All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
CVE-2026-41614 is an improper access control vulnerability (CWE-284: the software fails to properly restrict who may perform which actions) in Microsoft 365 Copilot for Desktop. An unauthenticated attacker with local access could use it to perform spoofing, making content or actions appear to come from a source they did not. The entry carries a CVSS 4.0 rating; NIST has not yet published its own assessment.
CVE-2026-41109 is a security feature bypass in GitHub Copilot and Visual Studio. The product fails to neutralize special elements in output that is consumed by a downstream component (CWE-74, injection: untrusted data ends up interpreted as code or commands by the component that receives it). It is exploitable over a network by an unauthenticated attacker.
CVE-2026-41100 is an improper access control vulnerability in Microsoft 365 Copilot that lets an authenticated attacker with local access perform spoofing (impersonating another user or component). The entry carries a CVSS 4.0 rating.
CVE-2026-33833 is an injection vulnerability (CWE-74) in Azure Machine Learning: special elements in output are not neutralized before a downstream component consumes them, which lets a remote attacker perform spoofing. The entry carries a CVSS 4.0 rating.
The mamba sequence-model library (versions up to 2.2.6) loads pretrained checkpoints from the HuggingFace Hub (a platform for sharing AI models) with torch.load() and without weights_only=True. torch.load() is a pickle deserializer, so a checkpoint can carry arbitrary Python objects whose reconstruction executes attacker code (CWE-502, deserialization of untrusted data). An attacker who uploads a tampered model to the Hub gets code execution on any machine that downloads and loads it.
Ludwig (a declarative machine learning framework) up to version 0.10.4 deserializes model files unsafely when `ludwig serve` hosts a model. An attacker who can supply the model file being served gets arbitrary code execution on the serving host and can potentially take it over.
CosyVoice has an insecure deserialization vulnerability (CWE-502, untrusted data reconstructed into live objects) in its model loading. When a user loads .pt files (the PyTorch checkpoint format) from a directory they specify, the code calls torch.load() without weights_only=True, so a crafted checkpoint with malicious instructions embedded in it executes arbitrary code at load time.
The Adversarial Robustness Toolbox (ART) up to version 1.20.1 uses eval() (which runs a string as Python code) in its Kubeflow component to parse command-line arguments such as --clip_values and --input_shape. Anyone who controls those arguments can inject Python expressions that execute with the privileges of the ART process, potentially gaining full control of the host.
The same ART releases (1.20.1 and earlier) also load model weights in the Kubeflow component (a system for running machine learning pipelines) with torch.load() without weights_only=True. Because torch.load() falls back to Python's pickle, the file can contain arbitrary objects whose reconstruction runs attacker code; an attacker who can upload a crafted model file or control the model-location parameter gets code execution.
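An added example of the eval()-on-argv pattern described above and its fix. This is illustrative code, not ART's own: the argument names --clip_values and --input_shape are taken from the advisory, but the parser, the SIDE_EFFECTS marker and the INJECTED_CLIP payload are constructed here. The payload evaluates to a plausible (0.0, 1.0) so nothing looks wrong to the caller, which is what makes the injection dangerous; ast.literal_eval accepts only literal syntax and rejects it.

```python
import argparse
import ast

# Observable marker so the demo payload leaves a trace; a real payload would not need one.
SIDE_EFFECTS: list = []

# Constructed attacker-controlled argv value: runs code, then yields an innocent-looking tuple.
INJECTED_CLIP = "SIDE_EFFECTS.append('attacker code ran') or (0.0, 1.0)"


def parse_unsafe(clip_values: str, input_shape: str):
    """The pattern the advisory describes: eval() directly on raw argv strings."""
    return eval(clip_values), eval(input_shape)


def parse_safe(clip_values: str, input_shape: str):
    """Hardened form: literal_eval accepts only literals; then validate shape and types."""
    clip = ast.literal_eval(clip_values)
    shape = ast.literal_eval(input_shape)
    if not (isinstance(clip, tuple) and len(clip) == 2
            and all(isinstance(v, (int, float)) for v in clip)
            and clip[0] < clip[1]):
        raise ValueError(f"clip_values must be (min, max) numbers, got {clip!r}")
    if not (isinstance(shape, tuple) and shape
            and all(isinstance(v, int) and v > 0 for v in shape)):
        raise ValueError(f"input_shape must be a tuple of positive ints, got {shape!r}")
    return clip, shape


def safe_rejects(clip_values: str, input_shape: str) -> bool:
    """True if parse_safe refuses the input instead of evaluating it."""
    try:
        parse_safe(clip_values, input_shape)
    except (ValueError, SyntaxError):   # literal_eval raises ValueError on non-literal nodes
        return True
    return False


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(description="hypothetical Kubeflow step arguments")
    p.add_argument("--clip_values", required=True)
    p.add_argument("--input_shape", required=True)
    return p


def main(argv):
    args = build_parser().parse_args(argv)
    return parse_safe(args.clip_values, args.input_shape)


if __name__ == "__main__":
    print(parse_unsafe(INJECTED_CLIP, "(1, 28, 28)"), SIDE_EFFECTS)  # looks normal, but code ran
    print(safe_rejects(INJECTED_CLIP, "(1, 28, 28)"))                 # True
    print(main(["--clip_values", "(0.0, 1.0)", "--input_shape", "(1, 28, 28)"]))
```

literal_eval alone is not the whole fix: it still accepts any literal (a 10 MB nested list, a string where a tuple was expected), so the type and range checks after it are what turn "parsed" into "valid".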
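The mamba, CosyVoice and ART items above all reduce to the same bug: torch.load() without weights_only=True is a full pickle.loads(). The following added example (not code from any of those projects, and using plain pickle rather than torch so it runs without a GPU stack) shows why that matters. The MaliciousCheckpoint class, the allowlist in RestrictedUnpickler and the file contents are constructed for the demo; the payload is eval() of a harmless expression (the current PID) so that the code execution is visible in the return value, where a real payload would call os.system() or fetch a second stage.

```python
import io
import os
import pickle


class MaliciousCheckpoint:
    """Constructed stand-in for a tampered .pt file.

    pickle calls the callable returned by __reduce__ while loading, before the
    caller ever sees the object. Here the callable is eval() on a harmless
    expression so the effect is observable without touching the system.
    """

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_malicious_checkpoint() -> bytes:
    return pickle.dumps(MaliciousCheckpoint())


def build_benign_checkpoint() -> bytes:
    # Plain containers and numbers: the shape of a state_dict without tensors.
    return pickle.dumps({"layer.weight": [0.1, -0.2, 0.3], "epoch": 3})


def unsafe_load(blob: bytes):
    """What torch.load(path) does without weights_only: an unrestricted unpickle."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist unpickler: the same idea torch implements for weights_only=True."""

    # Only these (module, name) globals may be resolved from the stream.
    ALLOWED = {
        ("collections", "OrderedDict"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def load_is_blocked(blob: bytes) -> bool:
    """True if the allowlist loader refuses the blob rather than executing it."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def payload_ran_in_this_process(result) -> bool:
    """The malicious blob 'loads' to our own PID: the attacker's expression ran here."""
    return result == os.getpid()


if __name__ == "__main__":
    mal = build_malicious_checkpoint()
    print("unsafe_load returned our PID:", payload_ran_in_this_process(unsafe_load(mal)))
    print("restricted loader blocks it:", load_is_blocked(mal))
    print("benign checkpoint still loads:", safe_load(build_benign_checkpoint()))
```

The practical rule this encodes: never pass weights_only=False (or omit it on older torch versions) for a file you did not produce yourself, and prefer formats such as safetensors that have no code path at all. Where pickle is unavoidable, an allowlist of exactly the globals your checkpoints need, as in find_class above, is the minimum.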
This article describes a legal dispute where OpenAI CEO Sam Altman testified that Elon Musk tried to gain control of OpenAI, the company behind ChatGPT, including suggesting the company could pass to his children when he dies. Altman and other co-founders rejected Musk's control demands because they believed that no single person should control AGI (artificial general intelligence, an AI system that could outperform humans at most tasks). Musk eventually left OpenAI in 2018 and declined to invest when the company restructured into a for-profit entity.
LLM version 0.32a2, an alpha release of the command-line tool for working with language models, adds support for OpenAI's newer /v1/responses endpoint, through which reasoning-capable models can return their reasoning across multiple steps. Summarized reasoning tokens are now displayed in a different color, or can be hidden with the -R or --hide-reasoning flags.
OpenAI CEO Sam Altman testified that Elon Musk's management style, which involved ranking researchers and cutting staff aggressively, caused significant damage to the company's culture and morale. Altman stated that Musk's approach was incompatible with running a successful research lab, highlighting a clash between different management philosophies at the AI startup.
Exaforce, a company building an agentic SOC (security operations center, where AI agents automate security tasks) platform, raised $125 million in funding to expand its technology. The platform uses autonomous AI agents called Exabots and a real-time knowledge graph (a connected database of security events and relationships) to automatically detect, investigate, and respond to security threats in cloud and SaaS environments without needing traditional SIEM (security information and event management, a tool that collects and analyzes security data) rules.
JunoClaw, an agentic AI platform built on Juno Network, had a server-side request forgery (SSRF) flaw in its WAVS bridge: the computeDataVerify function fetched URLs supplied by AI agents without validating the destination, so a manipulated URL could make the service issue requests to internal or otherwise unintended hosts and expose resources the agent should not be able to reach.
CVE-2026-43992 is a vulnerability in JunoClaw, an agentic AI platform (a system where AI agents make decisions and take actions) built on Juno Network. Before version 0.x.y-security-1, the platform's MCP (Model Context Protocol) write tools (functions that send tokens or execute contracts) took a BIP-39 seed phrase (the mnemonic from which wallet private keys are derived) as a plain-text parameter, exposing it to logs, telemetry and every intermediary between the AI provider and the MCP process.
JunoClaw, an agentic AI platform (a system where AI makes decisions and takes actions automatically) built on Juno Network, had a flaw in the command-safety check of its plugin-shell before version 0.x.y-security-1. The check was a substring blocklist applied to the raw command string, so an attacker could craft arguments that contained no blocked substring yet still resolved to a blocked program once the shell parsed them, leading to unauthorized command execution on the host. The root cause was judging the raw text instead of the first parsed token (the program name).
JunoClaw, an agentic AI platform (a system where AI agents perform tasks autonomously) built on Juno Network, had a vulnerability in its plugin-shell component where agent-supplied commands were wrapped in a shell interpreter without sanitization. Shell metacharacters in agent-supplied arguments (pipes, semicolons, command substitution) were therefore interpreted by the shell rather than passed through as plain text, letting an attacker who influences the agent run unintended commands. Fixed in version 0.x.y-security-1.
JunoClaw, an agentic AI platform (a system where AI makes decisions and takes actions) built on Juno Network, had a vulnerability in its upload_wasm MCP tool (which lets the agent upload compiled WebAssembly modules). The tool accepted a file path from the AI without checking that the path was valid, that it stayed inside the intended directory (symlinks and path traversal were not resolved), or that the file was actually a WebAssembly module, so it could upload any file readable on the system. Fixed in version 0.x.y-security-1.
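An added example of the destination check the WAVS bridge item above lacked. This is illustrative code, not JunoClaw's: the function names, the FAKE_DNS table and every hostname in it are constructed so the check runs offline. The idea is to resolve the agent-supplied host and refuse any URL that can reach a non-public address, including the IPv4-mapped IPv6 form and hosts with one public and one private record.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _system_resolver(host: str) -> set:
    """Real DNS lookup; the demo swaps in a table so it needs no network."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_ip(ip_str: str) -> bool:
    """Reject loopback, RFC 1918, link-local (cloud metadata), multicast, reserved."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:127.0.0.1 must be judged as 127.0.0.1
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_fetch_url(url: str, resolver=_system_resolver) -> str:
    """Return url if every address it can reach is public; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = {str(ipaddress.ip_address(host))}   # literal IP: nothing to resolve
    except ValueError:
        addrs = set(resolver(host))
    if not addrs:
        raise ValueError(f"{host!r} does not resolve")
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad:
        raise ValueError(f"{host!r} resolves to non-public address(es) {bad}")
    return url


# Constructed DNS table standing in for real resolution.
FAKE_DNS = {
    "api.example.com": {"93.184.216.34"},
    "metadata.internal": {"169.254.169.254"},
    "localtest": {"127.0.0.1"},
    "dual-homed": {"93.184.216.34", "10.0.0.5"},
    "mapped": {"::ffff:127.0.0.1"},
}


def fake_resolver(host: str) -> set:
    return FAKE_DNS.get(host, set())


def is_allowed(url: str) -> bool:
    """Convenience wrapper over validate_fetch_url using the constructed table."""
    try:
        validate_fetch_url(url, resolver=fake_resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/data", "http://metadata.internal/latest/meta-data/",
              "http://mapped/", "http://[::1]/", "file:///etc/passwd"):
        print(is_allowed(u), u)
```

Two caveats a reviewer would raise against this check on its own: the lookup here and the lookup the HTTP client performs later are separate, so a DNS-rebinding host can answer differently each time (connect to the validated address and send the Host header yourself, or re-run the check in a connection hook), and every redirect target must be validated the same way, since a public host can 302 to a private one.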
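The two plugin-shell items above are one problem seen from two sides: the safety check must judge what the shell will actually run, and the exec must not hand agent text to a shell at all. The following added example (constructed for this page, not JunoClaw's code; the blocklist, allowlist and BYPASS_COMMAND are invented) shows a substring blocklist passing a command the shell would parse as rm, the same command refused once it is tokenised with shlex and the program name checked, and execution via argv with shell=False so that $(...) and ; arrive as literal text.

```python
import shlex
import subprocess

# Constructed policy. The advisory describes a substring blocklist; an allowlist of
# program names is the robust replacement, so both are shown.
BLOCKED_SUBSTRINGS = {"rm", "curl", "wget", "bash"}
ALLOWED_PROGRAMS = {"echo", "ls", "cat", "git"}

# Constructed bypass: the shell joins r and the quoted m into `rm`; a substring scan
# of the raw text never sees that word.
BYPASS_COMMAND = "r'm' -rf /tmp/target"


def weak_check(raw: str) -> bool:
    """The weak check: pass if no blocked word appears as a substring of the raw text."""
    return not any(word in raw for word in BLOCKED_SUBSTRINGS)


def to_argv(raw: str) -> list:
    """Tokenise once, with shell quoting rules, so the check and the exec agree."""
    try:
        return shlex.split(raw)
    except ValueError:          # unbalanced quotes: refuse rather than guess
        return []


def strong_check(raw: str) -> bool:
    """Judge the parsed program name against an allowlist."""
    argv = to_argv(raw)
    return bool(argv) and argv[0] in ALLOWED_PROGRAMS


def run_agent_command(raw: str) -> str:
    """Run without a shell: metacharacters inside argv are ordinary bytes to the program."""
    if not strong_check(raw):
        raise PermissionError(f"refused: {raw!r}")
    argv = to_argv(raw)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(weak_check(BYPASS_COMMAND), to_argv(BYPASS_COMMAND))   # True ['rm', '-rf', '/tmp/target']
    print(strong_check(BYPASS_COMMAND))                           # False
    print(run_agent_command("echo $(id); rm -rf /"), end="")      # echoes the text, runs nothing else
```

Note that the first-token check is only sound together with shell=False: with a shell in the loop, `echo $(rm -rf /)` has echo as its first token and still deletes files.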
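An added example of the three checks the upload_wasm item above describes as missing: resolve the agent-supplied path (following symlinks and `..`) and require it to stay under an allowed root, require a regular file, and require the WebAssembly magic bytes. This is illustrative code, not JunoClaw's; the directory layout in demo() is constructed in a temporary directory so the example runs stand-alone. The WASM_MAGIC constant is the real 4-byte header every WebAssembly binary starts with.

```python
import os
import tempfile

WASM_MAGIC = b"\0asm"   # every WebAssembly binary begins with these four bytes


def resolve_upload_path(user_path: str, allowed_root: str) -> str:
    """Return the real path if it is a wasm file inside allowed_root; raise otherwise."""
    root = os.path.realpath(allowed_root)
    # join() discards root if user_path is absolute; realpath() then also resolves
    # symlinks and '..', so the containment test below sees the true target.
    real = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, real]) != root:
        raise PermissionError(f"{user_path!r} escapes {allowed_root!r}")
    if not os.path.isfile(real):
        raise FileNotFoundError(real)
    with open(real, "rb") as f:
        if f.read(4) != WASM_MAGIC:
            raise ValueError(f"{user_path!r} is not a WebAssembly module")
    return real


def classify(user_path: str, root: str) -> str:
    """Map the outcome of resolve_upload_path to a short label for the demo."""
    try:
        resolve_upload_path(user_path, root)
        return "accepted"
    except PermissionError:
        return "escapes root"
    except FileNotFoundError:
        return "missing"
    except ValueError:
        return "not wasm"


def demo() -> dict:
    """Constructed layout: artifacts/ holds a real module, a mislabeled text file
    and a symlink pointing outside; secret.key sits beside artifacts/, not inside."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "artifacts")
    os.mkdir(root)
    with open(os.path.join(root, "good.wasm"), "wb") as f:
        f.write(WASM_MAGIC + b"\x01\x00\x00\x00")       # magic + version 1
    with open(os.path.join(root, "notes.wasm"), "wb") as f:
        f.write(b"not really wasm")
    secret = os.path.join(base, "secret.key")
    with open(secret, "wb") as f:
        f.write(b"hunter2")
    os.symlink(secret, os.path.join(root, "link.wasm"))
    return {
        "good.wasm": classify("good.wasm", root),
        "notes.wasm": classify("notes.wasm", root),
        "../secret.key": classify("../secret.key", root),
        "absolute path": classify(secret, root),
        "link.wasm": classify("link.wasm", root),
        "nope.wasm": classify("nope.wasm", root),
    }


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path:15} {outcome}")
```

The order of the checks matters: realpath() before the containment test is what defeats the symlink case (link.wasm lives inside the root but resolves outside it), and checking the magic bytes rather than the extension is what rejects notes.wasm.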
TeamPCP compromised 170 npm (Node Package Manager, the registry where JavaScript developers share code) and PyPI (Python Package Index, its Python equivalent) packages, including popular libraries such as TanStack Router and Mistral AI's SDK. The attackers abused weak GitHub Actions configurations (the CI workflows that build and publish packages) to inject malware dubbed Mini Shai-Hulud, which steals developer credentials such as tokens (digital keys that prove identity) and API keys, and destructively deletes files if the stolen credentials are revoked.
Google announced free upgrades coming to Android phones throughout the year, including a new Gemini Intelligence AI system (an AI assistant built into phones) and a tool to help users avoid distracting apps. These features will roll out in waves to high-end devices from multiple manufacturers, including Samsung and Pixel phones, along with new laptops launching in autumn.
Fix (JunoClaw, the five advisories above, per their NVD/CVE Database entries): upgrade to version 0.x.y-security-1 or later, which contains the fixes.
Fix (TeamPCP npm/PyPI compromise): according to SafeDep, check the lockfile (the file that records the exact package versions installed) for known compromised versions, pin dependencies to known-good versions, and look for evidence of the malware's files. If an infected version may have been installed, rotate every credential that was in use at the time it was imported.
CSO Online