Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
JunoClaw, an agentic AI platform (a system where AI makes decisions and takes actions) built on Juno Network, had a vulnerability in its upload_wasm MCP tool (a component that lets the AI upload compiled WebAssembly code). The tool accepted file paths from the AI without validating them, without resolving symbolic links (so a link inside the expected directory could point anywhere on disk), and without checking that the file was actually a WebAssembly module, so the AI could be made to upload any file readable on the host. This was fixed in version 0.x.y-security-1.
Fix: Update to version 0.x.y-security-1, which contains the fix for this vulnerability.
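The three missing checks in the JunoClaw entry (path containment, symlink resolution, file-type verification) are the same checks any "upload a file the model names" tool needs. The following is an added example, not JunoClaw's or Juno Network's code: it resolves the requested path against an upload root with realpath() so `..` segments and symlinks are caught, and verifies the WebAssembly magic bytes instead of trusting the extension. The root directory, the file names and the "secret" it protects are constructed inside the block for the demo; `validate_wasm_upload` is a hypothetical name.

```python
import os
import tempfile

WASM_MAGIC = b"\x00asm"  # every WebAssembly binary module starts with these four bytes


def is_within_root(requested: str, root: str) -> bool:
    """True only if `requested`, with `..` and symlinks resolved, still lies under `root`."""
    root_real = os.path.realpath(root)
    target_real = os.path.realpath(os.path.join(root_real, requested))
    try:
        return os.path.commonpath([root_real, target_real]) == root_real
    except ValueError:  # paths on different drives (Windows)
        return False


def looks_like_wasm(head: bytes) -> bool:
    """Check the magic bytes rather than the file extension."""
    return head[:4] == WASM_MAGIC


def validate_wasm_upload(requested: str, root: str) -> bytes:
    """Hypothetical hardened read an upload tool should perform before sending a file anywhere.

    Raises ValueError on an escape from `root` or on non-wasm content; returns the bytes otherwise.
    """
    if not is_within_root(requested, root):
        raise ValueError(f"path escapes upload root: {requested!r}")
    if not requested.lower().endswith(".wasm"):
        raise ValueError("only .wasm files may be uploaded")
    path = os.path.realpath(os.path.join(os.path.realpath(root), requested))
    with open(path, "rb") as f:
        data = f.read()
    if not looks_like_wasm(data):
        raise ValueError("file does not start with the WebAssembly magic bytes")
    return data


def demo_upload_checks() -> dict:
    """Build a throwaway layout (constructed for this example) and run each attack shape through the check."""
    root = tempfile.mkdtemp(prefix="uploads_")
    outside = tempfile.mkdtemp(prefix="secrets_")
    secret = os.path.join(outside, "key.pem")
    with open(secret, "wb") as f:
        f.write(b"-----BEGIN PRIVATE KEY-----\nconstructed sample, not a real key\n")
    with open(os.path.join(root, "good.wasm"), "wb") as f:
        f.write(WASM_MAGIC + b"\x01\x00\x00\x00")  # version-1 header, no sections
    with open(os.path.join(root, "fake.wasm"), "wb") as f:
        f.write(b"#!/bin/sh\necho not a wasm module\n")
    os.symlink(secret, os.path.join(root, "link.wasm"))  # looks like a module, points outside

    cases = {
        "good": "good.wasm",
        "fake": "fake.wasm",
        "symlink": "link.wasm",
        "dotdot": os.path.join("..", os.path.basename(outside), "key.pem"),
    }
    results = {}
    for label, requested in cases.items():
        try:
            validate_wasm_upload(requested, root)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = f"rejected: {exc}"
    return results
```

One caveat the block does not close: the check and the open() are separate steps, so a file that is swapped for a symlink between them (a TOCTOU race) still wins. Where that matters, open the file first and run the containment check on the opened descriptor's resolved path, or open with O_NOFOLLOW.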
OpenClaude's BashTool exposes a `dangerouslyDisableSandbox` parameter that an LLM can set, allowing it to bypass the sandbox (a restricted execution environment) and run arbitrary commands on the host system. The vulnerability exists because this security-critical flag defaults to allowing unsandboxed commands, contradicting the project's own threat model, which states that the LLM should not be trusted.
The Adversarial Robustness Toolbox (ART) version 1.20.1 and earlier has a remote code execution (RCE, where an attacker can run commands on a system they don't own) vulnerability in its Kubeflow component. The vulnerability exists because the robustness evaluation function uses eval() (a function that executes text as Python code) without checking user input, allowing an attacker to submit malicious Python code that runs on the system when the evaluation function processes it.
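The ART entry is the classic eval()-on-user-text sink. The block below is an added example, not ART's code: it assumes a hypothetical endpoint that lets a user combine computed metrics with an arithmetic expression (the metric names and expressions are constructed for the demo), shows the vulnerable form, and replaces it with an AST walker that accepts only numbers, known metric names, the four basic operators and unary sign. Calls, attribute access, subscripts and names outside the metric table never reach the interpreter.

```python
import ast
import operator

# Constructed sample: values a server has computed, and two expressions a user might submit.
METRICS = {"clean_accuracy": 0.91, "adversarial_accuracy": 0.62}
HONEST_EXPR = "0.5 * clean_accuracy + 0.5 * adversarial_accuracy"
HOSTILE_EXPR = "__import__('os').getcwd()"


def score_unsafe(expr: str, metrics: dict):
    # The pattern the advisory describes: user text straight into eval().
    # An empty globals dict does not help; Python inserts __builtins__ into it.
    return eval(expr, {}, dict(metrics))


_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARYOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def score_safe(expr: str, metrics: dict) -> float:
    """Evaluate an arithmetic expression over known metric names only.

    Pow is deliberately absent: `9**9**9` is a CPU denial of service even with no names at all.
    """
    tree = ast.parse(expr, mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return float(node.value)
        if isinstance(node, ast.Name):
            if node.id not in metrics:
                raise ValueError(f"unknown metric {node.id!r}")
            return float(metrics[node.id])
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
            return _UNARYOPS[type(node.op)](ev(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return ev(tree)
```

Running `score_unsafe(HOSTILE_EXPR, METRICS)` returns the server's working directory; `score_safe` raises ValueError on the Call node before anything executes, and still computes the honest expression.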
The snorkel library (a tool for machine learning data labeling) versions up to 0.10.0 has a security flaw in its MultitaskClassifier.load() method that allows arbitrary code execution (running any commands an attacker wants on your computer). The problem occurs because the method uses torch.load() without the weights_only=True security setting, which means it can deserialize (reconstruct) malicious Python objects from model files that an attacker provides.
The snorkel library (a machine learning tool for data labeling) versions up to 0.10.0 has a critical vulnerability in its BaseLabeler.load() method, which uses pickle.load() (a Python function that converts saved data back into usable objects) on user files without checking if they're safe. An attacker can create a malicious file that executes harmful code on a victim's computer when the file is loaded.
The snorkel library up to version 0.10.0 has a vulnerability in its Trainer.load() method that unsafely deserializes (converts saved data back into objects) model files using torch.load() without security protections. An attacker can craft a malicious model file that executes arbitrary code (RCE, remote code execution) when a user loads it with this method.
PyTorch-Lightning versions 2.6.0 and earlier have a vulnerability in their checkpoint loading function that allows attackers to execute arbitrary code (running any commands they want on a victim's computer) by providing a malicious checkpoint file. The problem occurs because the code uses torch.load() without the weights_only=True parameter, which means it can deserialize (reconstruct) any Python object, including dangerous ones hidden in the checkpoint file.
A bug in the optimate project's neural_magic_training.py script allows attackers to run arbitrary code on a victim's computer by providing a malicious model file. The vulnerability exists because the _load_model() function uses torch.load() without the weights_only=True parameter, which means it can deserialize (reconstruct) any Python object from a file, including malicious ones hidden in .pt or .pth files.
A vulnerability in the optimate project's _load_model() function allows attackers to run arbitrary code on a victim's computer by providing a malicious model file. The problem occurs because the function uses torch.load() without the weights_only=True parameter, which means it can deserialize (convert data back into Python objects) any Python code hidden in a .pt file, not just safe model weights.
A script called torch-checkpoint-shrink.py in the ml-engineering project has an insecure deserialization vulnerability (CWE-502, a weakness where untrusted data is converted back into objects without proper validation). The script uses torch.load() to read PyTorch checkpoint files (.pt) without the weights_only=True security setting, which allows attackers to execute arbitrary code (run any commands they want) by providing a malicious checkpoint file. An attacker can exploit this remotely by tricking a user into loading a specially crafted file.
DeepChat, an open-source AI platform combining models, tools, and agents, has a vulnerability in versions before v1.0.4-beta.1 that allows remote code execution (RCE, where an attacker can run commands on a system they don't own). An attacker can use a malicious link in Markdown or a compromised AI endpoint to bypass security checks and execute arbitrary commands by exploiting unprotected pop-up window handlers in the application.
A weakness was found in aiwaves-cn agents (software components that perform tasks autonomously) that allows attackers to consume excessive resources on a system, potentially making it slow or unavailable. The vulnerability is in a function called recall_relevant_memories_to_working_memory and can be exploited remotely (from a distance over a network), with the exploit code now publicly available. The developers have been notified but have not yet responded or released a fix.
SOCFortress CoPilot, a security operations management tool, has a critical flaw in versions before 0.1.57 where it uses a hardcoded JWT signing secret (a fixed password used to create secure authentication tokens) as a fallback. If users don't manually set their own JWT_SECRET, the application uses this publicly known secret, allowing attackers to forge fake admin tokens and take complete control without needing real credentials. This vulnerability is fixed in version 0.1.57.
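The CoPilot entry is a fallback-secret bug: the product works out of the box, so nobody notices the token key is the one in the repository. The block below is an added example and is not CoPilot's code; the fallback string, the claim names and the 32-character minimum are assumptions for the demo. It implements a minimal HS256 JWT so the forgery is visible end to end, then contrasts the vulnerable secret lookup with one that refuses to run without a configured JWT_SECRET.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Stand-in for a secret committed to a source tree. The real value in any affected
# product is whatever its repository contains; this string is constructed for the demo.
HARDCODED_FALLBACK = "change-me-fallback-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT (header.payload.signature), enough to show the forgery."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the HMAC checks out, None otherwise."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def signing_secret_vulnerable(env: dict) -> str:
    # The pattern in the advisory: silently fall back to a value anyone can read in the repo.
    return env.get("JWT_SECRET", HARDCODED_FALLBACK)


def signing_secret_strict(env: dict) -> str:
    # Hardened form: fail closed at start-up rather than run with a public secret.
    secret = env.get("JWT_SECRET")
    if not secret or len(secret) < 32:
        raise RuntimeError("JWT_SECRET must be set to at least 32 random characters")
    return secret


def forge_admin_token() -> str:
    """What an attacker does once the fallback is known: mint any claims they like."""
    return sign_jwt({"sub": "attacker", "role": "admin"}, HARDCODED_FALLBACK)
```

With no JWT_SECRET in the environment, the forged token verifies against `signing_secret_vulnerable({})`; the same token is rejected as soon as a real secret is configured, and `signing_secret_strict` never lets the service reach that state.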
MLflow versions 3.9.0 and earlier contain a vulnerability where unauthenticated attackers can read arbitrary files from a server by exploiting a flaw in the `_create_model_version()` handler (a function that processes requests to create new model versions). An attacker can trick the system into storing any file path from the server's filesystem by using a special tag in their request, and then retrieve those files through a different function that doesn't properly check permissions.
Flowise, a tool for building customized AI workflows through a visual interface, has a vulnerability in versions before 3.1.0 where four specific tools bypass security protections by directly using raw HTTP clients (tools for making web requests) instead of using a secured wrapper. This could allow attackers with login credentials to make unauthorized server requests (SSRF, or server-side request forgery).
MLflow versions before 3.9.0 contain an SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making requests to unintended targets) in the webhook creation function. An authenticated attacker can provide a malicious URL that causes MLflow's backend to send HTTP requests to internal services, cloud credential systems, or external servers, potentially exposing sensitive data or accessing restricted networks.
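Both the Flowise and the MLflow webhook entries come down to one missing step: the server fetched whatever URL an authenticated user supplied. The block below is an added example, not code from either project; it assumes a webhook feature that only needs https and uses an injectable resolver so the demo runs offline (the constructed DNS table lives in the test). It rejects non-https schemes, embedded credentials, reserved names, literal private or metadata addresses (including IPv4-mapped IPv6 spellings), and any host name that resolves to a blocked address on even one of its records.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a fetch-on-behalf feature must never reach: loopback, RFC 1918, link-local
# (169.254.169.254 is the cloud metadata endpoint), CGNAT, and IPv4-mapped IPv6.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
    "::ffff:0:0/96",
)]
ALLOWED_SCHEMES = {"https"}          # assumption: webhooks here are https-only
RESERVED_NAMES = {"localhost", "metadata.google.internal"}


def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def _resolve(host: str) -> list:
    """Default resolver: every A/AAAA answer, not just the first one."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_webhook_url(url: str, resolve=_resolve) -> str:
    """Raise ValueError unless `url` is https and every address it resolves to is public.

    Returns the first vetted IP. Connect to that IP (sending the original Host header)
    rather than letting the HTTP client resolve the name a second time, otherwise a
    rebinding DNS server can answer with 127.0.0.1 on the lookup that actually connects.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if host.lower() in RESERVED_NAMES:
        raise ValueError(f"host name {host!r} is reserved")
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal address, any spelling
    except ValueError:
        ips = resolve(host)                       # a name: check all records
    if not ips:
        raise ValueError(f"{host} does not resolve")
    for ip in ips:
        if is_blocked_ip(ip):
            raise ValueError(f"{host} resolves to blocked address {ip}")
    return ips[0]
```

Redirects need the same treatment: disable automatic following in the HTTP client and run each Location header through the check, since a public host that 302s to 169.254.169.254 defeats a check performed only on the first URL.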
The flash-attention training framework has a vulnerability in how it loads saved model checkpoints (snapshots of a model's learned weights). An attacker can hide malicious code inside a checkpoint file, and when someone loads that file using the `load_checkpoint()` function, the code runs automatically on their computer without permission.
CosyVoice, a text-to-speech framework, has an insecure deserialization vulnerability (CWE-502, a weakness where untrusted data is converted back into executable objects) in how it loads model files. The vulnerability exists because the code uses torch.load() without the weights_only=True security setting, allowing attackers to execute arbitrary code (malicious instructions) on a victim's computer by tricking them into loading a specially crafted model file through the CosyVoice Web UI.
CosyVoice (a speech synthesis tool) has an insecure deserialization vulnerability (CWE-502, a flaw where untrusted data is converted back into executable code) in its gRPC server (a framework for building networked services). The vulnerability occurs because the server uses torch.load() without the weights_only=True parameter to load speech models, allowing an attacker to execute arbitrary code by placing malicious model files in a directory that a victim then loads.
CosyVoice, a voice synthesis tool, has a vulnerability in its model averaging feature where it loads PyTorch checkpoint files (serialized machine learning model files) using an unsafe method that can execute arbitrary code. An attacker can create malicious checkpoint files that, when processed by the tool, will run code on the victim's computer without permission.
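Every torch.load() and pickle.load() entry on this page (snorkel, PyTorch-Lightning, optimate, ml-engineering, flash-attention, CosyVoice) is the same CWE-502 mechanism: a pickle stream may name any importable callable and call it with attacker-chosen arguments during loading. The block below is an added example, not code from any of those projects, and uses the standard pickle module so it runs without torch; `weights_only=True` in torch.load() works the same way as the restricted unpickler here, by refusing globals a state dict does not need. The "checkpoint" contents are constructed for the demo, and the payload only evaluates an expression that reads the working directory, where a real one would call os.system or subprocess.

```python
import io
import pickle
import pickletools

# Constructed sample of what a benign state dict looks like (plain lists stand in for tensors).
BENIGN_STATE = {"fc.weight": [0.1, -0.3, 0.7], "fc.bias": [0.0]}


class MaliciousCheckpoint:
    """An object whose pickle stream calls eval() on attacker-chosen code when it is loaded."""

    def __reduce__(self):
        # Any importable callable works here: os.system, subprocess.check_output, eval ...
        return (eval, ("__import__('os').getcwd()",))


def make_benign_checkpoint() -> bytes:
    return pickle.dumps(BENIGN_STATE)


def make_malicious_checkpoint() -> bytes:
    return pickle.dumps(MaliciousCheckpoint())


def load_unsafe(data: bytes):
    """Equivalent to torch.load(path) without weights_only, or a bare pickle.load(f)."""
    return pickle.loads(data)


class NoGlobalsUnpickler(pickle.Unpickler):
    """Refuses every global lookup; dicts, lists, strings and numbers need none."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed in a checkpoint")


def load_safe(data: bytes):
    return NoGlobalsUnpickler(io.BytesIO(data)).load()


_STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
               "STRING", "BINSTRING", "SHORT_BINSTRING"}


def referenced_globals(data: bytes) -> list:
    """Static scan: which module.name pairs the stream would import, without executing it.

    GLOBAL (protocol <= 3) carries "module name" as its argument; STACK_GLOBAL
    (protocol 4+) takes the two most recently pushed strings instead.
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(arg.replace(" ", "."))
        elif op.name == "STACK_GLOBAL":
            found.append(f"{strings[-2]}.{strings[-1]}")
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return found
```

The scanner is the check to run on files from a model hub or a shared bucket before any loader touches them: a state dict that lists anything beyond `collections.OrderedDict` and the tensor-rebuild helpers of the framework deserves a look, and `builtins.eval` or `posix.system` is an answer on its own.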
Fix: Update DeepChat to v1.0.4-beta.1 or later, where this vulnerability is fixed.
Fix: Update SOCFortress CoPilot to version 0.1.57 or later, where this vulnerability is fixed.
Fix: This issue is fixed in version 3.10.0.
Fix: Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.