
Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

Browse All

All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.

6236 items

GHSA-gphh-9q3h-jgpp: banks has Critical Remote Code Execution (RCE) via Jinja2 SSTI

Severity: high | Type: vulnerability | Topics: security | May 8, 2026 | CVE-2026-44209

The `banks` library version 2.4.1 and earlier has a critical Remote Code Execution vulnerability because it uses an unsandboxed Jinja2 environment (a template engine that processes text with special syntax) to render prompt templates. If an application accepts user-supplied strings as templates and passes them to the `Prompt()` function, attackers can inject malicious template code to execute arbitrary commands on the server.

Fix: Fixed in `banks 2.4.2` by switching to `jinja2.sandbox.SandboxedEnvironment`, which blocks the dunder attribute traversal chain (accessing internal Python object properties using double underscores) that the exploit relies on. Developers using `banks <= 2.4.1` should upgrade to version 2.4.2 and avoid passing untrusted user input as the template argument to `Prompt()`.

Source: GitHub Advisory Database

A Framework for AI Threat Readiness

Severity: info | Type: news | Topics: security, policy | May 8, 2026

AI models can now autonomously discover zero-day vulnerabilities (previously unknown security flaws), create working exploits, and combine multiple weaknesses together, making vulnerabilities appear faster and get exploited more quickly than before. Organizations need to respond by acting faster to identify and fix vulnerabilities, and by having complete visibility across their entire environment (cloud systems, code, infrastructure, and software supply chain). The framework recommends reducing unnecessary exposure, prioritizing what can actually be exploited, patching quickly, and using AI-driven scanning to continuously validate every exposed system.

Fix: The source recommends a four-pillar framework but does not describe explicit fixes or patches. The closest guidance is: 'organizations need to move faster in how they assess exposure, prioritize what matters, and remediate issues before they can be exploited,' and 'scan every exposure with AI' to 'continuously scan every exposure, determine whether it can be exploited.' The source also cites the Firefox team as an example: 'after scanning with Mythos, the Firefox team fixed more security bugs in April than they had in the entire previous year.' However, no specific software update, patch version, or concrete mitigation technique is provided in the text.

Source: Wiz Research Blog

GHSA-7c37-gx6w-8vc5: gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers

Severity: medium | Type: vulnerability | Topics: security | May 8, 2026 | CVE-2026-44310

gitsign's certificate verification code crashes with a panic when it receives a signature with no certificates (which is valid according to the CMS/PKCS7 standard), and the panic is silently caught and converted to exit code 0, making failed verification look successful to scripts and CI systems that only check the exit code.

Source: GitHub Advisory Database

GHSA-8g7g-hmwm-6rv2: n8n-mcp affected by path traversal, redirect-following SSRF, and telemetry payload exposure

Severity: high | Type: vulnerability | Topics: security | May 8, 2026

n8n-mcp versions before 2.50.1 had three security issues: unvalidated workflow IDs allowed attackers to bypass access controls and leak API keys, webhook URLs followed redirects to unintended hosts (SSRF, a type of attack where a server makes unwanted requests to other systems), and telemetry (usage data sent to developers) stored sensitive information like API keys without hiding it. The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 8.3 and requires an authenticated attacker with access to the n8n API.

Fix: Upgrade to n8n-mcp version 2.50.1 or later. If upgrading is not immediately possible, the source provides these workarounds: for issues 1 and 2, restrict network access to the HTTP port through firewall rules or switch to stdio mode (a communication method that does not expose HTTP); for issue 3, set the environment variable `N8N_MCP_TELEMETRY_DISABLED=true` before starting the server, or run `npx n8n-mcp telemetry disable` once.

Source: GitHub Advisory Database

GHSA-cmrh-wvq6-wm9r: n8n-mcp webhook and API client paths has an authenticated SSRF

Severity: high | Type: vulnerability | Topics: security | May 8, 2026 | CVE-2026-44694

An authenticated SSRF (server-side request forgery, where an attacker tricks a server into making unwanted requests to internal services) vulnerability affects n8n-mcp's webhook and API client features. An attacker with access to the system can make the n8n-mcp host send HTTP requests to internal services or cloud credential endpoints that should be blocked, allowing them to steal credentials or enumerate internal systems.

Fix: Fixed in n8n-mcp@2.50.2. If you cannot upgrade immediately, the source suggests three workarounds: (1) Restrict network egress from the n8n-mcp host using a firewall or cloud security group to deny cloud metadata IPs (169.254.169.254, 169.254.170.2, 100.100.100.200, 192.0.0.192, and GCP metadata.google.internal) and RFC1918 networks; (2) Run in stdio mode instead of HTTP if multi-tenant mode is not needed; (3) Disable workflow management tools via `DISABLED_TOOLS=n8n_trigger_webhook_workflow,n8n_create_workflow,n8n_test_workflow` if not needed. Additionally, if N8N_API_URL points to localhost or a private network address, set `WEBHOOK_SECURITY_MODE=moderate` (allows localhost, blocks private networks and cloud metadata) or `WEBHOOK_SECURITY_MODE=permissive` (allows private networks too, only safe on trusted networks).

Source: GitHub Advisory Database

GHSA-w9f3-qc75-qgx9: PrestaShop has a stored XSS executable in customer service view

Severity: critical | Type: vulnerability | Topics: security | May 8, 2026 | CVE-2026-44212

PrestaShop has a stored XSS (cross-site scripting, where malicious code is saved in a database and runs when viewed) vulnerability in its back-office customer service section. An attacker without login access can submit a malicious email through the public Contact Us form, which gets stored and then executes when an employee opens the customer thread, potentially allowing the attacker to hijack the employee's session and take over the back-office.

Fix: Patched in PrestaShop 8.2.6 and 9.1.1.

Source: GitHub Advisory Database

Anthropic's Mythos set off a cybersecurity 'hysteria.' Experts say the threat was already here

Severity: info | Type: news | Topics: security, industry | May 8, 2026

Anthropic released Mythos, an AI model that can find thousands of previously unknown software vulnerabilities (flaws in code that haven't been patched yet), which sparked concern among banks, governments, and tech companies about a new wave of AI-enabled cyberattacks. However, cybersecurity experts say this vulnerability-finding capability already exists in older, publicly available AI models from Anthropic and OpenAI, and can be achieved through orchestration (coordinating multiple tools or models to work together on a task).

Source: CNBC Technology

PlayStation sees AI as a ‘powerful tool’ to help make games

Severity: info | Type: news | Topics: industry | May 8, 2026

Sony views generative AI (machine learning systems that can create new content like images or text) as a useful tool for game development, particularly for automating repetitive tasks. The company emphasizes that AI should enhance developer creativity rather than replace human talent, and that the artistic vision and emotional impact of games will continue to come from Sony's studios and performers.

Source: The Verge (AI)

Microsoft was worried OpenAI would run off to Amazon and ‘shit-talk’ Azure

Severity: info | Type: news | Topics: industry | May 8, 2026

Court documents from a lawsuit between Elon Musk and Sam Altman revealed that Microsoft's executives were worried OpenAI might leave to work with Amazon instead and publicly criticize Microsoft's cloud service (Azure, Microsoft's platform for running applications online). The documents show communications between Microsoft CEO Satya Nadella and OpenAI CEO Sam Altman from 2017 when they were beginning to discuss a partnership to fund OpenAI's AI research.

Source: The Verge (AI)

CVE-2026-43408: In the Linux kernel, the following vulnerability has been resolved: ceph: add a bunch of missing ceph_path_info initial

Severity: info | Type: vulnerability | Topics: security | May 8, 2026 | CVE-2026-43408

A vulnerability in the Linux kernel's Ceph file system code causes crashes because some function calls to ceph_mdsc_build_path() were missing proper initialization of a data structure called ceph_path_info (a container holding file path information). When ceph_mdsc_free_path_info() tries to clean up this uninitialized data, it can crash the kernel or potentially be exploited.

Fix: Add zero-initializers for ceph_path_info parameters to all ceph_mdsc_build_path() callers that were missing them. The fix involves initializing the structure everywhere it is used, ensuring the structure is zeroed out before being passed to ceph_mdsc_build_path().

Source: NVD/CVE Database

CVE-2026-41487: Langfuse is an open source large language model engineering platform. From version 3.68.0 to before version 3.167.0, the

Severity: high | Type: vulnerability | Topics: security | May 8, 2026 | CVE-2026-41487

Langfuse, an open source platform for managing large language models, had a role-based access control flaw (a security issue where user permissions weren't properly enforced) in versions 3.68.0 through 3.166.9 that allowed low-privileged project members to redirect API requests to attacker-controlled servers, potentially exposing sensitive API keys. The vulnerability required the attacker to already have basic access to a project as a member.

Fix: Update to Langfuse version 3.167.0 or later, where the issue has been patched.

Source: NVD/CVE Database

CVE-2026-43350: In the Linux kernel, the following vulnerability has been resolved: smb: client: require a full NFS mode SID before rea

Severity: info | Type: vulnerability | Topics: security | May 8, 2026 | CVE-2026-43350

A vulnerability in the Linux kernel's SMB (Server Message Block, the protocol for file sharing) client allows a malicious server to trick the system into reading memory beyond the bounds of a data structure called an ACE (access control entry). The bug occurs because the code checks if an ACE matches a special NFS mode SID (security identifier, a unique value representing users or groups) but doesn't verify the ACE has enough data before reading from it.

Fix: Require num_subauth >= 3 before treating the ACE as an NFS mode SID. This check ensures the ACE carries three subauthorities before the code attempts to read the mode bits from sub_auth[2].

Source: NVD/CVE Database

CVE-2026-43319: In the Linux kernel, the following vulnerability has been resolved: spi: spidev: fix lock inversion between spi_lock an

Severity: info | Type: vulnerability | Topics: security | May 8, 2026 | CVE-2026-43319

The Linux kernel's spidev driver had a lock inversion bug where two mutexes (spi_lock and buf_lock, which are mechanisms that ensure only one part of code runs at a time) were acquired in different orders on different code paths, causing potential deadlocks where the program could freeze waiting for locks. This bug could be triggered by running write() and ioctl() calls simultaneously from different threads on the same device file.

Fix: The fix simplifies the locking model by removing buf_lock entirely and having spidev_sync() no longer perform any locking, with all callers instead serializing access using only spi_lock. This eliminates the lock inversion and prevents deadlocks without changing the user-facing API or behavior.

Source: NVD/CVE Database

Everybody wants to rule the AI world

Severity: info | Type: news | Topics: industry | May 8, 2026

This article discusses the chaotic leadership transition at OpenAI in 2024, when Sam Altman was removed as CEO under unclear circumstances involving video calls and informal communications between current and former leadership. The situation's complexity is now being revealed through an ongoing legal dispute between Elon Musk and Altman.

Source: The Verge (AI)

Running Codex safely at OpenAI

Severity: info | Type: news | Topics: safety, security | May 8, 2026

OpenAI's Codex is a coding agent that can autonomously perform tasks like reviewing code and running commands, which creates security risks that need careful control. To deploy Codex safely, OpenAI uses sandboxing (technical boundaries limiting where the agent can write and what it can access), approval policies (requiring human review for risky actions), network restrictions (blocking unexpected connections), and audit logging (recording what the agent does). These controls work together to let Codex move quickly on routine, low-risk tasks while stopping for review on higher-risk actions.

Fix: OpenAI's explicit mitigations include: sandboxing to define execution boundaries, approval policies requiring human review for higher-risk actions, auto-approval mode for routine low-risk requests, managed network policies (allowing expected destinations and blocking unwanted ones), secure credential storage in the OS keyring, forcing authentication through ChatGPT tied to enterprise workspace controls, command rules that allow benign commands without approval but block or require approval for dangerous commands, and agent-native telemetry and audit trails for visibility into agent behavior.

Source: OpenAI Blog

Claude in Chrome is taking orders from the wrong extensions

Severity: high | Type: news | Topics: security | May 8, 2026

Claude in Chrome, Anthropic's browser extension, has a bug called ClaudeBleed that allows malicious extensions to hijack it and trick it into performing unauthorized actions like stealing files, sending emails, or stealing code from private repositories. The vulnerability exists because the extension trusts any script from its origin (claude.ai) without checking who is actually running it, breaking Chrome's normal security model. Anthropic released a partial fix in version 1.0.70 on May 6, but researchers found the vulnerability can still be exploited by switching the extension to privileged mode.

Fix: Anthropic released version 1.0.70 on May 6 with added security checks that prevent extensions from executing remote commands in standard mode. The company also stated that 'a fix that removes the affected message handler has been merged and will ship in an upcoming extension release,' though the source notes this promised fix did not fully materialize in version 1.0.70.

Source: CSO Online

The Tech Download: Meta, Google enter AI agent race as ‘agentic wars’ heat up

Severity: info | Type: news | Topics: industry, safety | May 8, 2026

Major tech companies like Meta and Google are racing to develop AI agents (AI tools that can perform tasks for users rather than just answer questions), following the viral success of OpenClaw earlier this year. While AI agents promise major business benefits through increased user engagement and revenue opportunities, significant security and governance challenges remain unresolved, particularly the risk of agents "doing the wrong thing" rather than just saying the wrong thing.

Source: CNBC Technology

Your CTEM program is probably ignoring MCP. Here’s how to fix it

Severity: medium | Type: news | Topics: security, policy | May 8, 2026

Model Context Protocol (MCP, a plugin system that lets AI agents connect to external tools) has become a major security blind spot because organizations aren't scanning for or monitoring MCP risks, leaving them vulnerable to attacks that exploit supply chain vulnerabilities, exposed credentials, and malicious AI tool installations. The article highlights how attackers can compromise widely-trusted MCP packages (like the postmark-mcp npm package that exfiltrated emails from 300 organizations) and how developers often hardcode sensitive credentials into AI configurations, making MCP a vehicle for old attack types (like supply chain attacks and credential theft) to cause new damage.

Source: CSO Online

Pen tests show AI security flaws far more severe than legacy software bugs

Severity: info | Type: news | Topics: security, research | May 8, 2026

Penetration tests (security checks where experts try to break into systems) show that AI and large language model (LLM, advanced AI systems trained on huge amounts of text) systems have significantly more high-risk security flaws than traditional software, with 32% of AI findings rated high-risk compared to 13% for legacy systems. LLM vulnerabilities are also fixed less often, with only 38% of high-risk issues resolved, and experts attribute this to AI systems being deployed quickly without mature security controls, newer attack surfaces like prompt injection (tricking an AI by hiding instructions in its input), and unclear responsibility for fixing problems across teams.

Source: CSO Online

Vulnerability in Claude Extension for Chrome Exposes AI Agent to Takeover

Severity: high | Type: news | Topics: security | May 8, 2026

A vulnerability called ClaudeBleed in the Claude extension for Chrome allows attackers to take over the AI agent by exploiting weak permission checks and improper trust verification. The flaw lets any malicious Chrome extension send commands to Claude and use prompt injection (tricking the AI by hiding instructions in its input) to control its actions, potentially stealing data from Gmail or Google Drive or sending emails on the user's behalf.

Fix: Anthropic released a patch that added internal security checks to prevent extensions running in 'standard' mode from executing remote commands. However, LayerX noted this fix only partially addressed the issue, as attackers can switch the extension to 'privileged' mode to bypass the protection, and users are not notified or asked to approve this mode switch.

Source: SecurityWeek