Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Langfuse, an open source platform for managing large language models, has a vulnerability in versions 2.95.0–2.95.11 and 3.17.0–3.130.x where attackers could take over user accounts if certain security settings are not configured. The attack works by tricking an authenticated user into clicking a malicious link, either through CSRF (cross-site request forgery, where a page the attacker controls makes the victim's browser send requests the victim never intended) or through phishing.
Fix: Update to Langfuse version 2.95.12 or 3.131.0, where the issue has been patched. Alternatively, as a workaround, set the AUTH_<PROVIDER>_CHECK configuration parameter.
Source: NVD/CVE Database
The S2B AI Assistant WordPress plugin (a tool that adds AI chatbot features to websites) has a vulnerability in versions up to 1.7.8 where it does not check what type of files users are uploading. This allows editors and higher-level users to upload malicious files that could potentially let attackers run commands on the website server (remote code execution, or RCE).
MLX, an array framework for machine learning on Apple silicon, has a vulnerability in which loading a malicious GGUF file (a machine learning model format) causes a segmentation fault (a crash where the program tries to access invalid memory). The problem occurs because the code dereferences an untrusted pointer (uses a memory address without checking that it is valid) obtained from an external library, without validating it first.
MLX is an array framework (a software library for handling arrays of data in machine learning) for Apple silicon computers. Before version 0.29.4, the software had a heap buffer overflow (a memory safety bug where the program reads beyond allocated memory) in its file-loading function when processing malicious NumPy .npy files (a common data format in machine learning), which could crash the program or leak sensitive information.
vLLM is a tool that runs large language models and serves them to users. In versions 0.5.5 through 0.11.0, two API endpoints accept a parameter called chat_template_kwargs that isn't properly checked before being used, allowing attackers to send specially crafted requests that freeze the server and prevent other users' requests from being processed.
vLLM (an inference and serving engine for large language models) versions 0.5.5 through 0.11.0 have a vulnerability where users can crash the engine by sending multimodal embedding inputs (data that combines multiple types of information, like images and text) with incorrect shape parameters, even if the model doesn't support such inputs. This bug has a CVSS score of 8.3 (a 0-10 scale measuring vulnerability severity), indicating it's a high-severity issue.
vLLM versions 0.10.2 through 0.11.0 have a vulnerability in how they process user-supplied prompt embeddings (numerical representations of text). An attacker can craft malicious data that bypasses safety checks and causes memory corruption (writing data to the wrong location in computer memory), which can crash the system or potentially allow remote code execution (RCE, where an attacker runs commands on the server).
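The two MLX entries and the two vLLM shape entries above share one root cause: a length or shape read from untrusted input was used as a bound before anyone compared it with the data actually present. The loader below for the NumPy .npy container is an added example, not MLX's or NumPy's own code; it shows the three checks that close that gap (declared header length against file size, declared shape against bytes present, and an overflow-safe element count). The names `parse_npy`, `build_npy`, `rejects`, `NpyFormatError`, the `ITEMSIZES` allowlist and the `MAX_ELEMENTS` cap are all assumptions of this example, and the sample files are constructed here.

```python
"""Bounds-checked loader for the NumPy .npy container (added example)."""
import ast
import struct

MAGIC = b"\x93NUMPY"

# Assumed policy: element types this loader is willing to handle, with their sizes.
# Object arrays, records and unknown codes are refused rather than guessed at.
ITEMSIZES = {"<f2": 2, "<f4": 4, "<f8": 8, "<i2": 2, "<i4": 4, "<i8": 8,
             "<u2": 2, "<u4": 4, "<u8": 8, "|i1": 1, "|u1": 1, "|b1": 1}
MAX_ELEMENTS = 1 << 32   # assumed policy cap on the declared element count


class NpyFormatError(ValueError):
    """A structural check failed; no byte past the failing field is read."""


def _require(cond, msg):
    if not cond:
        raise NpyFormatError(msg)


def parse_npy(data: bytes) -> dict:
    """Validate an .npy blob and return its header fields plus the raw payload."""
    _require(len(data) >= 10, "truncated before header length")
    _require(data[:6] == MAGIC, "bad magic")
    major, minor = data[6], data[7]
    if (major, minor) == (1, 0):
        len_fmt = "<H"                      # v1.0: 16-bit little-endian header length
    elif (major, minor) in ((2, 0), (3, 0)):
        len_fmt = "<I"                      # v2.0/3.0: 32-bit little-endian header length
    else:
        raise NpyFormatError(f"unsupported format version {major}.{minor}")
    header_start = 8 + struct.calcsize(len_fmt)
    _require(len(data) >= header_start, "truncated before header length")
    (header_len,) = struct.unpack_from(len_fmt, data, 8)
    header_end = header_start + header_len
    # Check 1: a length read from the file is a claim, not a fact. It must fit
    # inside the bytes we actually hold before it becomes a slice bound.
    _require(header_end <= len(data),
             f"header_len {header_len} exceeds file size {len(data)}")
    header_text = data[header_start:header_end].decode("latin-1")
    try:
        header = ast.literal_eval(header_text.strip())   # literals only, never eval()
    except (ValueError, SyntaxError) as exc:
        raise NpyFormatError("header is not a Python literal") from exc
    _require(isinstance(header, dict) and set(header) == {"descr", "fortran_order", "shape"},
             "header must have exactly descr, fortran_order and shape")
    descr, shape, fortran = header["descr"], header["shape"], header["fortran_order"]
    _require(descr in ITEMSIZES, f"dtype {descr!r} not in allowlist")
    _require(isinstance(fortran, bool), "fortran_order must be a bool")
    _require(isinstance(shape, tuple) and all(type(d) is int and d >= 0 for d in shape),
             "shape must be a tuple of non-negative ints")
    # Check 2: multiply in Python's unbounded ints, so a product that would wrap
    # a C size_t is caught instead of silently sizing a too-small buffer.
    count = 1
    for dim in shape:
        count *= dim
        _require(count <= MAX_ELEMENTS, "declared element count exceeds policy cap")
    expected = count * ITEMSIZES[descr]
    payload = data[header_end:]
    # Check 3: the data region must hold exactly what the shape promises.
    _require(len(payload) == expected,
             f"shape promises {expected} bytes, file holds {len(payload)}")
    return {"descr": descr, "shape": shape, "fortran_order": fortran, "data": payload}


def build_npy(descr: str, shape: tuple, payload: bytes) -> bytes:
    """Write a version-1.0 .npy blob; used only to construct the samples below."""
    header = f"{{'descr': '{descr}', 'fortran_order': False, 'shape': {shape}, }}"
    pad = 64 - (10 + len(header) + 1) % 64   # preamble padded to a 64-byte multiple
    header = header + " " * pad + "\n"
    return (MAGIC + bytes([1, 0]) + struct.pack("<H", len(header))
            + header.encode("latin-1") + payload)


def rejects(data: bytes) -> bool:
    """True if the loader refuses the blob with a structural error."""
    try:
        parse_npy(data)
    except NpyFormatError:
        return True
    return False


# Constructed samples: one honest file and three that lie in different fields.
GOOD = build_npy("<f4", (2, 3), bytes(24))                        # six float32 zeros
SHAPE_LIE = build_npy("<f4", (1 << 20,), bytes(16))               # promises 4 MiB, ships 16 bytes
HEADER_LIE = GOOD[:8] + struct.pack("<H", 0xFFFF) + GOOD[10:]     # header_len past end of file
OVERFLOW_LIE = build_npy("<f8", (1 << 40, 1 << 40), b"")          # product wraps a 64-bit size_t
```

The same three comparisons apply whenever a serialized tensor arrives over an API: the declared shape and dtype are validated against an allowlist, the element count is computed without wrap-around, and the buffer length is checked against that count before any view is created over the bytes.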
Claude Code is an agentic coding tool (a program that can write code automatically) that had a vulnerability before version 2.0.31 where a mistake in how it parsed sed commands (a tool for editing text) allowed attackers to bypass safety checks and write files anywhere on a computer system. This vulnerability has been fixed.
CVE-2025-64660 is a vulnerability in GitHub Copilot and Visual Studio Code that involves improper access control (a flaw in how the software checks who is allowed to do what), allowing an authorized attacker to execute code over a network. The vulnerability has a CVSS 4.0 severity rating (a 0-10 scale measuring how serious a vulnerability is). This means someone with legitimate access to these tools could potentially run malicious code remotely.
Claude Code, an agentic coding tool (software that can write and execute code), had a vulnerability before version 1.0.39 where it could run code from yarn plugins (add-ons for the Yarn package manager) before asking the user for permission, but only on machines with Yarn 3.0 or newer. This attack required tricking a user into opening Claude Code in an untrusted directory (a folder with malicious code).
PyTorch versions 2.5 and 2.7.1 have a bug where forgetting to call profiler.stop() can cause torch.profiler.profile (a Python tool that measures code performance) to crash or hang, resulting in a Denial of Service (DoS, where a system becomes unavailable). The underlying issue involves improper locking (a mechanism that controls how multiple processes access shared resources).
A flaw in the Observability Operator allows an attacker with limited namespace-level permissions to escalate their access to the entire cluster by creating a MonitorStack resource and then impersonating a highly-privileged ServiceAccount (a Kubernetes identity that the Operator automatically creates). This privilege escalation (gaining unauthorized higher-level access) could let an attacker take control of the entire Kubernetes cluster.
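The escalation path in the Observability Operator entry leaves a distinctive trace in the API server audit log: a request whose `user` is a namespace-scoped principal but whose `impersonatedUser` is a ServiceAccount, often aimed at a cluster-scoped object. The detection rule below is an added example, not part of the Operator or any vendor tooling; it scans audit.k8s.io/v1 events in JSON-lines form and flags ServiceAccount impersonation that is not covered by an assumed allowlist. The principal names, the `example-operator-sa` account, the `IMPERSONATION_ALLOWLIST` table and the sample events are all constructed for this example.

```python
"""Detection rule for ServiceAccount impersonation in Kubernetes audit logs (added example)."""
import json

# Assumed policy table: principals that legitimately impersonate service accounts,
# and the namespaces those accounts may live in. Anything outside it is a finding.
IMPERSONATION_ALLOWLIST = {
    "ci-bot": {"team-b"},
}


def service_account_namespace(username: str):
    """Return <ns> from a system:serviceaccount:<ns>:<name> principal, else None."""
    parts = username.split(":")
    if len(parts) == 4 and parts[0] == "system" and parts[1] == "serviceaccount":
        return parts[2]
    return None


def assess(event: dict):
    """Return a finding dict for a suspicious impersonation, or None."""
    impersonated = event.get("impersonatedUser") or {}
    target = impersonated.get("username", "")
    target_ns = service_account_namespace(target)
    if target_ns is None:
        return None   # no impersonation, or impersonation of a plain user (separate rule)
    actor = event.get("user", {}).get("username", "<unknown>")
    if target_ns in IMPERSONATION_ALLOWLIST.get(actor, set()):
        return None
    ref = event.get("objectRef") or {}
    cluster_scoped = not ref.get("namespace")   # cluster-scoped objects carry no namespace
    return {
        "auditID": event.get("auditID"),
        "actor": actor,
        "impersonated": target,
        "verb": event.get("verb"),
        "resource": ref.get("resource"),
        "namespace": ref.get("namespace"),
        # Impersonation used to touch cluster-scoped objects (RBAC bindings, CRDs) is
        # the shape of a namespace-to-cluster escalation, so it ranks highest.
        "severity": "high" if cluster_scoped else "medium",
    }


def scan(lines):
    """Run assess() over JSON-lines audit events; malformed lines are skipped, not fatal."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if event.get("stage") != "ResponseComplete":
            continue   # one event per request: ignore the RequestReceived copy
        finding = assess(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed audit lines in the shape the API server's audit backend emits.
SAMPLE_AUDIT_LOG = "\n".join([
    # a1: ordinary namespaced create by a team user, no impersonation -> benign
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete",'
    '"verb":"create","user":{"username":"dev-user","groups":["team-a"]},'
    '"objectRef":{"resource":"monitorstacks","namespace":"team-a","name":"ms-1"},'
    '"responseStatus":{"code":201}}',
    # a2: same user impersonates an operator service account to create a cluster-scoped binding
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete",'
    '"verb":"create","user":{"username":"dev-user","groups":["team-a"]},'
    '"impersonatedUser":{"username":"system:serviceaccount:team-a:example-operator-sa"},'
    '"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"cb-1"},'
    '"responseStatus":{"code":201}}',
    # a2 again at the RequestReceived stage: must not be double-counted
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"RequestReceived",'
    '"verb":"create","user":{"username":"dev-user"},'
    '"impersonatedUser":{"username":"system:serviceaccount:team-a:example-operator-sa"},'
    '"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"cb-1"}}',
    # a3: allowlisted CI principal impersonating its deployer account -> benign
    '{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete",'
    '"verb":"get","user":{"username":"ci-bot"},'
    '"impersonatedUser":{"username":"system:serviceaccount:team-b:deployer"},'
    '"objectRef":{"resource":"deployments","namespace":"team-b","name":"web"},'
    '"responseStatus":{"code":200}}',
])
```

Running `scan(SAMPLE_AUDIT_LOG.splitlines())` yields a single high-severity finding for audit ID a2. The preventive counterpart is to review which Roles and ClusterRoles grant the `impersonate` verb on `serviceaccounts`, since that grant is what makes the step possible in the first place.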
The WP Import – Ultimate CSV XML Importer plugin for WordPress has a security flaw in versions up to 7.33 where the showsetting() function is missing an authorization check (a verification that the person accessing it has permission). This allows authenticated attackers with Author-level access or higher to extract sensitive information, including OpenAI API keys (secret credentials used to access the OpenAI service) that are configured through the plugin's admin interface.
CVE-2025-33202 is a stack overflow vulnerability (a memory safety bug where a program writes too much data into a reserved area of memory) in NVIDIA's Triton Inference Server for Linux and Windows. An attacker could exploit this by sending extremely large data payloads, potentially crashing the service and making it unavailable to users (denial of service).
CVE-2025-62453 is a vulnerability in GitHub Copilot and Visual Studio Code where improper validation of generative AI output (not properly checking what the AI generates) allows an authorized attacker to bypass a security feature on their local computer. The vulnerability is classified as a protection mechanism failure (CWE-693, a flaw in how security controls are designed).
A path traversal vulnerability (CWE-22, where an attacker manipulates file paths to access files outside their intended directory) was discovered in Visual Studio Code's CoPilot Chat Extension that allows an authorized attacker to bypass a security feature on their local computer. The vulnerability is tracked as CVE-2025-62449 and was reported by Microsoft Corporation.
CVE-2025-62222 is a command injection vulnerability (where an attacker tricks software into running unintended commands) in the Visual Studio Code CoPilot Chat Extension that allows an unauthorized attacker to execute code over a network. The vulnerability stems from improper neutralization of special elements in commands and inadequate input validation (checking that data is safe before using it).
Milvus, an open-source vector database (a specialized database that stores and searches data based on similarity patterns, used in AI applications), has a critical vulnerability in older versions that allows attackers to skip authentication and gain full admin control over the database without needing a password. This means attackers could read, change, or delete any data and perform administrative tasks like managing databases.
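The workaround offered for this entry (dropping the sourceID header at the gateway before it reaches the proxy) is one instance of a general control: a header that an internal component treats as a trust signal must never be accepted from outside. The WSGI middleware below is an added example, not Milvus code; it strips a configurable set of such headers from every inbound request and counts the attempts so they can be alerted on. Only the header name sourceID comes from the entry; `StripTrustedHeaders`, `backend_app`, `call`, the request path and the client address are constructed for this example.

```python
"""Edge-side stripping of trust-bearing headers (added example)."""
from collections import Counter


def wsgi_key(header_name: str) -> str:
    """Map an HTTP header name to its WSGI environ key (sourceID -> HTTP_SOURCEID)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


class StripTrustedHeaders:
    """WSGI middleware that removes headers only internal components may set."""

    def __init__(self, app, header_names):
        self.app = app
        self.keys = {wsgi_key(h): h for h in header_names}
        self.stripped = Counter()   # header name -> times seen arriving from a client

    def __call__(self, environ, start_response):
        for key, name in self.keys.items():
            if key in environ:
                del environ[key]
                self.stripped[name] += 1
                # Leave a trace for the SOC: a client sending this header is either
                # misconfigured or probing, and either way deserves a look.
                environ.setdefault("strip_trusted_headers.findings", []).append(
                    f"dropped client-supplied header {name} "
                    f"from {environ.get('REMOTE_ADDR', '?')}")
        return self.app(environ, start_response)


def backend_app(environ, start_response):
    """Constructed stand-in for the protected service: reports whether it saw the header."""
    seen = "HTTP_SOURCEID" in environ
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"sourceID present" if seen else b"sourceID absent"]


def call(app, environ):
    """Run a WSGI app on a copy of environ and return the response body as text."""
    def start_response(status, headers):
        pass
    body = b"".join(app(dict(environ), start_response))
    return body.decode()


# Constructed request arriving from the Internet with the trust header attached.
OUTSIDE_REQUEST = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/api/example",
    "REMOTE_ADDR": "203.0.113.7",
    "HTTP_SOURCEID": "anything",
}

guarded = StripTrustedHeaders(backend_app, ["sourceID"])
```

Without the middleware `call(backend_app, OUTSIDE_REQUEST)` returns "sourceID present"; through `guarded` it returns "sourceID absent" and the attempt is recorded in `guarded.stripped`. At an nginx edge the equivalent is `proxy_set_header sourceID "";`, which prevents the client-supplied value from being forwarded upstream; the point of doing it there, as the fix says, is that the header never reaches the component that would trust it.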
Langfuse, an open source platform for managing large language models, had a vulnerability in versions 2.70.0 through 2.95.10 and 3.x through 3.124.0 where the server didn't properly check which organization a user belonged to, allowing any authenticated user to see names and email addresses of members in other organizations if they knew the target organization's ID. The vulnerability required the attacker to have a valid account on the same Langfuse instance and knowledge of the target organization's ID, and no customer data like traces, prompts, or evaluations were exposed.
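This Langfuse entry and the WP Import entry above are the two classic shapes of a missing authorization check: an object-level check (is the caller a member of the organization whose data is requested?) and a function-level check (may this role reach the settings handler at all?). The code below is an added example, not code from Langfuse or the WordPress plugin; it shows each vulnerable handler beside a version guarded by a small `authorize` decorator that keeps the decision next to the route. `User`, `Request`, `Forbidden`, `attempt`, the member directory and the placeholder settings value are all constructed for this example.

```python
"""Object-level and function-level authorization checks (added example)."""
from dataclasses import dataclass
from functools import wraps


@dataclass
class User:
    id: str
    role: str                        # "author", "editor" or "administrator"
    orgs: frozenset = frozenset()    # organizations this user belongs to


@dataclass
class Request:
    user: User                       # authenticated caller; authentication already happened


# Constructed directory data standing in for the application's database.
MEMBERS = {
    "org-alpha": [{"name": "Ada", "email": "ada@example.com"}],
    "org-beta": [{"name": "Bob", "email": "bob@example.com"}],
}
SETTINGS = {"openai_api_key": "sk-PLACEHOLDER-not-a-real-key"}


class Forbidden(Exception):
    """Raised before the handler body runs; callers map it to HTTP 403."""


def authorize(check):
    """Run check(request, *args) before the handler and deny when it returns False.

    Keeping the predicate on the route means a new endpoint cannot be added
    without an explicit decision about who may call it.
    """
    def decorator(handler):
        @wraps(handler)
        def wrapper(request, *args, **kwargs):
            if not check(request, *args, **kwargs):
                raise Forbidden(f"{request.user.id} may not call {handler.__name__}")
            return handler(request, *args, **kwargs)
        return wrapper
    return decorator


def member_of(request, org_id, *_, **__):
    return org_id in request.user.orgs


def is_administrator(request, *_, **__):
    return request.user.role == "administrator"


# Object-level flaw (the Langfuse entry): caller is authenticated, but any org_id works.
def list_members_vulnerable(request, org_id):
    return [m["email"] for m in MEMBERS.get(org_id, [])]


@authorize(member_of)
def list_members(request, org_id):
    # The check runs before the lookup, so a non-member gets the same denial for
    # an organization that exists and one that does not: no ID enumeration oracle.
    return [m["email"] for m in MEMBERS.get(org_id, [])]


# Function-level flaw (the WP Import entry): every logged-in role reaches the settings.
def show_settings_vulnerable(request):
    return SETTINGS


@authorize(is_administrator)
def show_settings(request):
    return SETTINGS


def attempt(handler, request, *args):
    """Return ('ok', result) or ('denied', reason) so handlers can be compared side by side."""
    try:
        return ("ok", handler(request, *args))
    except Forbidden as exc:
        return ("denied", str(exc))


# Constructed callers: an author in org-alpha and an administrator in both orgs.
AUTHOR_IN_ALPHA = Request(User("u1", "author", frozenset({"org-alpha"})))
ADMIN = Request(User("u2", "administrator", frozenset({"org-alpha", "org-beta"})))
```

`attempt(list_members_vulnerable, AUTHOR_IN_ALPHA, "org-beta")` succeeds and discloses org-beta's members, while `attempt(list_members, AUTHOR_IN_ALPHA, "org-beta")` is denied; likewise the author reaches `show_settings_vulnerable` but not `show_settings`. The decorator is deliberately the only place a denial can originate, which is what makes a missing check visible in code review: an undecorated handler stands out.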
A WordPress plugin called Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI has a SQL injection vulnerability (a security flaw where attackers can insert harmful database commands into the plugin's code) in versions up to 3.40.0. Attackers with Editor-level access or higher can exploit the 'post_types' parameter to extract sensitive information from the website's database because the plugin doesn't properly clean up user input before using it in database queries.
Fix (MLX, GGUF untrusted pointer dereference): This issue has been patched in version 0.29.4. Users should update MLX to version 0.29.4 or later.
Source: NVD/CVE Database
Fix (MLX, .npy heap buffer overflow): Update MLX to version 0.29.4 or later. The vulnerability has been patched in this version.
Source: NVD/CVE Database
Fix (vLLM, chat_template_kwargs denial of service): Update to vLLM version 0.11.1 or later, where this issue has been patched.
Source: NVD/CVE Database
Fix (vLLM, multimodal embedding shape crash): This issue has been patched in version 0.11.1. Users should upgrade to vLLM version 0.11.1 or later.
Source: NVD/CVE Database
Fix (vLLM, prompt embedding memory corruption): Update to vLLM version 0.11.1 or later. The source states: 'This issue has been patched in version 0.11.1.'
Source: NVD/CVE Database
Fix (Claude Code, sed command parsing bypass): Update to version 2.0.31 or later. The issue has been patched in version 2.0.31.
Source: NVD/CVE Database
Fix (Claude Code, yarn plugin execution): Update Claude Code to version 1.0.39 or later. The source states: 'This issue has been patched in version 1.0.39.'
Source: NVD/CVE Database
Fix (Milvus, authentication bypass): Upgrade to Milvus versions 2.4.24, 2.5.21, or 2.6.5. Alternatively, if upgrading immediately is not possible, remove the sourceID header from all incoming requests at the gateway, API gateway, or load balancer level before requests reach the Milvus Proxy component. This prevents attackers from exploiting the authentication bypass.
Source: NVD/CVE Database
Fix (Langfuse, cross-organization member disclosure): Upgrade to patched versions: v2.95.11 for major version 2 or v3.124.1 for major version 3. According to the source, 'there are no known workarounds' and 'upgrading is required to fully mitigate this issue.'
Source: NVD/CVE Database