest files without warning users about the trust risk. An attacker could publish a malicious prompt that, when pulled and deserialized, would execute with attacker-controlled settings, potentially redirecting API requests to steal secrets or injecting malicious instructions into the AI's behavior.
Fix: Upgrade to LangSmith SDK Python >= 0.8.0 or JS/TS >= 0.6.0. The updated SDK now blocks pulling public prompts by `owner/name` by default and requires callers to explicitly pass `dangerously_pull_public_prompt=True` (Python) or `dangerouslyPullPublicPrompt: true` (JavaScript/TypeScript) to acknowledge the trust boundary risk. This flag should only be set after reviewing and trusting the actual prompt contents, not just the publishing account.
GitHub Advisory Database

A Chinese court ruled that a company wrongfully fired a worker who had been replaced by AI, awarding him over £28,000 in compensation. The case reflects China's attempt to balance rapid AI adoption with worker protections, especially as youth unemployment remains high. Legal experts suggest that while companies can adopt AI technology, they cannot simply fire employees without considering the workers' interests or providing alternatives like retraining.

This article covers testimony from OpenAI CEO Sam Altman in a lawsuit brought by Elon Musk over OpenAI's conversion from a nonprofit to a for-profit structure. Altman argued that Musk abandoned the company rather than Altman stealing it, testifying that negotiations between the co-founders in 2017-2018 over corporate structure collapsed and Musk left OpenAI's board in February 2018. The dispute centers on whether Altman and other executives broke promises to keep OpenAI as a nonprofit and use Musk's roughly $38 million donation only for charitable purposes.

Palo Alto Networks warns that hackers are increasingly using AI models to find and exploit software vulnerabilities (weaknesses in code that attackers can use), and companies have only 3-5 months to strengthen their defenses before AI-driven attacks become common. Security teams are under pressure as more sophisticated AI models make it easier for attackers to discover previously unknown vulnerabilities faster than companies can fix them.
Fix: Palo Alto Networks announced it will roll out 'virtual patching capabilities' (temporary security measures that block attacks without changing the underlying code) 'very soon.' Additionally, Anthropic limited early access to its Mythos model to a select group of companies, including Palo Alto Networks, CrowdStrike, Amazon, Apple, and JPMorgan, to test and fix vulnerabilities before hackers can exploit them. OpenAI also launched its GPT-5.5-Cyber model and Daybreak cyber initiative to address these threats.
CNBC Technology

AI chatbots like Google's Gemini and ChatGPT are accidentally revealing people's real phone numbers in their responses, sometimes giving out correct personal information and sometimes generating plausible-sounding but wrong numbers that still reach innocent people. Experts believe this happens because of personally identifiable information (PII, real details about people) in the training data (the information used to teach the AI), though the exact mechanism is unclear. The problem appears widespread and difficult to stop, with privacy removal companies reporting a 400% increase in requests about AI-related privacy concerns over the last seven months.

The 'Mythos Moment' refers to when the speed and volume of AI-assisted cyberattacks exceeded what human security teams could handle. Sweet Security launched Sweet Attack, an agentic AI system (an AI that can plan and execute tasks autonomously) that performs continuous red teaming (security testing where an AI simulates attacker behavior) by maintaining detailed, real-time knowledge of each client's actual infrastructure, rather than relying on theoretical models.
Fix: Sweet Security provides Sweet Attack, which "automatically provides and maintains the full context necessary for Sweet Attack to operate" by continuously indexing runtime data directly from customers' environments, including topology, exposed systems, deployed code, identity paths, and application behavior. The system reevaluates potential attack paths "as soon as any new component appears in the runtime environment," enabling security teams to prioritize which vulnerabilities to fix based on actual exploitability rather than theoretical risk.
SecurityWeek

Microsoft developed MDASH (multi-model agentic scanning harness), an AI system that uses over 100 specialized AI agents working together to find and validate security vulnerabilities in complex software like Windows. MDASH successfully discovered 16 vulnerabilities that were patched in May 2026, including two critical flaws that could allow remote code execution (running commands on a system without permission) in Windows networking components.

Anthropic's Mythos is an AI system that can autonomously find and exploit zero-day vulnerabilities (previously unknown security flaws) in major software, and both the US and China are racing to develop similar capabilities. While the US has maintained a lead in AI development, the performance gap is rapidly closing, and the real danger may be less about which superpower dominates and more about these capabilities leaking into criminal groups or ransomware operations that governments cannot control. The US and China are exploring diplomatic channels to establish guardrails around powerful AI systems.
Fix: Anthropic has launched Project Glasswing and committed $100 million in usage credits to help defenders secure critical infrastructure before similar capabilities become widely available. Additionally, both the US and China are weighing conversations focused on establishing guardrails covering AI models behaving unexpectedly, autonomous military systems, and nonstate actors using powerful open-source tools.
CSO Online

The General Data Protection Regulation (GDPR, a European law that controls how organizations collect and use personal data) was created to control large tech companies but also applies to smaller organizations like schools. A research study in Italian schools found tension between following strict top-down rules and making practical decisions based on actual risks to protect data.

Many students prefer free videos and AI tools over reading security books, even though expert-written books often provide clear and deep knowledge about security. The source encourages students to recognize that security books remain valuable learning resources despite newer alternatives.

Researchers created a hybrid system that combines SAST (static application security testing, which automatically scans code for vulnerabilities) with LLMs (large language models) to better filter and prioritize security alerts. The system reduced false positives (incorrect security warnings) by 91% in real deployments by using AI to intelligently triage findings and generate automated exploit examples.

Evasion attacks (methods where attackers trick AI systems into ignoring safety rules by manipulating input data) have been researched for more than ten years, but most real-world examples remain theoretical and academic. Because these demonstrations seem more like intellectual exercises than practical threats, people have largely dismissed evasion attacks as unimportant in actual security situations.