Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Maintained by Truong (Jack) Luu, Information Systems Researcher.

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates. 6223 items tracked; this is page 70 of 312.

CVE-2026-31251: CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnera
Type: vulnerability (critical) | Category: security | Date: May 11, 2026 | CVE-2026-31251
CosyVoice (a speech synthesis tool) has an insecure deserialization vulnerability (CWE-502, a flaw where untrusted data is converted back into executable code) in its gRPC server (a framework for building networked services). The server loads speech models with torch.load() without the weights_only=True parameter, so an attacker who can place a malicious model file in a directory that the victim later loads can execute arbitrary code.
Source: NVD/CVE Database

CVE-2026-31250: CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnera
Type: vulnerability (high) | Category: security | Date: May 11, 2026 | CVE-2026-31250
CosyVoice, a voice synthesis tool, has a vulnerability in its model averaging feature, which loads PyTorch checkpoint files (serialized machine learning model files) with an unsafe method that can execute arbitrary code. An attacker can craft malicious checkpoint files that run code on the victim's computer, without permission, when the tool processes them.
Source: NVD/CVE Database

CVE-2026-31249: CosyVoice thru commit 6e01309e01bc93bbeb83bdd996b1182a81aaf11e (2025-30-21) contains an insecure deserialization vulnera
Type: vulnerability (high) | Category: security | Date: May 11, 2026 | CVE-2026-31249
CosyVoice (a text-to-speech AI tool) has a vulnerability in how it loads PyTorch model files (machine learning data files containing voice embeddings and tokens). The tool uses an unsafe loading method that allows attackers to execute arbitrary code (run any commands they want) on a victim's computer if the victim processes a directory containing a malicious .pt file.
Source: NVD/CVE Database

CVE-2026-31246: GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (
Type: vulnerability (critical) | Category: security | Date: May 11, 2026 | CVE-2026-31246
GPT-Pilot has a command injection vulnerability (CWE-78, a type of security flaw where attackers insert malicious commands into a program) in its Executor.run() method that allows attackers to execute arbitrary shell commands. When the system asks the user to confirm or modify a command before running it, it does not properly validate that input before passing it to the shell execution function, so an attacker can replace the intended command with malicious code that runs with GPT-Pilot's privileges.
Source: NVD/CVE Database

Google stopped a zero-day hack that it says was developed with AI
Type: news (info) | Category: security | Date: May 11, 2026
Google discovered and blocked a zero-day exploit (one targeting a previously unknown security flaw) that was created with AI assistance and that criminals planned to use for mass attacks on a web administration tool. Researchers identified AI involvement from signs in the Python script such as artificial CVSS scores (severity ratings) and text patterns typical of AI language models.
Source: The Verge (AI)

How ChatGPT adoption broadened in early 2026
Type: news (info) | Category: industry | Date: May 11, 2026
OpenAI's Q1 2026 data shows ChatGPT adoption expanded beyond early adopters, with growing usage among older age groups, users with typically feminine names, and people in emerging markets across Latin America, Asia-Pacific, and Africa. Workplace use shifted toward specialized tasks such as content creation and health documentation rather than general writing alone. Overall, ChatGPT became a more mainstream tool used by diverse people in more countries for recurring tasks.
Source: OpenAI Blog

GHSA-389r-gv7p-r3rp: go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git
Type: vulnerability (high) | Category: security | Date: May 11, 2026 | CVE-2026-45022
go-git (a Git implementation in Go) may parse malformed Git objects differently than upstream Git, so commits or tags with ambiguous headers can be interpreted inconsistently. This is especially problematic for commit signing and verification: go-git signs or verifies commits based on its own parsed representation rather than the original raw bytes, which can make an invalid signature appear valid when the commit's displayed content differs from what was actually signed.
Fix: Users should upgrade to a patched version. Versions prior to v5 are likely affected, and users are recommended to upgrade to a supported go-git version.
Source: GitHub Advisory Database

AI-powered hacking has exploded into industrial-scale threat, Google says
Type: news (info) | Category: security | Date: May 11, 2026
According to Google's threat intelligence group, AI-powered hacking (using AI models to help create and scale cyberattacks) has grown from a minor issue to a large, organized threat in just three months. Criminal groups and state-sponsored actors now use commercial AI models to write code and find vulnerabilities (weaknesses in software that can be exploited) more effectively and at a much larger scale.
Source: The Guardian Technology

GHSA-q7rr-3cgh-j5r3: Prometheus exporter process crash via malformed HTTP request
Type: vulnerability (high) | Category: security | Date: May 11, 2026 | CVE-2026-44902
A malformed HTTP request can crash any Node.js application using the OpenTelemetry Prometheus exporter, because the metrics endpoint (a server that exposes application performance data) does not properly validate incoming URLs before processing them. Since this endpoint is unauthenticated and exposed by default, any network user can send a specially crafted request that crashes the entire application.
Fix: Update @opentelemetry/exporter-prometheus and @opentelemetry/sdk-node to version 0.217.0 or later, and update @opentelemetry/auto-instrumentations-node to version 0.75.0 or later. This release adds proper error handling around the URL constructor, returning an HTTP 400 response on parse failure rather than crashing the process. Run: npm install @opentelemetry/exporter-prometheus@latest. As a temporary mitigation if immediate updating is not feasible: bind the endpoint to localhost only by setting the host option to 127.0.0.1, use a firewall or network policy to restrict access to port 9464 to only trusted Prometheus scrape hosts, or place the endpoint behind a reverse proxy that filters or validates incoming requests.
Source: GitHub Advisory Database

GHSA-w2pm-x38x-jp44: Dockerfile command injection via envs[*].name in bentofile.yaml (sibling fix-bypass of CVE-2026-33744 and CVE-2026-35043)
Type: vulnerability (high) | Category: security | Date: May 11, 2026 | CVE-2026-44346
A vulnerability in BentoML allows command injection through environment variable names in bentofile.yaml files. When a user runs `bentoml containerize` (the command that builds a container image) on a malicious bento configuration, unquoted environment variable names are inserted into the generated Dockerfile, allowing attackers to execute arbitrary commands on the build host during the `docker build` process. This is a sibling of two earlier command injection bugs (CVE-2026-33744 and CVE-2026-35043) whose patches covered a different field but missed this one.
Fix: The source suggests two fixes in `base_v2.j2` lines 71-73: (1) Apply the `bash_quote` filter to `env.name` in both the `ARG` and `ENV` lines: `ARG {{ env.name | bash_quote }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}` and `ENV {{ env.name | bash_quote }}=${{ env.name | bash_quote }}`; or (2) the better approach: validate at the schema level by adding `attr.validators.matches_re(r"^[A-Za-z_][A-Za-z0-9_]*$")` to the `name` field in `bentoml/_internal/bento/build_config.py:BentoEnvSchema` to reject newline and shell-metacharacter values when the config is loaded.
Source: Hugging Face Security Advisories

GHSA-78f9-r8mh-4xm2: BentoML Dockerfile command injection via docker.base_image (sister of pending GHSA-w2pm-x38x-jp44 / CVE-2026-33744 / CVE-2026-35043)
Type: vulnerability (high) | Category: security | Date: May 11, 2026 | CVE-2026-44345
BentoML has a command injection vulnerability where the `docker.base_image` field in a bento.yaml configuration file is inserted directly into a Dockerfile template without any validation or escaping. An attacker can supply a malicious bento.yaml with newlines in the `docker.base_image` value to inject arbitrary Dockerfile commands (such as `RUN` directives that execute code), which run when a victim executes `bentoml containerize` to build a container image.
Fix: Validate `DockerOptions.base_image` at the config layer by rejecting any value containing newline characters (`\n`, `\r`) or whitespace beyond a single space-separated tag. The source suggests using a regex like `^[A-Za-z0-9._/-]+(:[A-Za-z0-9._-]+)?(@sha256:[a-f0-9]{64})?$` to enforce practical Docker reference format. The same hardening should be extended to other unvalidated fields in the Dockerfile template: `__options__build_include[*]`, `bento__user`, `bento__uid_gid`, `bento__path`, `bento__home`, and `bento__entrypoint`.
Source: GitHub Advisory Database

GHSA-jgj3-r8hr-9pjw: Open WebUI's Improper Authorization in Standard Channels Allows Message Updates with Read Permission
Type: vulnerability (medium) | Category: security | Date: May 11, 2026 | CVE-2026-44571
Open WebUI has an authorization flaw in standard channels (regular channels, as opposed to group or direct message channels): the message update endpoint incorrectly grants access with read permission only. Any authenticated user can therefore modify other users' messages if they know the message ID, violating data integrity (the guarantee that information stays accurate and unchanged by unauthorized parties).
Fix: Update the permission check in `backend/open_webui/routers/channels.py:1451–1456` by changing the authorization requirement from `has_access(..., type="read")` to `has_access(..., type="write")`, ensuring only administrators, message owners, or users with write permission (the ability to create or modify content) can update messages.
Source: GitHub Advisory Database

Joanna Stern is not a robot, but she lived with them
Type: news (info) | Category: industry | Date: May 11, 2026
This is a podcast interview transcript in which tech journalist Joanna Stern discusses her new book 'I Am Not a Robot,' for which she spent a year integrating AI into every aspect of her life to evaluate the technology's current state. She found that many hyped AI products, especially humanoid robots (physical machines designed to look and act like humans), are not yet ready for real-world use, though she is optimistic about wearable AI (AI embedded in portable devices like smartwatches) as a potential breakthrough application.
Source: The Verge (AI)

GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access
Type: news (high) | Category: security, research | Date: May 11, 2026
Threat actors are increasingly using AI and large language models (LLMs, systems trained on massive amounts of text to generate human-like responses) to discover vulnerabilities, create malware, and conduct cyberattacks at industrial scale, with groups linked to China, North Korea, and Russia demonstrating significant AI-enabled capabilities. AI is being used both as an attack tool (for generating exploits, evading defenses, and creating deepfakes) and as a target for compromise, with attackers seeking unauthorized access to AI systems through supply chain attacks and illicit model access. Google's Threat Intelligence Group reports these threats are advancing from experimental to mature operations, including autonomous malware like PROMPTSPY that can dynamically adapt to victim systems.
Fix: Google mitigates AI model abuse by disabling malicious accounts accessing Gemini. Additionally, Google employs AI agents like Big Sleep to identify software vulnerabilities and uses Gemini's reasoning capabilities through CodeMender to automatically fix vulnerabilities, while enhancing product safeguards to offer scaled protections to users.
Source: Google Threat Intelligence

Cerebras bumps up IPO range as it looks to raise up to $4.8 billion
Type: news (info) | Category: industry | Date: May 11, 2026
Cerebras Systems, an AI chipmaker, increased its IPO (initial public offering, when a private company sells shares to the public for the first time) price range to $150-$160 per share, up from $115-$125, potentially raising $4.8 billion. The company makes specialized chips that compete with Nvidia's GPUs (graphics processing units, hardware that processes AI calculations) and claims its chips are faster and cheaper, with major backing from OpenAI.
Source: CNBC Technology

Lyrie.ai Joins First Batch of Anthropic’s Cyber Verification Program
Type: news (info) | Category: security, industry | Date: May 11, 2026
OTT Cybersecurity LLC announced that its product Lyrie.ai has been accepted into Anthropic's Cyber Verification Program, and released the Agent Trust Protocol (ATP), an open cryptographic standard (a set of math-based rules for secure communication) that allows systems to verify the identity, permissions, and integrity of autonomous AI agents operating on the internet. ATP addresses a security gap by letting organizations confirm who an AI agent is, what it is authorized to do, and whether it has been tampered with.
Source: CSO Online

Deep Privacy Funnel Model: From a Discriminative to a Generative Approach With an Application to Face Recognition
Type: research (info, peer-reviewed) | Category: privacy, research | Date: May 11, 2026
This research develops a privacy-preserving method for face recognition systems using the Privacy Funnel model, which balances the usefulness of facial data against protecting sensitive information such as identity or demographic attributes. The authors introduce new versions of this model, including the Generative Privacy Funnel (GenPF) and the deep variational Privacy Funnel (DVPF), and demonstrate that their approach works with modern face recognition systems while reducing information leakage about sensitive attributes.
Source: IEEE Xplore (Security & AI Journals)

A Secure and Efficient Image Sharing Method Based on Bilateral Compressive Sensing With Multilevel Privacy Preserving Function
Type: research (info, peer-reviewed) | Category: research | Date: May 11, 2026
This paper proposes a new image sharing method that uses compressive sensing (a technique that compresses and encrypts data simultaneously) with multiple privacy levels, so different users can access only the information they need without seeing sensitive details. The method uses an algorithm called T-ℓ1-B2DLDA to compress images in a way that allows some users to classify or analyze images without reconstructing the original, while others with higher access levels can fully reconstruct them.
Source: IEEE Xplore (Security & AI Journals)

Google discovers weaponized zero-day exploits created with AI
Type: news (high) | Category: security, safety | Date: May 11, 2026
Google's Threat Intelligence Group discovered the first confirmed AI-crafted zero-day exploit (one targeting a previously unknown security flaw) in the wild: a Python script that bypassed two-factor authentication (a security method requiring two forms of verification) on a web-based system administration tool. The exploit relied on a logic flaw that the AI model found by understanding the developers' intent rather than by spotting basic coding mistakes. As AI models become more capable of reasoning about complex code, such AI-generated exploits may become more common, and threat actors are also attempting to abuse AI systems like Google's Gemini to discover vulnerabilities in firmware (the low-level software in devices) and other systems.
Source: CSO Online

Hackers Use AI for Exploit Development, Attack Automation
Type: news (info) | Category: security | Date: May 11, 2026
Attackers are increasingly using large language models (AI systems trained on vast amounts of text that can generate human-like responses) to create exploits (tools that take advantage of software vulnerabilities) and to automate complex attacks. Adversaries have used AI for some time, but this represents a shift toward more sophisticated automation of the attack development process.
Source: Dark Reading