Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
A vulnerability in oobabooga text-generation-webui (CVE-2025-12488) allows attackers to execute arbitrary code (running any commands they want on a system) by exploiting the trust_remote_code parameter in the load endpoint. The flaw occurs because the software doesn't properly validate user input before using it to load a model, and no authentication is required to exploit it.
A vulnerability in oobabooga text-generation-webui allows attackers to run arbitrary code (unauthorized commands) on the system without needing to log in. The flaw occurs because the software doesn't properly check user input for the trust_remote_code parameter before using it to load a model, letting attackers execute code with the same permissions as the service.
A vulnerability in Ays Pro AI ChatBot with ChatGPT and Content Generator (version 2.6.6 and earlier) allows sensitive information to be exposed when data is sent. The flaw, classified as CWE-201 (insertion of sensitive information into sent data), means attackers could potentially retrieve sensitive data embedded in the plugin's responses.
The Better Find and Replace plugin for WordPress (versions up to 1.7.7) has a security flaw where a function called rtafar_ajax() doesn't properly check user permissions, allowing low-level authenticated users (Subscriber-level access) to trigger OpenAI API key usage and consume quota, potentially costing money. This happens because the code is missing a capability check (a permission verification system that controls what users can do).
Cursor, a code editor designed for programming with AI, has a logic bug in versions 1.7.23 and below that allows attackers to bypass cursorignore (a file that protects sensitive files from being read). An attacker who has already performed prompt injection (tricking an AI by hiding instructions in its input) or controls a malicious AI model could create a new cursorignore file to override existing protections and access protected files.
Cursor, a code editor designed for AI-assisted programming, has a vulnerability in versions 1.7.44 and below where attackers can exploit NTFS path quirks (special behaviors of Windows file systems) to bypass file protection rules and overwrite files that normally require human approval, potentially leading to RCE (remote code execution, where an attacker can run commands on a system they don't own). This attack requires chaining with prompt injection (tricking an AI by hiding instructions in its input) or a malicious AI model, and only affects Windows systems using NTFS.
Cursor, a code editor designed for AI-assisted programming, had a security flaw in versions 1.7.52 and below where attackers could bypass safety checks on Windows machines. While the software blocked path manipulation (tricks to access files in unintended ways) using forward slashes and required human approval, the same trick using backslashes was not detected, potentially allowing an attacker with prompt injection access (hidden malicious instructions in AI inputs) to run arbitrary code and overwrite important files without permission.
CVE-2025-64320 is a code injection vulnerability in Salesforce Agentforce Vibes Extension that occurs because the software doesn't properly filter user input before sending it to an LLM (large language model), allowing attackers to inject malicious code. The vulnerability affects versions before 3.2.0 of the extension.
CVE-2025-10875 is a vulnerability in Salesforce Mulesoft Anypoint Code Builder caused by improper neutralization of input used for LLM prompting (prompt injection, a technique where attackers manipulate AI system instructions through user input), leading to code injection (inserting malicious code into a system). This vulnerability affects versions of the software before 1.11.6.
CVE-2025-12695 is a vulnerability in DSPy (a framework for building AI agents) where an overly permissive sandbox configuration (a restricted environment meant to limit what code can do) allows attackers to steal sensitive files when users build an AI agent that takes user input and uses the PythonInterpreter class (a tool that runs Python code). The vulnerability stems from improper isolation, meaning the sandbox doesn't adequately separate the untrusted code from the rest of the system.
A WordPress plugin called 'Ai Auto Tool Content Writing Assistant' (versions 2.0.7 to 2.2.6) has a security flaw where it doesn't properly check user permissions before allowing the save_post_data() function (a feature that stores post information) to run. This means even low-level users (Subscriber level and above) can create and publish posts they shouldn't be able to, allowing unauthorized modification of website content.
Keras, a machine learning library, has a vulnerability in its keras.utils.get_file function when extracting tar archives (compressed file collections). An attacker can create a malicious tar file with special symlinks (shortcuts to files) that, when extracted, writes files anywhere on the system instead of just the intended folder, giving them unauthorized access to overwrite important system files.
LiteLLM, a tool that helps developers use different AI models through one interface, has a vulnerability where the health endpoint (a checking tool that monitors system status) improperly exposes API_KEY information (secret credentials used to authenticate requests) to attackers who are already authenticated. An attacker with access could steal these stored credentials and use them to compromise the system further.
MLflow Tracking Server contains a directory traversal vulnerability (where an attacker uses special path characters like '../' to access files outside the intended directory) that allows unauthenticated attackers to execute arbitrary code on the server. The flaw stems from insufficient validation of file paths when handling model creation, letting attackers run commands with the privileges of the service account running MLflow.
CVE-2025-11200 is a vulnerability in MLflow that allows remote attackers to bypass authentication (gain access without logging in) because the system has weak password requirements (passwords that are too easy to guess or crack). Attackers can exploit this flaw to access MLflow installations without needing valid credentials.
CVE-2025-12058 is a vulnerability in Keras (a machine learning library) where the load_model method can be tricked into reading files from a computer's local storage or making network requests to external servers, even when the safe_mode=True security flag is enabled. The problem occurs because the StringLookup layer (a component that converts text into numbers) accepts file paths during model loading, and an attacker can craft a malicious .keras file (a model storage format) to exploit this weakness.
A SQL injection vulnerability (a type of attack where an attacker inserts malicious SQL code into an application) exists in LangGraph's SQLite storage system, specifically in version 2.0.10 of langgraph-checkpoint-sqlite. The vulnerability happens because the code directly combines user input with SQL commands instead of safely separating them, allowing attackers to steal sensitive data like passwords and API keys, and bypass security protections.
FastGPT, an AI Agent building platform, had a vulnerability in its workflow file reading node where network links were not properly verified, creating a risk of SSRF attacks (server-side request forgery, where an attacker tricks the server into making unwanted requests to other systems). The vulnerability affected versions before 4.11.1.
Hugging Face Smolagents version 1.20.0 has an XPath injection vulnerability (a security flaw where attackers can inject malicious code into XPath queries, which are used to search and navigate document structures) in its web browser function. The vulnerability exists because user input is directly inserted into XPath queries without being cleaned, allowing attackers to bypass search filters, access unintended data, and disrupt automated web tasks.
A vulnerability (CVE-2025-53066) exists in Oracle Java SE and related products, affecting multiple versions including Java 8, 11, 17, 21, and 25. An attacker with network access can exploit this flaw in the JAXP component (a Java library for processing XML data) without needing to log in, potentially gaining unauthorized access to sensitive data. The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 7.5, indicating it is a serious threat.
Fix: Update to version 2.0, where this issue is fixed. (Source: NVD/CVE Database)
Fix: This issue is fixed in version 2.0. Users should upgrade to version 2.0 or later. (Source: NVD/CVE Database)
Fix: This issue is fixed in version 2.0. (Source: NVD/CVE Database)
Fix: Update Salesforce Agentforce Vibes Extension to version 3.2.0 or later. (Source: NVD/CVE Database)
Fix: Update Mulesoft Anypoint Code Builder to version 1.11.6 or later. (Source: NVD/CVE Database)
Fix: Upgrade Keras to version 3.12 or later. The source notes that upgrading Python alone (even to versions like Python 3.13.4 that fix the underlying CVE-2025-4517 vulnerability) is not sufficient; the Keras upgrade is also required. (Source: NVD/CVE Database)
Fix: A patch is available at the following GitHub commit: https://github.com/mlflow/mlflow/commit/1f74f3f24d8273927b8db392c23e108576936c54 (Source: NVD/CVE Database)
Fix: Update FastGPT to version 4.11.1 or later, as this issue has been patched in that version. (Source: NVD/CVE Database)
Fix: The issue is fixed in version 1.22.0. Users should upgrade Hugging Face Smolagents to version 1.22.0 or later. (Source: NVD/CVE Database)