aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI & LLM Vulnerabilities

Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.

2137 items

GHSA-7p85-w9px-jpjp: Twig: PHP code injection via `{% use %}` template name
Severity: critical | vulnerability, security | May 21, 2026 | CVE-2026-46633

Twig (a PHP template engine) has a vulnerability where template names in `{% use %}` tags aren't properly escaped, allowing attackers to inject arbitrary PHP code that executes when the template cache loads. This bypasses Twig's security sandbox, giving attackers remote code execution (the ability to run commands on the server).

Fix: `Compiler::string()` now escapes single quotes in addition to the characters it previously escaped, preventing template names from breaking out of the surrounding PHP string context.

Source: GitHub Advisory Database

CVE-2026-47102: LiteLLM prior to 1.83.10 allows a user to modify their own user_role via the /user/update endpoint. While the endpoint c
Severity: high | vulnerability, security | May 21, 2026 | CVE-2026-47102

LiteLLM versions before 1.83.10 have a vulnerability where users can change their own role to proxy_admin (an administrative role) through the /user/update endpoint, giving them full control over the system including all users, teams, and API keys. Even users with org_admin privileges can exploit this flaw without needing to chain it with other attacks.

Fix: Update LiteLLM to version 1.83.10 or later.

Source: NVD/CVE Database

CVE-2026-47101: LiteLLM prior to 1.83.14 allows an authenticated internal_user to create API keys with access to routes that their role
Severity: high | vulnerability, security | May 21, 2026 | CVE-2026-47101

LiteLLM versions before 1.83.14 have a privilege escalation vulnerability (a security flaw that lets someone gain higher-level permissions than they should have) where authenticated internal users can create API keys (credentials for accessing the system) that grant access to admin-only routes without proper verification. This allows attackers to bypass role-based access controls (the system that restricts what different users can do) and gain full admin privileges.

Fix: Update LiteLLM to version 1.83.14 or later.

Source: NVD/CVE Database

GHSA-cr22-wjx7-2w6m: MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement
Severity: high | vulnerability, security | May 21, 2026 | CVE-2026-46519

The `mcp-server-kubernetes` tool had a security flaw where access control settings (environment variables that limit which Kubernetes operations are available) were enforced only when listing tools, not when actually running them. This meant an attacker or misconfigured AI agent could bypass these restrictions and run any Kubernetes command, such as deleting pods or accessing containers, even if those operations were supposed to be blocked.

Fix: The fix applies the same filtering logic from the tool listing layer to the tool execution layer in the `CallToolRequestSchema` handler, so that restricted tools return an error when called directly. This was fixed in v3.6.0.

Source: GitHub Advisory Database

GHSA-7hh5-prp2-mfh5: Cleartext storage of HMAC signing key in Amazon SageMaker Python SDK ModelBuilder/Serve path
Severity: high | vulnerability, security | May 21, 2026 | CVE-2026-8596

Amazon SageMaker Python SDK has a vulnerability where it stores an HMAC signing key (a cryptographic secret used to verify that model files haven't been tampered with) in plaintext as an environment variable that can be read by anyone with access to certain AWS APIs. An attacker with the right permissions could steal this key, use it to forge valid model files, and run malicious code on the system running the model.

Fix: Upgrade to Amazon SageMaker Python SDK v2.257.2 or v3.8.0. According to the source: 'AWS recommend upgrading to the latest version and rebuilding any models previously created with ModelBuilder using the updated SDK.' As a temporary workaround if upgrading is not immediately possible: 'users can manually remove the SAGEMAKER_SERVE_SECRET_KEY environment variable from existing SageMaker models by recreating the model without this variable in the container environment configuration.'

Source: GitHub Advisory Database

GHSA-m549-qq94-fvhg: LMDeploy: Arbitrary code execution via hardcoded trust_remote_code=True in lmdeploy model initialization
Severity: high | vulnerability, security | May 21, 2026 | CVE-2026-46432

LMDeploy, a model serving tool, hardcodes `trust_remote_code=True` (a setting that allows executing custom Python code from downloaded models) when loading models from HuggingFace. An attacker who can control which model path the system loads could point it to a malicious model repository, causing arbitrary code execution (running any commands they want) with the privileges of the LMDeploy server process. This affects LMDeploy version 0.12.3 and earlier.

Source: Hugging Face Security Advisories

CVE-2026-2734: In mlflow/mlflow versions up to 3.9.0, the `SearchModelVersions` REST API endpoint and the `mlflowSearchModelVersions` G
Severity: high | vulnerability, security | May 21, 2026 | CVE-2026-2734

MLflow versions up to 3.9.0 have a security flaw in the SearchModelVersions feature (an API endpoint that retrieves information about different versions of machine learning models) that fails to check user permissions properly. This allows any logged-in user to see all model versions and sensitive details across the entire system, which is dangerous in shared environments where different teams should only access their own models.

Fix: The issue is resolved in version 3.10.0.

Source: NVD/CVE Database

GHSA-c2c9-mfw7-p8hw: Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
Severity: medium | vulnerability, security | May 20, 2026

Flowise has a security flaw in its `/api/v1/chatflows/apikey` endpoint that allows a user with a valid API key to view chatflow configurations (including system prompts, workflow graphs, and credential IDs) from other workspaces, as long as those chatflows don't have an API key assigned. The endpoint returns both the user's own chatflows and all unprotected chatflows across the entire system without filtering by workspace, breaking the isolation between workspaces.

Source: GitHub Advisory Database

GHSA-59fh-9f3p-7m39: Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification
Severity: medium | vulnerability, security | May 20, 2026

Flowise has a mass assignment vulnerability in its PUT /api/v1/user endpoint that lets authenticated users directly change their password hash without verifying their old password. An attacker with a stolen session token can send a crafted request that overwrites the credential field, bypassing password verification, hashing enforcement, and policy validation, which gives them permanent access to the account.

Source: GitHub Advisory Database

GHSA-m837-xvxr-vqwg: Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage
Severity: medium | vulnerability, security | May 20, 2026

Flowise, an AI tool, has a hardcoded setting that allows any webpage on the internet to make requests to its text-to-speech (TTS, a feature that converts written text into spoken audio) endpoint using your stored credentials. This bypasses the server's normal cross-origin request protection (CORS, which controls what websites can access a server's data), letting malicious webpages secretly generate speech on your behalf.

Fix: Remove the hardcoded CORS wildcard headers from the TTS endpoint. Specifically, delete these lines from `packages/server/src/controllers/text-to-speech/index.ts` at line 83: `res.setHeader('Access-Control-Allow-Origin', '*')` and `res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')`. This allows the server's standard CORS middleware to handle access control instead.

Source: GitHub Advisory Database

GHSA-7wx4-6vff-v64p: Diffusers: TOCTOU Trust Remote Code Bypass
Severity: high | vulnerability, security | May 20, 2026 | CVE-2026-45804

The `diffusers` package has a TOCTOU (time-of-check-time-of-use, where a security check happens at one moment but the actual data used comes from a different moment) vulnerability in its `DiffusionPipeline.from_pretrained` function that loads models from HuggingFace Hub. An attacker can bypass the `trust_remote_code` security check by updating a repository between two separate download calls, allowing arbitrary code to execute without the user explicitly approving it.

Source: Hugging Face Security Advisories

GHSA-fvvm-949w-qj4w: RTK improperly trusts project-local filter configuration, allowing silent tampering of command output shown to LLM
Severity: medium | vulnerability, security | May 20, 2026 | CVE-2026-45792

RTK (Rust Token Killer, a tool that filters sensitive data before showing command output to an LLM) had a vulnerability where it automatically loaded filter configuration files from a project directory without asking the user first, allowing attackers to secretly modify what an LLM sees. An attacker could place a malicious filter file in a repository to hide or alter command output (like file contents or security scan results) without any warning, potentially concealing malicious code during development.

Fix: Fixed in v0.32.0 (PRs #623, #625): the `.rtk/filters.toml` file is now blocked by default with a visible warning stating '[rtk] WARNING: untrusted project filters — Filters NOT applied. Run rtk trust to review and enable.' The patch also adds SHA-256 hash verification (a cryptographic check ensuring the file hasn't changed) to re-block filters if the file is modified after being trusted, and introduces new `rtk trust` and `rtk untrust` commands to let users explicitly approve configuration files.

Source: GitHub Advisory Database

CVE-2026-24215: NVIDIA Triton Inference Server contains a vulnerability in the DALI backend, where an attacker could cause uncontrolled
Severity: medium | vulnerability, security | May 20, 2026 | CVE-2026-24215

NVIDIA Triton Inference Server has a vulnerability in its DALI backend (a component that processes data) that allows attackers to cause uncontrolled resource consumption, potentially leading to a denial of service attack (making the service unavailable to legitimate users).

Source: NVD/CVE Database

CVE-2026-24214: NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an integer ove
Severity: high | vulnerability, security | May 20, 2026 | CVE-2026-24214

NVIDIA Triton Inference Server has a vulnerability in its DALI backend (a component that processes data) where an attacker could trigger an integer overflow (a bug where a number exceeds the maximum value a system can store). This could allow an attacker to execute malicious code, modify data, or crash the service.

Source: NVD/CVE Database

CVE-2026-24213: NVIDIA Triton Inference Server contains a vulnerability in the DALI backend where an attacker could cause an out-of-boun
Severity: high | vulnerability, security | May 20, 2026 | CVE-2026-24213

NVIDIA Triton Inference Server contains a vulnerability in the DALI backend (a component that processes data) where an attacker could perform an out-of-bounds read (accessing memory locations outside the intended range). Exploiting this could allow code execution (running malicious commands), data tampering (changing information), denial of service (making the system unavailable), or information disclosure (leaking sensitive data).

Source: NVD/CVE Database

CVE-2026-24210: NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an integer overflow. A successful
Severity: high | vulnerability, security | May 20, 2026 | CVE-2026-24210

NVIDIA Triton Inference Server has a vulnerability where an attacker could cause an integer overflow (a situation where a number exceeds the maximum value a program can store, causing unexpected behavior), potentially leading to denial of service (making a system unavailable to users). The vulnerability has a CVSS 4.0 severity rating (a 0-10 scale measuring how serious a security flaw is).

Source: NVD/CVE Database

CVE-2026-24209: NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. A successf
Severity: high | vulnerability, security | May 20, 2026 | CVE-2026-24209

CVE-2026-24209 is a path traversal vulnerability (a flaw where an attacker manipulates file paths to access files outside their intended directory) in NVIDIA Triton Inference Server that could allow an attacker to cause a denial of service (making a system unavailable to users). The vulnerability has a CVSS 4.0 severity rating, though a full assessment from NIST has not yet been provided.

Source: NVD/CVE Database

CVE-2026-24208: NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a path traversal issue. A successf
Severity: medium | vulnerability, security | May 20, 2026 | CVE-2026-24208

NVIDIA Triton Inference Server contains a path traversal vulnerability (CWE-22, a flaw where attackers can access files outside the intended directory) that could allow an attacker to cause a denial of service (making the service unavailable). The vulnerability has a CVSS 4.0 severity rating, though a detailed assessment has not yet been provided by NIST.

Source: NVD/CVE Database

CVE-2026-24207: NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A succes
Severity: critical | vulnerability, security | May 20, 2026 | CVE-2026-24207

NVIDIA Triton Inference Server has a vulnerability (CVE-2026-24207) where an attacker could bypass authentication (skip security checks that normally verify who someone is), potentially allowing them to run code, gain higher privileges, change data, crash the service, or steal information. The vulnerability is classified as an authentication bypass using an alternate path or channel (CWE-288, a type of weakness where attackers find different ways to access a system without proper verification).

Source: NVD/CVE Database

CVE-2026-24206: NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A succes
Severity: high | vulnerability, security | May 20, 2026 | CVE-2026-24206

NVIDIA Triton Inference Server contains a vulnerability (CVE-2026-24206) that allows attackers to bypass authentication (a security check that verifies who you are), potentially leading to privilege escalation (gaining higher-level access), denial of service (making a system unavailable), or information disclosure (unauthorized access to data). The vulnerability is classified as CWE-288, which means it exploits an alternate path to bypass normal authentication checks.

Source: NVD/CVE Database

Page 12 of 107