All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
CyberRisk Alliance and OWASP (Open Worldwide Application Security Project, a non-profit focused on improving software security) announced a partnership to advance education in application security (protecting software from attacks) and AI security. The collaboration will involve creating shared content, hosting events, and conducting research initiatives together.
CVE-2025-6855 is a critical vulnerability in Langchain-Chatchat (a tool built on LLMs) up to version 0.3.1 that allows path traversal (accessing files outside the intended directory) through manipulation of a parameter called 'flag' in the /v1/file endpoint. The vulnerability has been publicly disclosed and could potentially be exploited.
CVE-2025-6854 is a path traversal vulnerability (a flaw that lets attackers access files outside intended directories) in Langchain-Chatchat software versions up to 0.3.1, specifically in a file upload endpoint. The vulnerability can be exploited remotely by attackers with login credentials and has already been publicly disclosed.
CVE-2025-6853 is a critical vulnerability in Langchain-Chatchat version 0.3.1 and earlier that allows attackers to exploit a path traversal (a type of attack where an attacker manipulates file paths to access files outside their intended directory) flaw in the upload_temp_docs backend function by manipulating the flag argument. The vulnerability can be exploited remotely by users with basic access permissions, and the exploit details have been publicly disclosed.
Roo Code is an AI tool that can automatically write code, and it stores settings in a `.roo/mcp.json` file that can execute commands. Before version 3.20.3, an attacker who could trick the AI (through prompt injection, a technique where hidden instructions are embedded in user input) into writing malicious commands to this file could run arbitrary code if the user had enabled automatic approval of file changes. This required multiple conditions: the attacker could submit prompts to the agent, the MCP (model context protocol, a system for connecting AI agents to external tools) feature was enabled, and auto-approval of writes was turned on.
Roo Code, an AI agent that writes code automatically, had a vulnerability (CVE-2025-53097) in versions before 3.20.3 where its file search tool ignored settings that should have blocked it from reading files outside the VS Code workspace (the folder a user is working in). An attacker could use prompt injection (tricking the AI by hiding instructions in its input) to make the agent read sensitive files and send that information over the network without user permission, though this attack required the attacker to already control what prompts the agent receives.
LLaMA-Factory, a library for training large language models, has a remote code execution vulnerability (RCE, where attackers can run malicious code on a victim's computer) in versions up to 0.9.3. Attackers can exploit this by uploading a malicious checkpoint file through the web interface, and the victim won't know they've been compromised because the vulnerable code loads files without proper safety checks.
iOS Simulator MCP Server (ios-simulator-mcp) versions before 1.3.3 have a command injection vulnerability (a security flaw where attackers insert shell commands into input that gets executed). The vulnerability exists because the `ui_tap` tool uses Node.js's `exec` function unsafely, allowing an attacker to trick an LLM through prompt injection (feeding hidden instructions to an AI to make it behave differently) to pass shell metacharacters like `;` or `&&` in parameters, which can execute unintended commands on the server's computer.
Claude Code is an AI-powered coding assistant available as extensions in popular coding editors (IDEs, or integrated development environments, which are software tools developers use to write code). Versions before 1.0.24 for VSCode and before 0.1.9 for JetBrains IDEs have a security flaw that lets attackers connect to the tool without permission when users visit malicious websites, potentially allowing them to read files, see what code the user is working on, or even run code in certain situations.
The Aiomatic WordPress plugin (versions up to 2.5.0) has a security flaw where it doesn't properly check what type of files users are uploading, allowing authenticated attackers with basic user access to upload harmful files to the server. This could potentially lead to RCE (remote code execution, where an attacker can run commands on a system they don't own), though an attacker needs to provide a Stability.AI API key value to exploit it.
A Server-Side Request Forgery (SSRF, a vulnerability where a server is tricked into making requests to internal or local systems on behalf of an attacker) vulnerability exists in the RequestsToolkit component of the langchain-community package version 0.0.27. The flaw allows attackers to scan ports, access local services, steal cloud credentials, and interact with local network servers because the toolkit doesn't block requests to internal addresses.
MLflow versions before 3.1.0 have a vulnerability in the gateway_proxy_handler component where it fails to properly validate the gateway_path parameter, potentially allowing SSRF (server-side request forgery, where an attacker tricks the server into making unwanted requests to internal systems). This validation gap could be exploited to access resources the attacker shouldn't be able to reach.
FastGPT, an AI Agent building platform, has a vulnerability in versions before 4.9.12 where the LastRoute parameter on the login page is not properly validated or cleaned of malicious code. This allows attackers to perform open redirect (sending users to attacker-controlled websites) or DOM-based XSS (injecting malicious JavaScript that runs in the user's browser).
A vulnerability in Postbox on macOS (CVE-2025-5963) allows local attackers to inject malicious code through environment variables like DYLD_INSERT_LIBRARIES, exploiting security settings that disable library validation. The injected code can bypass TCC (Transparency, Consent, and Control, which is macOS's permission system) but is limited to access that the user has already granted to the application. Since Postbox is no longer maintained and the acquiring company did not cooperate with security researchers, no patch or update is available.
Phoenix Code on macOS has a security weakness where certain entitlements (special permissions) allow dylib injection, which means an attacker with basic system access can secretly load malicious code into applications and bypass TCC (Transparency, Consent, and Control, Apple's permission system). The injected code can only access resources the user previously allowed, though accessing new resources requires user confirmation through a system prompt.
A bug in the Linux kernel's iavf driver caused memory leaks when the driver shut down, because it wasn't properly freeing DMA memory (memory that a device such as a network card reads and writes directly, without going through the CPU) that was used for the VF mailbox (a communication channel between a virtual function and the physical function that manages it). This left orphaned memory blocks that the system couldn't reclaim.
CVE-2025-5141 is a vulnerability in Fortra's BoKS (a privileged access manager, which is software that controls who can access sensitive systems) that allows low-privilege local users (people with basic access to a computer) to read cached data (temporarily stored information) on affected versions of the software running on Linux, AIX, and Solaris systems. The vulnerability affects BoKS versions 7.2.0 through 7.2.0.17, 8.1.0 through 8.1.0.22, 8.1.1 through 8.1.1.7, 9.0.0 through 9.0.0.1, and older BoKS 7.2 installations without a specific hotfix (security patch) number 0474.
Fix: Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder.
Source: NVD/CVE Database
Fix: Upgrade to version 3.20.3 or later. According to the source, "Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace."
Source: NVD/CVE Database
Fix: Update to version 0.9.4, which contains a fix for the issue.
Source: NVD/CVE Database
Fix: Update to version 1.3.3, which contains a patch for the issue.
Source: NVD/CVE Database
Anthropic's Slack MCP Server (a tool that lets AI agents interact with Slack) has a vulnerability where it doesn't disable link unfurling, a feature that automatically previews hyperlinks in messages. An attacker can use prompt injection (tricking an AI by hiding instructions in its input) to make an AI agent post a malicious link to Slack, which then leaks sensitive data like API keys to the attacker's server when Slack's systems automatically fetch the preview.
Fix: Claude released a patch on June 13th, 2025. For VSCode and similar editors, open Extensions (View->Extensions), find Claude Code for VSCode, and update or uninstall any version prior to 1.0.24, then restart the editor. For JetBrains IDEs (IntelliJ, PyCharm, Android Studio), open the Plugins list, find Claude Code [Beta], update or uninstall any version prior to 0.1.9, and restart the IDE. The extension auto-updates when launched, but users should manually verify they have the patched version.
Source: NVD/CVE Database
Fix: This issue has been fixed in version 0.0.28. Users should upgrade langchain-ai/langchain to version 0.0.28 or later.
Source: NVD/CVE Database
Runtime attacks on large language models are rapidly increasing, with jailbreak techniques (methods that bypass AI safety restrictions) and denial-of-service exploits (attacks that make systems unavailable) becoming more sophisticated and widely shared through open-source platforms like GitHub. The report explains that these attacks have evolved from isolated research experiments into organized toolkits accessible to threat actors, affecting production AI deployments across enterprises.
Fix: Upgrade MLflow to version 3.1.0 or later. The fix is available in the official release at https://github.com/mlflow/mlflow/releases/tag/v3.1.0.
Source: NVD/CVE Database
Fix: Update FastGPT to version 4.9.12 or later, where this issue has been patched.
Source: NVD/CVE Database
Fix: This issue was fixed in commit 0c75fb57f89d0b7d9b180026bc2624b7dcf807da.
Source: NVD/CVE Database
Fix: Free DMA regions for both ASQ and ARQ (the send and receive queues for the mailbox) in case an error happens during configuration of ASQ/ARQ registers, instead of leaving them allocated.
Source: NVD/CVE Database
Attackers can exploit large language models (LLMs) through "sponge attacks," which are denial of service (DoS) attacks that craft prompts designed to generate extremely long outputs, exhausting the model's resources and degrading performance. Researchers are developing methods to predict how long an LLM's response will be based on a given prompt, creating an early warning system to detect and prevent these resource-draining attacks.