All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
A vulnerability in the Google Gemini connector allows an authenticated attacker with connector-creation privileges to read arbitrary files on the server by submitting a specially crafted JSON configuration. The flaw combines two weaknesses: external control of a file name or path (CWE-73, where attacker-supplied input decides which file the server opens) and server-side request forgery (SSRF, where the server is induced to make requests to destinations of the attacker's choosing). Because the server does not validate the configuration before acting on it, the attacker gets both unauthorized file reads and arbitrary outbound requests made from the server's network position.
Enclave is a JavaScript sandbox (a restricted environment for running untrusted code) designed to isolate AI agent code execution. Before version 2.7.0, it had a critical vulnerability: guest code could trigger an error, and because the thrown error object belonged to the host realm, climbing its prototype chain (the sequence of objects from which it inherits properties) reached the host's Function constructor, which allows evaluating arbitrary code on the underlying Node.js process with access to environment variables, files and anything else the host could reach.
An out-of-bounds (OOB) read, where code reads memory outside the buffer it was given, exists in the Linux kernel's e1000 network driver in the e1000_tbi_should_accept() function. When processing a received frame, the function reads the frame's last byte without first checking that the reported frame length is valid, so a zero or oversized length makes it read past the receive buffer and can crash the system.
A race condition (a bug where concurrent code paths access the same data without proper coordination) existed in ksmbd, the Linux kernel's in-kernel SMB file server. Different code paths read and modified the delete-on-close and pending-delete flags inconsistently, some under a lock (a mechanism that serializes access) and some without, so a file could be deleted unexpectedly or left on disk when it should have been removed.
Ollama versions 0.11.5-rc0 through 0.13.5 have a null pointer dereference (a crash caused by using a pointer that refers to no valid object) in their image processing code. An attacker can send crafted, malformed image data to the /api/chat endpoint (the interface for chat requests), crashing the application; it stays unavailable to all users until it is manually restarted.
LangChain versions up to 0.3.1 have a ReDoS vulnerability (regular expression denial of service, where a pattern that backtracks excessively can be made to consume huge amounts of CPU time) in the parser that extracts tool actions from model output. An attacker can trigger it with malicious text supplied directly or through prompt injection (hidden instructions in content the model reads), making the parser slow down dramatically or stop responding.
LlamaIndex versions up to 0.12.2 have a vulnerability where the VannaPack VannaQueryEngine takes user prompts, converts them to SQL statements, and runs them without limits on how much computing power they use. An attacker can exploit this by submitting prompts that trigger expensive SQL operations, causing the system to run out of CPU or memory (a denial-of-service attack, where a service becomes unavailable).
LlamaIndex versions up to 0.11.6 contain a vulnerability where the BGEM3Index.load_from_disk() function uses pickle.load() (the Python method that turns stored bytes back into objects) to read files from a user-provided directory without verifying what they contain. Because unpickling can import and call arbitrary Python callables named in the stream, a malicious pickle file executes attacker-chosen code when the victim loads the index from disk.
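Why an unpickled index file is an execution vector, and one way to constrain it, as an added example (this is not LlamaIndex code; the on-disk index layout, the allow-list and the helper names are assumptions for illustration):

```python
import io
import os
import pickle

# Constructed malicious "index" file: hand-written protocol-0 pickle opcodes
# that store no data at all. 'c' (GLOBAL) imports os.getcwd, ')' pushes an
# empty tuple, 'R' (REDUCE) calls getcwd(), '.' returns the result.
# os.getcwd is a harmless stand-in; os.system or subprocess.Popen would be
# reached the same way, which is what makes untrusted pickle.load() code execution.
MALICIOUS_INDEX = b"cos\ngetcwd\n)R."

# Constructed benign index (assumed layout: document id -> embedding vector).
BENIGN_INDEX = pickle.dumps({"doc-1": [0.1, 0.2], "doc-2": [0.3, 0.4]})


def load_unsafe(data: bytes):
    """The vulnerable pattern: whatever the file names gets imported and called."""
    return pickle.load(io.BytesIO(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Override find_class so only an explicit allow-list of importable names
    can be referenced by the stream. The list here is an assumption; a real
    index loader would enumerate exactly the classes its on-disk format needs."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "float")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def unsafe_loader_ran_attacker_code() -> bool:
    """True: the 'index' never held data, yet loading it called os.getcwd()."""
    return load_unsafe(MALICIOUS_INDEX) == os.getcwd()


def restricted_loader_refuses_payload() -> bool:
    try:
        load_restricted(MALICIOUS_INDEX)
    except pickle.UnpicklingError:
        return True
    return False


def restricted_loader_reads_benign_index() -> bool:
    """Plain containers and numbers carry no GLOBAL opcode, so they still load."""
    return load_restricted(BENIGN_INDEX) == {"doc-1": [0.1, 0.2], "doc-2": [0.3, 0.4]}
```

A restricted unpickler is a hardening for formats that cannot be changed; the stronger fix is a serialization that cannot name code at all (JSON, numpy's .npy with allow_pickle=False, safetensors) for anything loaded from a user-supplied path.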
LibreChat, an open source ChatGPT-style application with extra features, has a vulnerability in versions before v0.8.2-rc2 in its MCP stdio transport (a way of connecting to a tool server by launching it as a child process and talking over its standard input and output): the command to launch is accepted without validation, so any logged-in user can run shell commands, as root inside the container, with a single API request. It is a missing-authorization flaw: the endpoint performs no permission check before spawning the process.
OpenCode, an open source AI coding agent, has a vulnerability in its markdown renderer that allows arbitrary HTML to be inserted into the web interface without proper sanitization (blocking of malicious code). Because there is no protection like DOMPurify (a tool that removes dangerous HTML) or CSP (content security policy, rules that restrict what code can run), an attacker who controls what the AI outputs could execute JavaScript (code that runs in the browser) on the local web interface.
OpenCode is an open source AI coding agent that, before version 1.0.216, automatically started an HTTP server with no authentication. Any local process could send it requests, and because its CORS policy (the browser rules that decide which websites may call a server) was permissive, so could JavaScript on any website open in the user's browser; either path allowed executing arbitrary shell commands with the user's privileges on the affected computer.
MLflow versions up to 3.4.0 do not properly validate Origin headers on the REST server (the interface external programs use to talk to MLflow; the Origin header tells a server which website issued a browser request). This enables DNS rebinding: an attacker's page is loaded from a domain the attacker controls, the domain's DNS record is then re-pointed at 127.0.0.1, and scripts on that page can issue what the browser treats as same-origin requests to the locally running server, letting them query, modify, or delete experiments and thereby steal or destroy data.
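A request guard showing how the two localhost-server items above (OpenCode's unauthenticated server with permissive CORS, and MLflow's missing Origin check) are closed, as an added example that is not either project's code; the allow-list, the session token and the check_request helper are assumptions for illustration:

```python
import secrets
from urllib.parse import urlsplit

# Names under which the local server legitimately expects to be addressed.
# Assumption for the example; in practice derive this from the bind address.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Per-run secret handed to the legitimate UI at startup (assumption: the real
# server would embed it in the page it serves and require it on API calls).
SESSION_TOKEN = secrets.token_urlsafe(32)


def _hostname(value: str) -> str:
    """Host part of a Host header ("127.0.0.1:5000") or an Origin URL
    ("http://[::1]:5000"), lower-cased, with port and brackets removed."""
    try:
        split = urlsplit(value if "://" in value else "//" + value)
        return (split.hostname or "").lower()
    except ValueError:          # malformed IPv6 literal etc.
        return ""


def check_request(headers: dict) -> tuple:
    """Gate for a local-only API. Returns (allowed, reason)."""
    # DNS rebinding: the page was loaded from evil.example, whose record is
    # then re-pointed at 127.0.0.1. The browser treats the next fetch as
    # same-origin, but the Host header it sends still says evil.example,
    # so an exact Host allow-list catches it.
    host = headers.get("Host", "")
    if _hostname(host) not in ALLOWED_HOSTS:
        return False, f"unexpected Host {host!r}: possible DNS rebinding"
    # Genuine cross-site request from another tab: Origin names the
    # attacker's site. A permissive CORS policy would answer it; refuse.
    origin = headers.get("Origin")
    if origin is not None and _hostname(origin) not in ALLOWED_HOSTS:
        return False, f"cross-origin request from {origin!r}"
    # Any local process can open a TCP connection and forge both headers,
    # so "listens on localhost" is not authentication: require the token.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.isascii() \
            or not secrets.compare_digest(token, SESSION_TOKEN):
        return False, "missing or invalid session token"
    return True, "ok"


def sample_decisions() -> dict:
    """Constructed requests and the guard's verdict for each."""
    bearer = f"Bearer {SESSION_TOKEN}"
    requests = {
        "ui_tab": {"Host": "127.0.0.1:5000", "Origin": "http://127.0.0.1:5000",
                   "Authorization": bearer},
        "ipv6_ui": {"Host": "[::1]:5000", "Origin": "http://[::1]:5000",
                    "Authorization": bearer},
        # rebound page: same-origin fetch, no Origin, Host is the attacker's name
        "dns_rebinding": {"Host": "evil.example:5000"},
        "cross_site": {"Host": "127.0.0.1:5000", "Origin": "https://evil.example",
                       "Authorization": bearer},
        "local_process": {"Host": "localhost:5000"},
    }
    return {name: check_request(h) for name, h in requests.items()}
```

Checking Host defeats rebinding because re-pointing DNS changes where the browser connects but not the Host header it sends; checking Origin refuses real cross-site requests that a permissive CORS policy would otherwise answer; and the token is what stops a local process that can forge both headers. Run the three checks before any route handler, and keep the Host comparison exact rather than suffix-based.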
vLLM is a serving engine for running large language models, and versions 0.6.4 through 0.11.x have a vulnerability where attackers can crash the server by sending a tiny 1x1 pixel image to models using the Idefics3 vision component, causing a dimension mismatch (a size incompatibility between data structures) that terminates the entire service.
The Autogen Headers Menu WordPress plugin (all versions up to 1.0.1) has a stored cross-site scripting vulnerability (XSS, where attackers inject malicious scripts into web pages) in the 'head_class' parameter of the 'autogen_menu' shortcode. Authenticated attackers with Contributor-level access or higher can exploit insufficient input sanitization and output escaping to inject arbitrary scripts that execute when users view affected pages.
The BetterDocs plugin for WordPress (all versions up to 4.3.3) exposes sensitive information: authenticated attackers with Contributor-level access or higher can extract data, including OpenAI API keys stored in the plugin settings, through the scripts() function. Any WordPress site running the plugin with users at Contributor level or above is affected.
LibreChat version 0.8.1-rc2 has a server-side request forgery vulnerability (SSRF, where an attacker makes a server send requests to targets of the attacker's choosing) because the Actions feature lets agents call any remote service without restriction, including internal components such as the RAG API (the retrieval-augmented generation service that pulls in external documents). An attacker can therefore use LibreChat as a proxy into internal systems they cannot reach directly.
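Two items on this page come down to user input deciding what the server opens or fetches: the connector configuration entry at the top (CWE-73 plus SSRF) and LibreChat's unrestricted Actions. They share one defence, validating the path and the destination before use, shown here as an added example that is not the connector's or LibreChat's code; the base directory, the https-only scheme policy, the stub resolver and the helper names are assumptions for illustration:

```python
import ipaddress
import socket
from pathlib import Path
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}                  # assumption: no plain http
BASE_DIR = Path("/srv/connector-files")      # assumption: connector file root


def is_internal(ip: str) -> bool:
    """True for any address a server-side fetch must not reach: loopback,
    RFC 1918, link-local (incl. the 169.254.169.254 metadata service), CGNAT,
    multicast, reserved. IPv4-mapped IPv6 is unwrapped so ::ffff:127.0.0.1
    cannot slip past a check that only knows 127.0.0.1."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def resolve_all(host: str) -> list:
    """Default resolver: every address the name maps to (system DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_url(url: str, resolve=resolve_all) -> str:
    """Reject URLs a connector or agent action must not fetch. Returns the host."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ValueError("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    # Every answer must be public: a name with one public and one private
    # record lets the attacker pick which one the fetch ends up using.
    for ip in resolve(host):
        if is_internal(ip):
            raise ValueError(f"{host} resolves to internal address {ip}")
    # Caveat: the fetch itself must connect to one of the vetted addresses
    # rather than re-resolving the name, or the record can change in between.
    return host


def validate_path(user_path: str, base: Path = BASE_DIR) -> Path:
    """CWE-73 guard: the requested file must stay under `base` after
    normalisation. Absolute inputs and '..' segments both escape a naive join."""
    root = base.resolve()
    candidate = (root / user_path).resolve()
    if not candidate.is_relative_to(root):
        raise ValueError(f"path escapes {root}: {user_path!r}")
    return candidate


def sample_config_checks() -> dict:
    """Constructed connector configs, checked offline with a stub resolver."""
    fake_dns = {  # constructed answers; the 93.184.x addresses are public-looking stand-ins
        "api.example.com": ["93.184.216.34"],
        "metadata.internal": ["169.254.169.254"],
        "dual.example.com": ["93.184.216.35", "10.0.0.5"],
    }

    def stub_resolve(host):          # IP literals "resolve" to themselves
        return fake_dns.get(host, [host])

    def accepted(fn, value):
        try:
            fn(value)
            return True
        except ValueError:
            return False

    urls = {
        "public_https": "https://api.example.com/v1/models",
        "plain_http": "http://api.example.com/v1/models",
        "metadata_service": "https://metadata.internal/latest/meta-data/",
        "loopback_literal": "https://127.0.0.1:8000/rag/query",
        "mapped_loopback": "https://[::ffff:127.0.0.1]/rag/query",
        "split_horizon": "https://dual.example.com/",
    }
    paths = {
        "inside_base": "docs/readme.txt",
        "dotdot_escape": "../../etc/passwd",
        "absolute_escape": "/etc/passwd",
    }
    result = {n: accepted(lambda u: validate_url(u, stub_resolve), u) for n, u in urls.items()}
    result.update({n: accepted(validate_path, p) for n, p in paths.items()})
    return result
```

Resolve-then-check leaves a window in which the DNS record can change (rebinding again), so the real fetch should connect to the vetted IP or re-check inside the socket connect hook. The path check must run on the fully resolved path, after symlinks and '..' segments are collapsed, which is why both the base and the candidate go through Path.resolve().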
LibreChat version 0.8.1-rc2 has an access control vulnerability where an authenticated attacker (any logged-in user) can read the permissions of any agent (a predefined AI assistant with specific instructions) without authorization, even for agents they have no access to. Knowing an agent's ID is enough to view the permissions other users have been granted on it.
LibreChat version 0.8.1-rc2 has a missing authorization (a failure to check if a user has permission to do something) vulnerability that allows an authenticated attacker to upload files to any agent's file storage if they know the agent's ID, even without proper permissions. This could let attackers change how agents behave by adding malicious files.
Fix: This vulnerability is fixed in version 2.7.0.
Source: NVD/CVE Database
Fix: The fix rejects frames early when the length is zero or exceeds adapter->rx_buffer_len, before attempting to read the last byte. This prevents the out-of-bounds read while preserving the TBI workaround (a workaround for a hardware quirk) for valid frames.
Source: NVD/CVE Database
Fix: The fix (1) makes ksmbd_query_inode_status() check the flags under ci->m_lock (the lock protecting this data) after releasing inode_hash_lock; (2) adds ci->m_lock protection to all helper functions that read or modify the flags (ksmbd_inode_pending_delete(), ksmbd_set_inode_pending_delete(), ksmbd_clear_inode_pending_delete(), ksmbd_fd_set_delete_on_close()); and (3) keeps the existing ci->m_lock protection in __ksmbd_inode_close() while moving the actual file deletion outside the lock, unifying locking around these flags and removing the data race.
Source: NVD/CVE Database
Agentic browsers (web browsers with embedded AI agents) lack proper isolation mechanisms, which exposes them to attacks analogous to cross-site scripting (XSS, where malicious code runs in the context of a site you visit) and cross-site request forgery (CSRF, where an attacker makes your browser send requests you did not intend). Because the AI agent holds the same sensitive access users entrust to the browser, such as bank accounts and passwords, inadequate isolation between the agent and the websites it visits reintroduces vulnerability classes the web community thought it had solved decades ago.
Fix: The key recommendation for developers of agentic browsers is to extend the Same-Origin Policy (a security rule that keeps different websites' data separate in browsers) to AI agents, building on proven principles that successfully secured the web.
Source: Trail of Bits Blog
Fix: Update to v0.8.2-rc2 or later; the advisory states 'This vulnerability is fixed in v0.8.2-rc2.'
Source: NVD/CVE Database
Fix: This vulnerability is fixed in version 1.1.10.
Source: NVD/CVE Database
Fix: Update to version 1.0.216 or later; the vulnerability is fixed in 1.0.216.
Source: NVD/CVE Database
Fix: The issue is resolved in version 3.5.0.
Source: NVD/CVE Database
Unlearnable examples are protective noise added to private data so that models trained on it learn nothing useful; this paper shows that data augmentation (a common technique that creates variations of training data to improve model performance) can undo that protection, restoring learnability from 21.3% to 66.1% accuracy in the authors' experiments. The researchers propose Armor, a defense framework that generates the protective noise while accounting for augmentation, using a surrogate model (a stand-in model that simulates the real training process) and a targeted choice of augmentation so that the protected data stays unlearnable even after augmentation is applied.
Fix: The paper proposes Armor, a defense framework that works by: (1) designing a non-local module-assisted surrogate model to better capture the effect of data augmentation, (2) using a surrogate augmentation selection strategy that maximizes distribution alignment between augmented and non-augmented samples to choose the optimal augmentation strategy for each class, and (3) using a dynamic step size adjustment algorithm to enhance the defensive noise generation process. The authors state that 'Armor can preserve the unlearnability of protected private data under data augmentation' and plan to open-source the code upon publication.
Source: IEEE Xplore (Security & AI Journals)
Fix: This issue has been patched in version 0.12.0. Users should upgrade to vLLM 0.12.0 or later.
Source: NVD/CVE Database
Fix: Update to version 4.3.4 or later; the WordPress plugin repository changeset referenced in the advisory shows the fix was applied in that version.
Source: NVD/CVE Database
Fix: This issue is fixed in version 0.8.2-rc2.
Source: NVD/CVE Database
Fix: This issue is fixed in version 0.8.2-rc2. Users should update to this version or later.
Source: NVD/CVE Database