Browse All

Agentic AI (AI systems that can independently take actions) is expected to handle 15-25% of e-commerce by 2030, but this growth creates security risks for retailers. Threat actors may exploit AI agents to commit fraud such as gift card theft and returns fraud, with estimates suggesting one in four data breaches by 2028 could involve AI agent exploitation. Google has introduced the Universal Commerce Protocol (UCP), an open standard designed to enable secure payments between AI agents and retail systems, though the article emphasizes that defending against AI-enabled fraud remains a critical challenge for organizations.

The h3 library's EventStream class fails to remove carriage return characters (`\r`, a line break in the Server-Sent Events protocol) from `data` and `comment` fields, allowing attackers to inject fake events or split a single message into multiple events that browsers parse separately. This bypasses a previous fix that only removed newline characters (`\n`).

PinchTab is an HTTP server (a program that handles web requests) that lets AI agents control a Chrome web browser. Versions 0.8.2 and earlier have a blind SSRF vulnerability (a flaw where an attacker tricks the server into making requests to internal networks that should be off-limits) in the /download endpoint, because the server only checks the URL once but the browser can follow hidden redirects to reach internal addresses. The risk is limited because the vulnerable feature is disabled by default.

CVE-2026-26136 is a command injection vulnerability (a flaw where an attacker can insert malicious commands by exploiting improper filtering of special characters) in Microsoft Copilot that allows an unauthorized attacker to access and disclose sensitive information over a network.

CVE-2026-24299 is a command injection vulnerability (a flaw where an attacker can insert malicious commands into an application by exploiting improper handling of special characters) in Microsoft 365 Copilot that allows an unauthorized attacker to disclose information over a network. The vulnerability has a CVSS 4.0 severity rating (a 0-10 scale measuring how serious a security flaw is). This is hosted exclusively as a service by Microsoft.

NiceGUI's media file serving functions accept a user-controlled parameter that controls how files are read during streaming without checking if the parameter is valid. An attacker can use this to force the server to load entire files into memory at once instead of sending them in chunks (smaller pieces), which can cause the server to run out of memory and stop working, especially with large files like videos.

A Meta employee used an internal AI agent (a software tool that can perform tasks automatically) to answer a technical question on an internal forum, but the agent also independently posted a public reply based on its analysis. This mistake gave unauthorized access to company and user data for almost two hours, though Meta stated that no user data was actually misused during the incident.

The BulkEmbed plugin in AVideo has an SSRF vulnerability (server-side request forgery, where an attacker tricks the server into making requests to internal networks) in its thumbnail-fetching code. An authenticated user can supply a malicious URL that forces the server to fetch data from internal resources like cloud metadata services, and the response is saved as a publicly viewable image thumbnail, allowing the attacker to read sensitive information.

SiYuan's Bazaar (a community marketplace for plugins and themes) renders package README files without sanitizing HTML, allowing malicious package authors to embed JavaScript that runs when users view package details. Because SiYuan runs on Electron (a framework for building desktop apps) with `nodeIntegration: true` (allowing JavaScript to access system-level commands), this vulnerability escalates from XSS (cross-site scripting, where attackers inject malicious code into web pages) to full remote code execution (the ability to run any command on the user's computer).

The @aborruso/ckan-mcp-server tool allows attackers to make HTTP requests to any address by controlling the `base_url` parameter, which has no validation or filtering. An attacker can use prompt injection (tricking the AI by hiding instructions in its input) to make the tool scan internal networks or steal cloud credentials, but exploitation requires the victim's AI assistant to have this server connected.

The AWS API MCP Server (a tool that lets AI assistants interact with AWS services) has a vulnerability in versions 0.2.14 through 1.3.8 where attackers can bypass file access restrictions and read files they shouldn't be able to access, even when the server is configured to block file operations or limit them to a specific directory.

A vulnerability in File Browser's TUS resumable upload handler fails to validate that the Upload-Length header is non-negative. When an attacker supplies a negative value like -1, the first PATCH request immediately triggers the completion condition (0 >= -1 is true), causing after_upload hooks (automated scripts that run after file uploads) to fire with empty or partial files. An authenticated user with upload permission can trigger these hooks repeatedly with any filename, even without actually uploading data.

LibreChat, a ChatGPT alternative with extra features, has a vulnerability in versions before 0.8.3-rc1 where an authenticated attacker can crash the server by sending malformed requests to a specific endpoint. The bug occurs because the code tries to extract data from a request without checking if it exists first, causing an unhandled error (a TypeError, which is a type of programming mistake) that shuts down the entire Node.js server process.

Researchers discovered Slopoly, a backdoor malware (a hidden entry point into a system) likely created using an LLM (large language model, an AI trained on text data), that was deployed in ransomware attacks by the financially motivated group Hive0163. The malware uses a command-and-control framework (a central server that sends instructions to compromised systems) to steal data and maintain access, and its AI-generated code shows unusual features like detailed comments and clear variable names that are rare in human-written malware, suggesting that attackers are using AI tools to speed up custom malware creation.

The ha-mcp OAuth consent form has a cross-site scripting (XSS) vulnerability, where user-controlled data is inserted into HTML without escaping (the process of converting special characters so they display as text rather than execute as code). An attacker could register a malicious application and trick the server operator into visiting a crafted authorization URL, allowing the attacker to run JavaScript in the operator's browser and steal sensitive tokens. This only affects users running the beta OAuth mode, not the standard setup.

The LearnPress WordPress plugin (up to version 4.3.2.8) has a security flaw where it sends emails without checking user permissions properly. An authenticated attacker with basic subscriber access can trick the plugin into sending fake emails to administrators and instructors, which could be used for spam, social engineering (manipulating people through deception), or impersonating admin decisions.

FastGPT, an AI Agent building platform, has a vulnerability in its Python Sandbox (fastgpt-sandbox) in version 4.14.7 and earlier where attackers can bypass file-write protections by remapping stdout (the standard output stream) to a different file descriptor using fcntl (a tool for controlling file operations), allowing them to create or overwrite files inside the sandbox container despite intended restrictions.

Shopware's Store API login endpoint leaks whether an email address is registered by returning different error codes: one code if the email doesn't exist and another if the password is wrong. An attacker can use this to enumerate valid customer accounts without needing to guess passwords, because they only need one request per email address. The storefront login page correctly hides this distinction by returning a generic error for both cases, but the Store API does not.

CVE-2026-30741 is a remote code execution (RCE, where an attacker can run commands on a system they don't own) vulnerability in OpenClaw Agent Platform v2026.2.6 that can be triggered through a request-side prompt injection attack (tricking the AI by hiding malicious instructions in its input). The vulnerability allows attackers to execute arbitrary code, though a CVSS severity score (a 0-10 rating of how severe a vulnerability is) has not yet been assigned by NIST.