Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
CosyVoice (a text-to-speech AI tool) has a vulnerability in how it loads PyTorch model files (machine learning data files containing voice embeddings and tokens). The tool uses an unsafe loading method that allows attackers to execute arbitrary code (run any commands they want) on a victim's computer if the victim processes a directory containing a malicious .pt file.
GPT-Pilot has a command injection vulnerability (CWE-78, a type of security flaw where attackers insert malicious commands into a program) in its Executor.run() method that allows attackers to execute arbitrary shell commands. When the system asks users to confirm or modify a command before running it, it doesn't properly validate the user input before passing it to the shell execution function, letting an attacker replace the intended command with malicious code and run it with GPT-Pilot's privileges.
go-git (a Git implementation in Go) may parse malformed Git objects differently than upstream Git, which could cause commits or tags with ambiguous headers to be interpreted inconsistently. This is especially problematic for commit signing and verification, since go-git signs or verifies commits based on its own parsed representation rather than the original raw bytes, potentially making invalid signatures appear valid when the commit's displayed content differs from what was actually signed.
A malformed HTTP request can crash any Node.js application using the OpenTelemetry Prometheus exporter because the metrics endpoint (a server that collects application performance data) doesn't properly validate incoming URLs before processing them. Since this endpoint is unauthenticated and exposed by default, any network user can send a specially crafted request to crash the entire application.
A vulnerability in BentoML allows command injection through environment variable names in bentofile.yaml files. When a user runs `bentoml containerize` (the command that builds a container image) on a malicious bento configuration, unquoted environment variable names get inserted into the generated Dockerfile, allowing attackers to execute arbitrary commands on the build host during the `docker build` process. This is a sibling vulnerability to two earlier command injection bugs (CVE-2026-33744 and CVE-2026-35043) that were patched for a different field but missed this one.
BentoML has a command injection vulnerability where the `docker.base_image` field in a bento.yaml configuration file is inserted directly into a Dockerfile template without any validation or escaping. An attacker can supply a malicious bento.yaml with newlines in the `docker.base_image` value to inject arbitrary Dockerfile commands (like `RUN` directives that execute code) which get executed when a victim runs `bentoml containerize` to build a container image.
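The two BentoML entries above share one root cause: configuration strings are copied into a Dockerfile template without validation. The following Python is an added example, not BentoML's own code; it uses the environment-variable-name and image-reference regexes quoted in the fix notes on this page, wraps them in config-load-time validators, and renders the `FROM`/`ARG`/`ENV` preamble only from values that passed them.

```python
import re

# Both patterns are taken from the fix notes on this page; the validators and
# the renderer around them are an added example, not BentoML's own code.
ENV_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
BASE_IMAGE_RE = re.compile(
    r"^[A-Za-z0-9._/-]+(:[A-Za-z0-9._-]+)?(@sha256:[a-f0-9]{64})?$"
)


def validate_env_name(name: str) -> str:
    """Accept only a POSIX-style variable name. Anything else (newlines,
    spaces, shell metacharacters) would be copied into ARG/ENV lines verbatim."""
    if not ENV_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid environment variable name: {name!r}")
    return name


def validate_base_image(ref: str) -> str:
    """Accept name[:tag][@sha256:digest]; reject line breaks, whitespace and
    anything else that is not a practical Docker image reference."""
    if "\n" in ref or "\r" in ref or not BASE_IMAGE_RE.fullmatch(ref):
        raise ValueError(f"invalid docker.base_image: {ref!r}")
    return ref


def render_dockerfile_header(base_image: str, env: dict[str, str]) -> str:
    """Build the FROM/ARG/ENV preamble the way the template does, but only
    from values that passed validation (the page's fix option 2)."""
    lines = [f"FROM {validate_base_image(base_image)}"]
    for name, value in env.items():
        validate_env_name(name)
        # Extra belt-and-braces check on the value (added here, not on the page):
        # a line break in a value would also start a new Dockerfile instruction.
        if "\n" in value or "\r" in value:
            raise ValueError(f"invalid value for {name}: {value!r}")
        lines.append(f"ARG {name}={value}" if value else f"ARG {name}")
        lines.append(f"ENV {name}=${name}")
    return "\n".join(lines) + "\n"


def is_safe_config(base_image: str, env: dict[str, str]) -> bool:
    """True when the config renders cleanly, False when a validator rejects it."""
    try:
        render_dockerfile_header(base_image, env)
        return True
    except ValueError:
        return False
```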
Open WebUI has an authorization flaw in standard channels (regular channels, not group or direct message channels) where the message update endpoint incorrectly allows access with read permission only. This means any authenticated user can modify other users' messages if they know the message ID, violating data integrity (the guarantee that information stays accurate and unchanged by unauthorized parties).
Spring AI's MilvusVectorStore#doDelete(List) method has a vulnerability called filter-expression injection (where attackers can manipulate database filter commands by inserting malicious code into document IDs) because document IDs are not properly cleaned before being used. This affects Spring AI versions 1.0.0 through 1.0.x and 1.1.0 through 1.1.x.
FastGPT, a platform for building AI agents, has a vulnerability in versions before 4.14.17 that allows attackers to send requests to internal or private network addresses without needing to log in. The problem is in the fetchData function, which retrieves data from user-provided URLs but doesn't properly check them against a blocklist (isInternalAddress) that's meant to prevent SSRF attacks (where a server is tricked into making requests to systems it shouldn't access).
FastGPT, a platform for building AI agents, had a security flaw in how it protected against SSRF attacks (server-side request forgery, where an attacker tricks a server into connecting to unauthorized internal systems). While some endpoints blocked internal network URLs, the tool creation endpoints did not, allowing an authenticated user to save a malicious internal URL that could later be used without additional checks when running workflows.
FastGPT, a platform for building AI agents, has a vulnerability in versions 4.14.11 and earlier where its isInternalAddress() function fails to block access to cloud metadata endpoints (services that store sensitive system information). Attackers can bypass the blocklist using URL encoding techniques (methods to disguise URLs), and because a security check is disabled by default, the metadata endpoint remains accessible without additional protection.
FastGPT versions 4.14.11 and earlier have a DNS rebinding vulnerability (TOCTOU, or Time-of-Check to Time-of-Use, where a check happens at one moment but the actual action uses a different result moments later) in their isInternalAddress() function. The function validates that a hostname resolves to a safe private IP address, but because the actual HTTP request performs a separate DNS lookup afterward, an attacker can change the DNS record between validation and the request, bypassing the security check.
FastGPT, a platform for building AI agents, has a vulnerability in versions 4.14.13 and earlier where its code-sandbox component (a container that safely runs code in isolation) lacks proper resource limits. Attackers can exploit this by sending requests that consume excessive memory or CPU, bypassing the weak 500ms polling interval check and causing the service to crash for legitimate users (a Denial of Service attack). The vulnerability exists because the system relies only on software-level checks instead of operating system-level safeguards like cgroups (Linux tools that restrict resource usage).
New API, an LLM gateway and AI asset management system, has a vulnerability in versions 0.11.9-alpha.1 and earlier where its SSRF protection (safeguards against server-side request forgery, where an attacker tricks a server into making unintended web requests) fails to block the address 0.0.0.0. Any user with a valid API token can exploit this by sending requests with 0.0.0.0 as the image URL, causing the server to make requests to localhost (its own system) and potentially leak sensitive data when using certain AWS configurations.
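The FastGPT and New API entries above describe three ways an outbound-URL blocklist fails: the host is matched before percent-decoding, 0.0.0.0 and the link-local metadata range are missing from the list, and the hostname is resolved a second time for the real request (TOCTOU). The following Python is an added example, not code from either project: it decodes the host first, blocks those ranges (including IPv4-mapped IPv6 forms), and resolves a hostname exactly once so the caller can connect to the pinned IP. The `resolver` parameter is an assumption so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import unquote, urlsplit

# Destination ranges that an LLM-side fetcher should never reach.
# This list is the example's own; it is not FastGPT's or New API's list.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this host": 0.0.0.0 reaches localhost on Linux
    "127.0.0.0/8",      # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",   # link-local, includes cloud metadata 169.254.169.254
    "100.64.0.0/10",    # carrier-grade NAT, also used by some metadata services
    "::/128", "::1/128", "fc00::/7", "fe80::/10",     # IPv6 equivalents
)]


def is_internal_ip(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    # Unwrap ::ffff:a.b.c.d so the IPv4 rules apply to mapped addresses too.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_outbound_target(url: str, resolver=socket.gethostbyname) -> tuple[str, str, int]:
    """Return (host_header, pinned_ip, port) for a user-supplied URL, or raise ValueError.
    The caller must open the connection to pinned_ip (sending host_header as Host)
    instead of resolving the name again; that is what closes the DNS-rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    host = unquote(parts.hostname or "")  # decode %-encoding BEFORE matching
    if not host:
        raise ValueError("missing host")
    try:
        ip_text = str(ipaddress.ip_address(host))  # literal IP, no DNS needed
    except ValueError:
        ip_text = resolver(host)  # resolve once; resolver is an injectable assumption
    if is_internal_ip(ip_text):
        raise ValueError(f"blocked internal destination {host} -> {ip_text}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return host, ip_text, port


def is_blocked_url(url: str, resolver=socket.gethostbyname) -> bool:
    try:
        resolve_outbound_target(url, resolver)
        return False
    except ValueError:
        return True
```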
FastGPT versions 4.14.10 through 4.14.12 have a critical vulnerability in their agent-sandbox component that allows unauthenticated Remote Code Execution (RCE, where attackers can run commands on a system they don't own). The startup script runs code-server (a web-based code editor) with authentication disabled and opens it to all network interfaces, meaning anyone who can reach the server's port 8080 can take complete control of the sandbox environment.
LangChain has a vulnerability where older code paths deserialize (convert serialized data back into objects) untrusted user input too broadly, allowing attackers to inject specially crafted LangChain objects that get instantiated with attacker-controlled arguments. The vulnerability only affects applications that accept untrusted structured input (like JSON), don't validate it first, and use affected APIs like `RunnableWithMessageHistory` or `astream_log()`.
Open WebUI version 0.1.105 has an authorization flaw where users with a 'pending' status (the default for new sign-ups) can still receive authentication tokens (JWT, a standardized way to prove identity in web requests) and make API calls meant only for approved users, bypassing the authorization check (the system that verifies what actions a user is allowed to perform) that is only enforced on the website interface, not in the backend API itself.
The OpenTelemetry.Exporter.Instana NuGet package (a tool for monitoring application performance) disables TLS certificate validation (the security check that verifies a server's identity) when a proxy is configured using the INSTANA_ENDPOINT_PROXY environment variable. This means an attacker who intercepts the network connection could read sensitive telemetry data and steal the Instana API key (a credential that grants access to monitoring systems). The vulnerability only affects systems where a proxy is configured and that proxy is either controlled by an attacker or vulnerable to interception.
The kanban npm package (used by the cline CLI tool) runs a WebSocket server on localhost that accepts connections from any website without checking the Origin header (a validation that confirms the connection came from an authorized source). This allows attackers to leak sensitive data like file paths and AI chat messages, inject commands into running terminals to achieve remote code execution (executing arbitrary code on a developer's machine), and kill running tasks.
The `banks` library version 2.4.1 and earlier has a critical Remote Code Execution vulnerability because it uses an unsandboxed Jinja2 environment (a template engine that processes text with special syntax) to render prompt templates. If an application accepts user-supplied strings as templates and passes them to the `Prompt()` function, attackers can inject malicious template code to execute arbitrary commands on the server.
Fix: Users should upgrade to a patched version. Versions prior to v5 are likely affected, and users are recommended to upgrade to a supported go-git version.
Source: GitHub Advisory Database
Fix: Update @opentelemetry/exporter-prometheus and @opentelemetry/sdk-node to version 0.217.0 or later, and update @opentelemetry/auto-instrumentations-node to version 0.75.0 or later. This release adds proper error handling around the URL constructor, returning an HTTP 400 response on parse failure rather than crashing the process. Run: npm install @opentelemetry/exporter-prometheus@latest. As a temporary mitigation if immediate updating is not feasible: bind the endpoint to localhost only by setting the host option to 127.0.0.1, use a firewall or network policy to restrict access to port 9464 to only trusted Prometheus scrape hosts, or place the endpoint behind a reverse proxy that filters or validates incoming requests.
Source: GitHub Advisory Database
Fix: The source suggests two fixes in `base_v2.j2` lines 71-73: (1) Apply the `bash_quote` filter to `env.name` in both the `ARG` and `ENV` lines: `ARG {{ env.name | bash_quote }}{% if env.value %}={{ env.value | bash_quote }}{% endif %}` and `ENV {{ env.name | bash_quote }}=${{ env.name | bash_quote }}`; or (2) Better approach: validate at the schema level by adding `attr.validators.matches_re(r"^[A-Za-z_][A-Za-z0-9_]*$")` to the `name` field in `bentoml/_internal/bento/build_config.py:BentoEnvSchema` to reject newline and shell-metacharacter values when the config is loaded.
Source: Hugging Face Security Advisories
Fix: Validate `DockerOptions.base_image` at the config layer by rejecting any value containing newline characters (`\n`, `\r`) or whitespace beyond a single space-separated tag. The source suggests using a regex like `^[A-Za-z0-9._/-]+(:[A-Za-z0-9._-]+)?(@sha256:[a-f0-9]{64})?$` to enforce practical Docker reference format. The same hardening should be extended to other unvalidated fields in the Dockerfile template: `__options__build_include[*]`, `bento__user`, `bento__uid_gid`, `bento__path`, `bento__home`, and `bento__entrypoint`.
Source: GitHub Advisory Database
Fix: Update the permission check in `backend/open_webui/routers/channels.py:1451–1456` by changing the authorization requirement from `has_access(..., type="read")` to `has_access(..., type="write")`, ensuring only administrators, message owners, or users with write permission (the ability to create or modify content) can update messages.
Source: GitHub Advisory Database
Fix: Upgrade to Spring AI 1.0.7 or greater (for 1.0.x users) or Spring AI 1.1.6 or greater (for 1.1.x users).
Source: NVD/CVE Database
Fix: Update FastGPT to version 4.14.17 or later, where this issue has been patched.
Source: NVD/CVE Database
Fix: This issue has been patched in version 4.14.17.
Source: NVD/CVE Database
Fix: Update to FastGPT version 4.14.13 or later, as this issue has been patched in that version.
Source: NVD/CVE Database
Fix: LangChain will deprecate the affected APIs (`RunnableWithMessageHistory`, `astream_log()`, and `astream_events(version="v1")`) and recommend migrating to newer streaming and memory patterns like the `stream` API. Additionally, LangChain will update `load()` and `loads()` functions to tighten deserialization behavior so broad object revival is not applied implicitly to untrusted input.
Source: GitHub Advisory Database
Fix: Pull request #4153 refactors the HttpClient creation so that TLS certificate validation is no longer disabled by default when using a proxy. For environments where disabling certificate validation is necessary (such as local development), the previous behavior can be restored by configuring a custom HttpClientFactory with ServerCertificateCustomValidationCallback set to accept any certificate, as shown in the code example provided in the remediation section.
Source: GitHub Advisory Database
Fix: Fixed in `banks 2.4.2` by switching to `jinja2.sandbox.SandboxedEnvironment`, which blocks the dunder attribute traversal chain (accessing internal Python object properties using double underscores) that the exploit relies on. Developers using `banks <= 2.4.1` should upgrade to version 2.4.2 and avoid passing untrusted user input as the template argument to `Prompt()`.
Source: GitHub Advisory Database