aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI & LLM Vulnerabilities

Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.

2137 items

CVE-2026-38950: An issue in ESA AnomalyMatch before 1.3.1 allows attackers to execute arbitrary code via crafted model checkpoint files.

Severity: high | Type: vulnerability | Tag: security | Date: Jun 1, 2026 | ID: CVE-2026-38950

CVE-2026-38950 is a vulnerability in ESA AnomalyMatch before version 1.3.1 that allows attackers to run arbitrary code by uploading malicious model checkpoint files. The problem occurs because the software calls torch.load() with unrestricted deserialization (reconstructing saved Python objects from the file without safety checks), which can execute malicious code embedded in a crafted model file at load time.

Fix: Update to ESA AnomalyMatch version 1.3.1 or later.

Source: NVD/CVE Database

GHSA-rcmc-q9rj-4wmq: praisonai-platform: Any workspace member can rewrite workspace name, description, and settings via PATCH /workspaces/{id}

Severity: medium | Type: vulnerability | Tag: security | Date: Jun 1, 2026 | ID: CVE-2026-47411

The `PATCH /workspaces/{id}` endpoint in praisonai-platform allows any workspace member to change the workspace's name, description, and settings (a free-form JSON configuration object) because it only checks that the user is a member, not that they have owner-level permissions. This is dangerous because attackers could inject malicious settings that redirect API calls to attacker-controlled servers, disable logging, or change other critical configuration, depending on what the platform reads from the settings field.

Source: GitHub Advisory Database

CVE-2026-10214: A weakness has been identified in zhayujie chatgpt-on-wechat up to 2.0.8. This issue affects the function _get_safety_wa

Severity: high | Type: vulnerability | Tag: security | Date: May 31, 2026 | ID: CVE-2026-10214

An OS command injection vulnerability (a flaw that lets attackers run unauthorized system commands) was found in the Bash Tool component of chatgpt-on-wechat, affecting versions up to 2.0.8. The vulnerability exists in the _get_safety_warning function and can be exploited remotely, meaning an attacker does not need direct access to the affected system. This weakness has been publicly disclosed and could be actively exploited.

Fix: Upgrading to version 2.0.9 is capable of addressing this issue. The patch is identified as 16d9b449c9aa53ccee44144a762a2737d7ba4fc4.

Source: NVD/CVE Database

GHSA-hvhp-v2gc-268q: PraisonAI has an Arbitrary File Write in Python API

Severity: high | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-47397

PraisonAI (a framework for building AI agents) versions 4.6.37 and earlier have a vulnerability where hidden metadata in webpages can trick AI agents into writing files to any location on the system. The bug happens because the `write_file` function skips path validation (checking whether a file path is safe) when the workspace parameter is `None`, which is the default in production environments.

Fix: Set a default workspace directory and validate that file paths stay within it. The fix involves: (1) replacing the `None` workspace with the current working directory using `workspace = os.getcwd()`, and (2) checking that the absolute path stays within the workspace using `is_path_within_directory(abs_path, workspace)` before writing, returning an error if the path is outside the workspace.

Source: GitHub Advisory Database

GHSA-vg22-4gmj-prxw: PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution

Severity: critical | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-47391

PraisonAI's example A2A server (an agent-to-agent communication system) has a critical vulnerability where unauthenticated remote clients can execute arbitrary Python code. The vulnerability exists because the example exposes the server without authentication, binds it to all network interfaces (0.0.0.0), and registers a 'calculate' tool that uses Python's eval() function (which executes any code passed to it as a string). An attacker can send a specially crafted request that tricks the AI model into calling this unsafe tool, leading to RCE (remote code execution).

Source: GitHub Advisory Database

GHSA-9cr9-25q5-8prj: PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate

Severity: high | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-47394

PraisonAI has a security vulnerability where unauthenticated users can read any file on the system through multiple handlers, including `workflow.show`, `workflow.validate`, and `deploy.validate`. The problem exists because these file-handling tools do not validate or restrict file paths before reading them, and the dispatcher that calls these tools does not enforce security checks on incoming requests.

Source: GitHub Advisory Database

GHSA-4mr5-g6f9-cfrh: PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)

Severity: critical | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-47392

PraisonAI's `execute_code()` function has a critical sandbox escape vulnerability that allows attackers to execute arbitrary commands on the host system. The vulnerability stems from four gaps in the security validation: the `__self__` attribute (which retrieves the real Python builtins module) is not blocked, the `vars()` function is not restricted, attribute-based function calls bypass the checks, and string concatenation bypasses the string constant filters. An attacker can use these gaps to reach the `__import__` function and run OS commands, completely defeating the sandbox protection.

Source: GitHub Advisory Database

GHSA-5cxw-77wg-jrf3: PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context

Severity: medium | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-47395

PraisonAI's CLI automatically expands @url mentions in prompts by making HTTP requests to any URL without restrictions, including localhost addresses. This allows an attacker to embed a malicious prompt containing `@url:http://localhost:8766/` to make the user's machine fetch local-only HTTP resources (such as metadata services or internal APIs) and inject the response into the model's context, creating a local SSRF (server-side request forgery, where a system is tricked into making requests to internal networks) vulnerability.

Source: GitHub Advisory Database

GHSA-8444-4fhq-fxpq: PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default

Severity: critical | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-47393

PraisonAI version 4.6.33 generates a Flask API server with authentication disabled by default when users run `praisonai deploy --type api`. The server exposes endpoints such as `/chat` and `/agents` that accept unauthenticated requests and can execute user-supplied commands with access to API keys stored in the environment.

Fix: Enable authentication by explicitly setting `APIConfig(auth_enabled=True, auth_token=...)` when deploying the API server.

Source: GitHub Advisory Database

GHSA-78r8-wwqv-r299: PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334

Severity: high | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-47398

PraisonAI versions up to 4.6.37 contain a critical vulnerability where two functions in `agents_generator.py` call `spec.loader.exec_module` (a method that loads and runs Python code from a file) without any security checks or validation. An attacker can exploit this by supplying a malicious Python file path through YAML configuration, either by modifying shared config files, submitting a crafted recipe via GitHub, or using prompt injection (tricking the AI into loading code from a malicious path), resulting in arbitrary code execution (the ability to run any commands on the system).

Source: GitHub Advisory Database

GHSA-c4m7-2gwp-vw76: ouroboros-ai Vulnerable to Remote Code Execution via Untrusted Project-Directory .env

Severity: high | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-47211

Ouroboros (an AI tool) has a remote code execution vulnerability where loading a `.env` file (a configuration file with environment variables) from a cloned repository could let an attacker run malicious code on your system. The flaw occurs because Ouroboros reads execution-controlling settings such as CLI paths directly from the project directory's `.env` file without checking whether they are trustworthy, allowing an attacker to point these paths at their own malicious scripts.

Fix: The vulnerability has been patched in version 0.39.0 via PR #1078. The fix applies a denylist that blocks execution-affecting environment variables from being loaded from the project directory's `.env` file, while still allowing trusted configuration from the user's home directory (`~/.ouroboros/.env`). Users are strongly advised to upgrade to version 0.39.0 or later. If upgrading is not immediately possible, users must carefully inspect any `.env` file inside cloned repositories before running Ouroboros commands to ensure it does not contain unexpected `OUROBOROS_*_CLI_PATH` or `OPENCODE_CLI_PATH` overrides.

Source: GitHub Advisory Database

CVE-2026-44287: FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, the JavaScript sandbox worker at projects/code-sandbox/

Severity: medium | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-44287

FastGPT, an AI Agent building platform, had a vulnerability in its JavaScript sandbox worker that failed to properly block dynamic imports (a way to load code at runtime). An attacker could bypass the security filter using a comment syntax (import/**/("child_process")) that the filter did not recognize, allowing them to execute arbitrary commands inside the sandbox container.

Fix: This vulnerability is fixed in version 4.15.0-beta1.

Source: NVD/CVE Database

CVE-2026-44285: FastGPT is an AI Agent building platform. Prior to 4.15.0-beta1, a Server-Side Request Forgery (SSRF) vulnerability allo

Severity: high | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-44285

FastGPT, an AI Agent building platform, had a Server-Side Request Forgery (SSRF) vulnerability (a flaw that lets attackers trick a server into making requests to internal systems it should not access) in versions before 4.15.0-beta1. An authenticated attacker could bypass the security protections and make unauthorized requests to internal network services by exploiting an incomplete fix in the dataset preview endpoint when using the externalFile data import type.

Fix: Update FastGPT to version 4.15.0-beta1 or later, where this vulnerability is fixed.

Source: NVD/CVE Database

CVE-2026-46372: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

Severity: high | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-46372

SillyTavern, a locally installed tool for interacting with AI text and image generation models, had a vulnerability in versions before 1.18.0 where the /api/search/searxng endpoint allowed authenticated users to trick the server into making requests to internal or hidden services (SSRF, or server-side request forgery, where an attacker manipulates a server into accessing resources it should not). An attacker could use this to access data from services that should only be reachable internally.

Fix: This vulnerability is fixed in version 1.18.0.

Source: NVD/CVE Database

CVE-2026-44652: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

Severity: medium | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-44652

SillyTavern is a locally installed interface for interacting with text generation AI models and other AI tools. Versions before 1.18.0 had a vulnerability where the corsProxyMiddleware (a component that handles web requests) forwarded user-supplied URLs directly to the fetch function without proper security checks, allowing SSRF (server-side request forgery, where an attacker tricks the server into making requests to unintended targets) attacks.

Fix: This vulnerability is fixed in version 1.18.0.

Source: NVD/CVE Database

CVE-2026-44651: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

Severity: medium | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-44651

SillyTavern is a locally installed interface for interacting with text generation AI models and related tools. Prior to version 1.18.0, the software had a cross-site scripting vulnerability (XSS, where attackers inject malicious code into web pages), because user-controlled URLs were displayed in error messages without being HTML-escaped (made safe for web display), allowing attackers to inject harmful scripts.

Fix: This vulnerability is fixed in version 1.18.0. Users should update SillyTavern to 1.18.0 or later.

Source: NVD/CVE Database

CVE-2026-44650: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

Severity: critical | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-44650

SillyTavern is a locally installed interface for interacting with text generation AI models, image generators, and voice tools. Prior to version 1.18.0, a vulnerability allowed attackers to delete the entire user extensions directory without authentication by sending a specially crafted request to the delete endpoint that bypassed filename validation (a security check that prevents malicious file paths).

Fix: This vulnerability is fixed in version 1.18.0. Users should update SillyTavern to 1.18.0 or later.

Source: NVD/CVE Database

CVE-2026-44649: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

Severity: critical | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-44649

SillyTavern, a locally installed interface for interacting with AI language models and image generators, had a vulnerability in versions before 1.18.0 where it trusted the HTTP headers used by single sign-on systems (Remote-User and X-Authentik-Username) without verifying that they came from a trusted source. This meant anyone who could connect directly to SillyTavern could forge these headers to log in as any user, including administrators, without a password, but only if SSO was explicitly enabled in the configuration.

Fix: Update SillyTavern to version 1.18.0 or later, which fixes the vulnerability.

Source: NVD/CVE Database

CVE-2026-44648: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

Severity: high | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-44648

SillyTavern is a locally installed interface for interacting with text generation AI models. Before version 1.18.0, it had a security flaw where changing a password or recovering an account did not log out existing sessions, because all session information was stored in a signed cookie (a small piece of data the browser keeps) rather than on the server, making it impossible to revoke access even after a password change.

Fix: This vulnerability is fixed in version 1.18.0.

Source: NVD/CVE Database

CVE-2026-45312: RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injectio

Severity: critical | Type: vulnerability | Tag: security | Date: May 29, 2026 | ID: CVE-2026-45312

RAGFlow, an open-source RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions) engine, has a Jinja2 template injection vulnerability (a flaw where untrusted data gets processed as code by a templating system) in version 0.24.0 and earlier. Any registered user can exploit this flaw in the prompt generator to run arbitrary OS commands on the server by creating a Canvas workflow with specific components.

Source: NVD/CVE Database

Page 10 of 107