aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.


Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI & LLM Vulnerabilities

Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.

2137 items

GHSA-27vp-2mmc-vmh3: nono: Sandbox escape on Linux via D-Bus: `systemd-run --user`

Severity: medium | Type: vulnerability | Tags: security
May 28, 2026 | CVE-2026-47128

nono is a Linux sandboxing tool built on Landlock (a kernel mechanism that restricts a process's filesystem access) and seccomp (which restricts the system calls it may make). Both confine the sandboxed process and any children it spawns, but nono did not stop the sandboxed process from talking to the user's systemd instance over its D-Bus socket. A process inside the sandbox can ask that service manager to start a transient unit, which is what `systemd-run --user` does. The new process is a child of systemd, not of the sandboxed process, so it inherits none of the Landlock or seccomp restrictions and runs with the user's full permissions. An AI agent or untrusted tool given bash access inside the sandbox can use this to write files or run commands outside it.

Fix: the advisory states that support for restricting this behaviour has since been added and that the fix is available in the repository pending release; it gives no version number, patch details or explicit mitigation steps.

Source: GitHub Advisory Database

CVE-2026-4944: vllm-project/vllm version 0.14.1 contains a vulnerability where the `trust_remote_code=True` parameter is hardcoded in t

Severity: high | Type: vulnerability | Tags: security
May 28, 2026 | CVE-2026-4944

vLLM 0.14.1 hardcodes `trust_remote_code=True` in two model-loading files, so the value a user passes is ignored. `trust_remote_code` is the Hugging Face transformers switch that lets a model repository ship its own Python modules (referenced from the model's config.json) and have them imported and run during loading. With it forced on, loading a malicious model from the Hugging Face Hub executes attacker-controlled code inside the vLLM process (RCE). The advisory notes that the hardcoding was itself a partial fix attempt for two earlier vulnerabilities and did not fully resolve them.
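What `trust_remote_code` actually gates, and why hardcoding it discards the caller's decision, as an added example that is not vLLM's or transformers' code. It assumes one thing about the Hugging Face model format that the advisory does not spell out: a repository that needs custom classes declares them in config.json under "auto_map" (for example {"AutoModelForCausalLM": "modeling_x.XModel"}), and those modules are imported into the loading process. The config.json texts, the `plan_load` helper and the `RemoteCodeRefused` exception are constructed for this example.

```python
"""Added example: the decision trust_remote_code controls, beside the
vulnerable shape (argument accepted, then overwritten) and the fixed shape."""
import json


class RemoteCodeRefused(Exception):
    """The model needs custom code and the caller did not opt in."""


def custom_code_modules(config: dict) -> list:
    """Python files a repository must ship for this config to load.

    Assumption: "auto_map" values look like "modeling_x.XModel" or
    "org/repo--modeling_x.XModel"; the part before the class name is a
    module file inside the model repository.
    """
    modules = set()
    for ref in config.get("auto_map", {}).values():
        ref = ref.split("--", 1)[-1]              # drop an optional "org/repo--" prefix
        modules.add(ref.rsplit(".", 1)[0] + ".py")
    return sorted(modules)


def plan_load(config: dict, trust_remote_code: bool) -> dict:
    """Describe what loading implies; refuse repo code unless explicitly allowed."""
    modules = custom_code_modules(config)
    if modules and not trust_remote_code:
        raise RemoteCodeRefused(
            f"{config.get('architectures')} requires importing {modules}; "
            "pass trust_remote_code=True only for a repository you have reviewed"
        )
    return {
        "architectures": config.get("architectures", []),
        "imports_repo_code": bool(modules),
        "modules": modules,
    }


def load_vulnerable(config_json: str, trust_remote_code: bool = False) -> dict:
    """The shape of the 0.14.1 bug: the parameter exists but is overwritten."""
    trust_remote_code = True                      # hardcoded; the caller's False is lost
    return plan_load(json.loads(config_json), trust_remote_code)


def load_fixed(config_json: str, trust_remote_code: bool = False) -> dict:
    """The caller's choice is the only thing that enables repository code."""
    return plan_load(json.loads(config_json), trust_remote_code)


# Constructed config.json texts: a plain model and one that ships custom code.
PLAIN_CONFIG = json.dumps({"architectures": ["LlamaForCausalLM"], "vocab_size": 32000})
CUSTOM_CONFIG = json.dumps({
    "architectures": ["ExampleForCausalLM"],
    "auto_map": {
        "AutoConfig": "configuration_example.ExampleConfig",
        "AutoModelForCausalLM": "modeling_example.ExampleForCausalLM",
    },
})


if __name__ == "__main__":
    print(load_fixed(PLAIN_CONFIG))               # no repository code involved
    print(load_vulnerable(CUSTOM_CONFIG))         # loads anyway: imports_repo_code True
    try:
        load_fixed(CUSTOM_CONFIG)                 # caller said no, so it is refused
    except RemoteCodeRefused as e:
        print("refused:", e)
```

The point of `custom_code_modules` is that the decision can be made before any download or import: a loader can list the files it would execute and refuse up front, instead of discovering the custom code after the model's own Python is already running.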

GHSA-995v-fvrw-c78m: opentelemetry-go's Schema ParseFile leaks file descriptors on each parse

Severity: low | Type: vulnerability | Tags: security
May 28, 2026 | CVE-2026-45287

OpenTelemetry Go's schema `ParseFile` function opens the schema file but never closes it, so every call leaks one file descriptor (the process's handle on an open file). In a long-running process that re-parses schema files, for example on a timer or per request, the leaked descriptors accumulate until the process reaches its open-file limit, after which it can no longer open files or accept connections and fails or crashes: a denial of service.

GHSA-5wrp-cwcj-q835: opentelemetry-go's baggage parsing no longer caps raw header length

Severity: medium | Type: vulnerability | Tags: security
May 28, 2026 | CVE-2026-41178

Baggage is the W3C `baggage` HTTP header that OpenTelemetry uses to pass key/value context between services. OpenTelemetry Go's parser used to reject an oversized header before doing any work; that check was removed, so the parser now walks every member of an arbitrarily large or malformed header and, with the default logger, emits an error for each invalid member it finds. An attacker who controls an inbound header can make every service that parses baggage burn CPU and memory and flood its logs: a denial of service.
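A baggage header parser that applies size caps before parsing, with the caps switchable off so the work done on a hostile header can be compared, as an added example that is not opentelemetry-go's code. The limits are the ones the W3C Baggage specification sets (8192 bytes per header, 180 members, 4096 bytes per member). Key and value validation is simplified (token keys, printable values, percent-decoding), member properties after `;` are ignored, and the sample headers are constructed.

```python
"""Added example: W3C Baggage parsing with and without an upfront size cap."""
import string
from urllib.parse import unquote

MAX_HEADER_BYTES = 8192     # W3C Baggage: maximum bytes per baggage string
MAX_MEMBERS = 180           # W3C Baggage: maximum number of name/value pairs
MAX_MEMBER_BYTES = 4096     # W3C Baggage: maximum bytes per name/value pair

# RFC 7230 tchar: the characters allowed in a baggage key
_TCHAR = set("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)


class BaggageTooLarge(ValueError):
    """Raised before any member is examined when a cap is exceeded."""


def _valid_key(key: str) -> bool:
    return bool(key) and all(c in _TCHAR for c in key)


def _valid_value(value: str) -> bool:
    # baggage-octet: printable ASCII except space, '"', ',', ';' and '\'
    return all(0x21 <= ord(c) <= 0x7E and c not in '",;\\' for c in value)


def parse_baggage(header: str, *, cap_input: bool = True) -> tuple:
    """Return (members, stats).

    stats["examined"] counts members the parser walked and stats["logged"]
    the invalid ones it would hand to the logger. With cap_input=False both
    grow with attacker-controlled input, which is the denial of service.
    """
    stats = {"examined": 0, "logged": 0}
    if cap_input and len(header.encode("utf-8")) > MAX_HEADER_BYTES:
        raise BaggageTooLarge(f"header is {len(header)} bytes, cap is {MAX_HEADER_BYTES}")
    raw_members = [m for m in header.split(",") if m.strip()]
    if cap_input and len(raw_members) > MAX_MEMBERS:
        raise BaggageTooLarge(f"{len(raw_members)} members, cap is {MAX_MEMBERS}")

    members = {}
    for raw in raw_members:
        stats["examined"] += 1
        if cap_input and len(raw.encode("utf-8")) > MAX_MEMBER_BYTES:
            raise BaggageTooLarge("member exceeds per-member cap")
        kv, _, _properties = raw.partition(";")       # properties are not interpreted here
        key, sep, value = kv.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not _valid_key(key) or not _valid_value(value):
            stats["logged"] += 1                      # a real parser logs each of these
            continue
        members[key] = unquote(value)                 # later duplicates win
    return members, stats


# Constructed inputs: a normal header and a hostile one with 100k junk members.
NORMAL = "userId=alice,serverNode=DF%2028;ttl=1,isProduction=false"
HOSTILE = ",".join(f"junk{i}" for i in range(100_000))


def compare() -> dict:
    """Work done on HOSTILE with the cap in place and with it removed."""
    out = {}
    try:
        parse_baggage(HOSTILE)
        out["capped"] = "parsed"
    except BaggageTooLarge:
        out["capped"] = "rejected before parsing"
    _, stats = parse_baggage(HOSTILE, cap_input=False)
    out["uncapped_examined"] = stats["examined"]
    out["uncapped_logged"] = stats["logged"]
    return out


if __name__ == "__main__":
    print(parse_baggage(NORMAL))
    print(compare())
```

The first two checks run on the raw header before any splitting into members, so the cost of rejecting a hostile header is one length check rather than one log line per member.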

CVE-2026-45136: claude-code-cache-fix is a cache optimization proxy for Claude Code. From 3.5.0 to before 3.5.2, tools/quota-statusline.

Severity: high | Type: vulnerability | Tags: security
May 27, 2026 | CVE-2026-45136

claude-code-cache-fix is a caching proxy that speeds up Claude Code. In versions 3.5.0 through 3.5.1, the script tools/quota-statusline.sh interpolates input into a Python triple-quoted string literal without escaping it. Input containing the sequence `'''` terminates the literal early, and whatever follows is parsed and executed as Python (code injection, CWE-94). The advisory rates it high severity and treats the attacker as local: someone who can control the input Claude Code feeds to the status line.

GHSA-mxfr-6hcw-j9rq: Langroid has Prompt to SQL Injection, Leading to RCE

Severity: critical | Type: vulnerability | Tags: security
May 27, 2026 | CVE-2026-25879

In Langroid before 0.63.0, SQLChatAgent (an agent that lets an LLM run SQL against a database) executes whatever SQL the model produces. Text the model reads can come from an attacker (query results, documents, web content), so a prompt injection hidden in that input can steer it into emitting destructive statements such as DROP, DELETE or UPDATE instead of the read-only queries the agent is meant for. If the database account has elevated privileges, that SQL can be turned into remote code execution on the database server, and into theft or deletion of data.

CVE-2026-45046: Gryph provides a security layer for AI coding agents. Prior to 0.7.0, Gryph implements logging levels that determine wha

Severity: medium | Type: vulnerability | Tags: security, privacy
(The date, description, fix and source for this entry appear further down the page, under CVE-2026-45046.)

CVE-2026-48545: Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Spa

Severity: medium | Type: vulnerability | Tags: security
May 27, 2026 | CVE-2026-48545

Gradio before 6.15.0 shares one HTTP client across Spaces (hosted Gradio apps). An attacker who controls one Space can inject a cookie into that shared client, and the client then sends the cookie along with its requests to every other Space. That lets the attacker fix the session identifier carried by other users' requests (session fixation) across Spaces, affecting every user of the deployment.

CVE-2026-7528: IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption.

Severity: high | Type: vulnerability | Tags: security
May 27, 2026 | CVE-2026-7528

IBM Langflow OSS 1.0.0 through 1.9.0 does not bound the memory, CPU or other resources a single request can consume (uncontrolled resource consumption). An attacker can send requests that exhaust those resources and make the service unavailable to other users: a denial of service.

CVE-2026-7524: IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links duri

Severity: critical | Type: vulnerability | Tags: security
May 27, 2026 | CVE-2026-7524

IBM Langflow OSS 1.0.0 through 1.9.1 does not validate symbolic links when it extracts archive files. An archive can therefore contain a symlink whose target lies outside the extraction directory and a later member that writes through it, placing attacker-controlled files at arbitrary paths (path traversal, CWE-22). Since the attacker can then overwrite files the application loads or executes, the result is remote code execution.

CVE-2026-45321: TanStack Unspecified Vulnerability

Severity: critical | Type: vulnerability | Tags: security
May 26, 2026 | CVE-2026-45321 | Flagged: actively exploited
(The description, fix and source for this entry appear further down the page, under CVE-2026-45321.)

CVE-2026-44895: GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships

Severity: critical | Type: vulnerability | Tags: security
May 26, 2026 | CVE-2026-44895

GitLab MCP Server exposes GitLab to AI agents over the Model Context Protocol. Before 0.6.0 its HTTP transport (src/transport.ts) serves the MCP endpoint without any authentication and, by default, binds to every network interface instead of loopback. Any website the operator visits, and any host that can reach the machine, can therefore send MCP requests that the server executes with the operator's stored GitLab credentials, including requests that modify repositories.

CVE-2026-44723: Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pul

Severity: medium | Type: vulnerability | Tags: security
May 26, 2026 | CVE-2026-44723

Vowpal Wabbit's GitHub Actions workflow .github/workflows/python_checks.yml places the `${{ github.event.pull_request.title }}` expression directly inside a `run:` script. GitHub expands the expression into the script text before bash parses it, so a pull request title containing shell metacharacters (a `$(...)` substitution, or a quote that closes the intended string) is executed as shell on the runner before the Python step starts. Pull requests can be opened against any branch without special permission, so anyone can trigger it. The usual remedy is to pass the title to the step through an `env:` variable and reference it as a quoted `"$TITLE"`, which bash treats as data rather than code.

CVE-2026-24162: NVIDIA Transformers4Rec for Linux contains a vulnerability where an attacker could cause improper deserialization of unt

Severity: high | Type: vulnerability | Tags: security
May 26, 2026 | CVE-2026-24162

NVIDIA Transformers4Rec for Linux deserializes untrusted data unsafely (reconstructing objects from a stored format without validating the input). An attacker who can supply crafted serialized data may achieve code execution, data tampering and information disclosure. NIST has not yet assigned a CVSS score (the 0-10 severity rating) to CVE-2026-24162.

CVE-2026-9540: A vulnerability was identified in vllm-project vllm 0.19.0. This issue affects some unknown processing of the component

Severity: medium | Type: vulnerability | Tags: security
May 26, 2026 | CVE-2026-9540

vLLM 0.19.0 has a remotely triggerable denial-of-service flaw in its OpenAI-compatible serving path (the HTTP API that mimics the OpenAI endpoints); the record does not identify the exact processing step affected. It carries a CVSS score of 5.5 (medium), and a public exploit is already available.

CVE-2026-9255 - Tool Execution Without Authorization via Piped Stdin in Kiro CLI

Severity: high | Type: vulnerability | Tags: security
May 22, 2026 | CVE-2026-9255

Kiro CLI is a command-line agent that lets developers have an AI run code and shell commands, normally behind a user-approval step. It does not properly verify where its input comes from before authorizing tool execution, so a local attacker who can feed crafted data to the process through stdin (a pipe rather than the interactive terminal) can have tools, including arbitrary commands, executed without the user's approval.

GHSA-j3vx-cx2r-pvg8: Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret

Severity: high | Type: vulnerability | Tags: security
May 21, 2026 | CVE-2026-46701

Network-AI v5.4.4 starts its MCP server (which lets AI models call external functions) with the shared secret defaulting to empty, and its authentication check passes unconditionally when the configured secret is empty. The server also answers cross-origin requests from any origin (a wildcard CORS policy). A malicious web page that a user merely visits can therefore issue requests from the user's browser to the Network-AI server on localhost, with no password required, and invoke dangerous tools such as config_set and agent_spawn.
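The request checks a localhost MCP server over HTTP needs before acting on a request, covering what this entry and the GitLab MCP Server entry above describe as missing: a secret that cannot be empty, a Host and Origin check so pages in the user's browser cannot drive the server, and a loopback-only bind. This is an added example, not Network-AI's or GitLab MCP Server's code. Header names follow HTTP; the `Rejected` exception, the 16-character minimum and the sample requests are this example's own assumptions.

```python
"""Added example: startup and per-request checks for a local MCP HTTP server."""
from __future__ import annotations
import hmac
import ipaddress
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


class Rejected(Exception):
    pass


def naive_authenticated(presented: str, configured: str) -> bool:
    """The failure mode: an empty configured secret matches an empty (absent)
    presented secret, so every request 'authenticates'."""
    return presented == configured


def require_secret(configured: str | None) -> str:
    """Run at startup: refuse to serve with an empty or short secret."""
    if not configured or len(configured) < 16:
        raise Rejected("MCP secret unset or shorter than 16 characters; refusing to start")
    return configured


def require_loopback_bind(host: str) -> str:
    """Run at startup: the listener must stay on loopback, not 0.0.0.0 or ::."""
    if not ipaddress.ip_address(host).is_loopback:
        raise Rejected(f"refusing to bind {host}; use 127.0.0.1 or ::1")
    return host


def _hostname(value: str) -> str:
    # Works for "Host: [::1]:8080" and for "Origin: https://evil.example".
    return urlsplit(value if "://" in value else "//" + value).hostname or ""


def check_request(headers: dict, secret: str) -> str:
    h = {k.lower(): v for k, v in headers.items()}
    # 1. Host must name this listener. Defeats DNS rebinding: once
    #    attacker.example has been rebound to 127.0.0.1, the browser still
    #    sends Host: attacker.example.
    if _hostname(h.get("host", "")) not in LOCAL_HOSTS:
        raise Rejected(f"unexpected Host {h.get('host')!r}")
    # 2. A browser request carries Origin; only local pages may call us.
    #    (Answering with Access-Control-Allow-Origin: * would undo this.)
    origin = h.get("origin")
    if origin is not None and _hostname(origin) not in LOCAL_HOSTS:
        raise Rejected(f"cross-site request from {origin!r}")
    # 3. Shared secret, compared in constant time; never empty (see require_secret).
    scheme, _, token = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(token.encode(), secret.encode()):
        raise Rejected("missing or wrong bearer secret")
    return "ok"


def cors_headers(origin: str | None) -> dict:
    """Echo only a local origin back, never the wildcard."""
    if origin is not None and _hostname(origin) in LOCAL_HOSTS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    secret = require_secret("c0rrect-h0rse-battery-staple")
    require_loopback_bind("127.0.0.1")
    print(check_request({"Host": "127.0.0.1:8080", "Authorization": "Bearer " + secret}, secret))
    print(naive_authenticated("", ""))        # True: the empty-secret bypass
    print(cors_headers("https://evil.example"))
```

The Host check matters even with a secret in place: a bearer token defends against cross-site pages, but only the Host and Origin checks stop a rebound hostname or a page on the same machine from being treated as the local IDE client.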

GHSA-f396-4rp4-7v2j: Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host

Severity: critical | Type: vulnerability | Tags: security
May 21, 2026 | CVE-2026-46703

Boxlite is a sandbox service for running containers. When it extracts a container image (whose layers are tar archives), it does not validate symlink targets, so a crafted image can contain a symlink that points outside the extraction directory, followed by a member that writes through it (path traversal). Such an image can write files anywhere on the host, which is enough for remote code execution on it.
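A tar member checker that refuses the symlink-then-write pattern this entry and the Langflow symlink entry above describe, as an added example that is not Boxlite's or Langflow's code. Python 3.12 and the patched 3.8 to 3.11 releases ship `tarfile.data_filter` with similar rules; the checks are spelled out here so the policy is visible. The malicious and benign archives are constructed in memory, and `UnsafeMember`, `check_members` and `verdict` are this example's own names.

```python
"""Added example: validating tar members before extraction."""
from __future__ import annotations
import io
import posixpath
import tarfile


class UnsafeMember(Exception):
    pass


def _inside(path: str, what: str) -> str:
    """Normalise an archive path and reject anything leaving the extraction root."""
    norm = posixpath.normpath(path)
    if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
        raise UnsafeMember(f"{what} {path!r} escapes the extraction directory")
    return norm


def check_members(tar: tarfile.TarFile) -> int:
    """Validate every member in archive order; return the member count.

    Order matters: a symlink placed earlier changes where a later path lands,
    which is how an image layer can write outside the container's rootfs.
    """
    symlinks: dict[str, str] = {}
    count = 0
    for m in tar:
        count += 1
        name = _inside(m.name, "member")
        # A parent directory that the archive itself declared as a symlink
        # would redirect this write; refuse rather than follow.
        parts = name.split("/")
        for depth in range(1, len(parts)):
            prefix = "/".join(parts[:depth])
            if prefix in symlinks:
                raise UnsafeMember(f"{m.name!r} writes through symlink {prefix!r}")
        if m.issym():
            target = posixpath.normpath(posixpath.join(posixpath.dirname(name), m.linkname))
            _inside(target, "symlink target")      # absolute or ../-escaping target
            symlinks[name] = target
        elif m.islnk():
            _inside(m.linkname, "hardlink target")
        elif m.isdev():
            raise UnsafeMember(f"device node {m.name!r} not allowed")
    return count


def safe_extract(data: bytes, dest: str) -> int:
    """Check the whole archive first, then extract (with the stdlib filter where available)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        n = check_members(tar)
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **extra)
    return n


def build_malicious_tar() -> bytes:
    """Constructed layer: 'etc' is a symlink out of the rootfs, then etc/passwd is written through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("etc")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"           # relative escape; "/etc" is caught the same way
        tar.addfile(link)
        payload = b"root::0:0:root:/root:/bin/sh\n"
        f = tarfile.TarInfo("etc/passwd")
        f.size = len(payload)
        tar.addfile(f, io.BytesIO(payload))
    return buf.getvalue()


def build_benign_tar() -> bytes:
    """Constructed layer: a file plus a symlink that stays inside the rootfs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"hello\n"
        f = tarfile.TarInfo("app/hello.txt")
        f.size = len(payload)
        tar.addfile(f, io.BytesIO(payload))
        link = tarfile.TarInfo("app/latest.txt")
        link.type = tarfile.SYMTYPE
        link.linkname = "hello.txt"
        tar.addfile(link)
    return buf.getvalue()


def verdict(data: bytes) -> str:
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        try:
            return f"ok ({check_members(tar)} members)"
        except UnsafeMember as e:
            return f"rejected: {e}"


if __name__ == "__main__":
    print(verdict(build_benign_tar()))
    print(verdict(build_malicious_tar()))
```

Checking the complete member list before extracting anything is deliberate: a per-member check applied during extraction still leaves earlier members on disk when a later one is rejected.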

GHSA-g6ww-w5j2-r7x3: BoxLite: Permission Bypass Allows Modification of Read-Only Files

Severity: critical | Type: vulnerability | Tags: security
May 21, 2026 | CVE-2026-46695

BoxLite runs untrusted code in lightweight virtual machines and offers to share host directories into the box read-only. The read-only flag is not enforced: BoxLite asks libkrun (the VM runtime) to mount the directory without it, and it does not limit the capabilities available inside the container, including the one that mount(2) requires (CAP_SYS_ADMIN). Code in the box can therefore remount the directory read-write and modify host files that were supposed to be protected.

GHSA-cqp8-fcvh-x7r3: Pydantic AI: SSRF cloud-metadata blocklist bypass via IPv4-mapped IPv6 (Incomplete fix of CVE-2026-25580)

Severity: medium | Type: vulnerability | Tags: security
May 21, 2026 | CVE-2026-46678

Pydantic AI blocks fetches to cloud-metadata endpoints (the internal addresses, such as 169.254.169.254, that hand out instance credentials). The blocklist was written for IPv4 literals, so an attacker could bypass it by writing the same address in an IPv6 transition form (IPv4-mapped IPv6, 6to4 or NAT64), which the network stack still routes to the blocked IPv4 endpoint. This is an incomplete fix of CVE-2026-25580 and only affects applications that pass `force_download='allow-local'` on file URLs that untrusted users can influence.
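Normalising an IP literal to the IPv4 address it actually reaches before consulting a blocklist, so the three transition forms named in the advisory cannot slip a blocked address past a check written for dotted-quad IPv4. This is an added example, not Pydantic AI's code; the blocklist, the `naive_blocked` and `is_blocked` names, and the sample addresses are this example's own. Only literal addresses are handled: a hostname must be resolved first, and every address it resolves to must be checked the same way.

```python
"""Added example: blocklist check that sees through IPv6 transition encodings."""
from __future__ import annotations
import ipaddress
from urllib.parse import urlsplit

NAT64 = ipaddress.ip_network("64:ff9b::/96")      # RFC 6052 well-known prefix

# Destinations a fetch made on behalf of a user must never reach.
BLOCKED_V4 = [
    ipaddress.ip_network("169.254.0.0/16"),       # link-local, incl. 169.254.169.254 metadata
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),        # carrier-grade NAT, some cloud-internal ranges
    ipaddress.ip_network("0.0.0.0/8"),
]


def embedded_ipv4(addr):
    """Return the IPv4 address an IPv6 literal really denotes, or None."""
    if isinstance(addr, ipaddress.IPv4Address):
        return addr
    if addr.ipv4_mapped is not None:               # ::ffff:169.254.169.254
        return addr.ipv4_mapped
    if addr.sixtofour is not None:                 # 2002:a9fe:a9fe::  (2002:<v4 in hex>::)
        return addr.sixtofour
    if addr in NAT64:                              # 64:ff9b::a9fe:a9fe
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return None


def naive_blocked(literal: str) -> bool:
    """The pre-fix shape: only an IPv4 literal is ever compared against the list."""
    addr = ipaddress.ip_address(literal)
    return isinstance(addr, ipaddress.IPv4Address) and any(addr in n for n in BLOCKED_V4)


def is_blocked(literal: str) -> bool:
    """Decode transition forms first, then apply the IPv4 list; keep native
    IPv6 loopback, link-local, unique-local and unspecified blocked too."""
    addr = ipaddress.ip_address(literal)
    v4 = embedded_ipv4(addr)
    if v4 is not None:
        return any(v4 in n for n in BLOCKED_V4)
    return addr.is_loopback or addr.is_link_local or addr.is_private or addr.is_unspecified


def url_target_blocked(url: str):
    """True/False for an IP-literal host; None when the host is a name that
    still has to be resolved (and each resolved address checked)."""
    host = urlsplit(url).hostname                  # strips the [] around IPv6 literals
    if host is None:
        return None
    try:
        return is_blocked(host)
    except ValueError:
        return None


if __name__ == "__main__":
    for sample in ["169.254.169.254", "::ffff:169.254.169.254", "2002:a9fe:a9fe::", "64:ff9b::a9fe:a9fe"]:
        print(f"{sample:26} naive={naive_blocked(sample)!s:5} fixed={is_blocked(sample)}")
    print(url_target_blocked("http://[::ffff:169.254.169.254]/latest/meta-data/"))
```

Decoding to the embedded IPv4 address and reusing one list is simpler and safer than maintaining parallel IPv6 blocklists, because any future IPv4 range added to the list is automatically covered in every encoding.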

Page 11 of 107

Fix and source details. These are shown at the foot of the page and are matched here, by position, to the entries above.

vLLM 0.14.1, CVE-2026-4944. Source: NVD/CVE Database.

opentelemetry-go ParseFile, CVE-2026-45287. Source: GitHub Advisory Database.

opentelemetry-go baggage parsing, CVE-2026-41178. Source: GitHub Advisory Database.

claude-code-cache-fix, CVE-2026-45136. Fix: fixed in version 3.5.2; update to claude-code-cache-fix 3.5.2 or later. Source: NVD/CVE Database.

Langroid, CVE-2026-25879. Fix: fixed in v0.63.0 by defaulting SQLChatAgent to a SELECT-only allowlist of sqlglot-parsed statements (a list of approved SQL operations) with a dialect-aware blocklist of dangerous patterns. The previous unrestricted behaviour can be restored with allow_dangerous_operations=True, for trusted deployments only. Source: GitHub Advisory Database.

Gryph, CVE-2026-45046. Published May 27, 2026. Gryph is a security layer for AI coding agents (software that writes code with AI help); it records agent activity to a local database, and a logging level controls what is stored. Before version 0.7.0 the documentation said the default level was minimal, but the effective default was standard, so sensitive file content that Gryph was supposed to withhold was written to the database. Fix: fixed in version 0.7.0. Source: NVD/CVE Database.

Gradio, CVE-2026-48545. Fix: update Gradio to version 6.15.0 or later; the fixed release is at https://github.com/gradio-app/gradio/releases/tag/gradio%406.15.0. Source: NVD/CVE Database.

IBM Langflow OSS denial of service, CVE-2026-7528. Source: NVD/CVE Database.

IBM Langflow OSS remote code execution, CVE-2026-7524. Source: NVD/CVE Database.

TanStack, CVE-2026-45321. The vulnerability allowed attackers to publish malicious versions of TanStack packages to npm (the package repository developers install JavaScript libraries from) under the project's trusted identity, potentially distributing credential-stealing malware to everyone who installed them. It is listed as actively exploited. Fix: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Source: CISA Known Exploited Vulnerabilities.

GitLab MCP Server, CVE-2026-44895. Fix: update GitLab MCP Server to version 0.6.0, which fixes the vulnerability. Source: NVD/CVE Database.

Vowpal Wabbit, CVE-2026-44723. Fix: fixed by commit 998e390e80a7e8192d7849b7784bc113dbd190ad. Source: NVD/CVE Database.

NVIDIA Transformers4Rec, CVE-2026-24162. Source: NVD/CVE Database.

vLLM 0.19.0, CVE-2026-9540. Fix: a pull request fixing the issue was pending acceptance at the time of the source (https://github.com/vllm-project/vllm/pull/37594). Source: NVD/CVE Database.

Kiro CLI, CVE-2026-9255. Fix: update kiro-cli to version 1.28.0 or later; versions before 1.28.0 are affected. Source: AWS Security Bulletins.

Network-AI, CVE-2026-46701. Source: GitHub Advisory Database.

Boxlite path traversal, CVE-2026-46703. Source: GitHub Advisory Database.

BoxLite permission bypass, CVE-2026-46695. Source: GitHub Advisory Database.

Pydantic AI, CVE-2026-46678. Fix: upgrade to Pydantic AI 1.99.0 or later, which extends the blocklists to cover IPv6 transition forms that route to blocked IPv4 endpoints and adds protection for additional IANA-reserved ranges. On unpatched versions, avoid `force_download='allow-local'` on URLs influenced by untrusted input, or resolve hostnames yourself and validate every resolved address against your own blocklist, IPv6-encoded forms included, before creating the FileUrl. Source: GitHub Advisory Database.