aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Maintained by Truong (Jack) Luu, Information Systems Researcher

AI & LLM Vulnerabilities

Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.

CVE-2025-60511: Moodle OpenAI Chat Block plugin 3.0.1 (2025021700) suffers from an Insecure Direct Object Reference (IDOR) vulnerability
Severity: medium | Type: vulnerability | Tags: security | Date: Oct 21, 2025 | ID: CVE-2025-60511

The Moodle OpenAI Chat Block plugin version 3.0.1 has an IDOR vulnerability (insecure direct object reference, where a user can access resources by directly requesting them without proper permission checks). An authenticated student can bypass validation of the blockId parameter in the plugin's API and impersonate another user's block, such as an administrator's block, allowing them to execute queries with that block's settings, expose sensitive information, and potentially misuse API resources.

Source: NVD/CVE Database

CVE-2025-49655: Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not inc
Severity: critical | Type: vulnerability | Tags: security | Date: Oct 17, 2025 | ID: CVE-2025-49655

CVE-2025-49655 is a vulnerability in Keras (a machine learning framework) versions 3.11.0 through 3.11.2 where deserialization (converting saved data back into usable form) of untrusted data can allow malicious code to run on a user's computer when they load a specially crafted Keras file, even if safe mode is enabled. This vulnerability affects both locally stored and remotely downloaded files.

Fix: Update Keras to version 3.11.3 or later. The GitHub pull request at https://github.com/keras-team/keras/pull/21575 contains the fix.

Source: NVD/CVE Database

CVE-2025-62356: A path traversal vulnerability in all versions of the Qodo Qodo Gen IDE enables a threat actor to read arbitrary local f
Severity: high | Type: vulnerability | Tags: security | Date: Oct 17, 2025 | ID: CVE-2025-62356

CVE-2025-62356 is a path traversal vulnerability (a flaw that lets attackers access files outside intended directories) in all versions of Qodo Gen IDE that allows attackers to read any local files on a user's computer, both inside and outside their projects. The vulnerability can be exploited directly or through indirect prompt injection (tricking the AI by hiding malicious instructions in its input).

Source: NVD/CVE Database

CVE-2025-62353: A path traversal vulnerability in all versions of the Windsurf IDE enables a threat actor to read and write arbitrary lo
Severity: critical | Type: vulnerability | Tags: security | Date: Oct 17, 2025 | ID: CVE-2025-62353

CVE-2025-62353 is a path traversal vulnerability (a flaw that lets attackers access files outside intended directories) in all versions of Windsurf IDE that allows attackers to read and write any files on a user's computer. The vulnerability can be exploited directly or through indirect prompt injection (tricking the AI by hiding malicious instructions in its input).

Source: NVD/CVE Database

CVE-2025-36730: A prompt injection vulnerability exists in Windsurf version 1.10.7 in Write mode using SWE-1 model. It is possible to
Severity: medium | Type: vulnerability | Tags: security | Date: Oct 14, 2025 | ID: CVE-2025-36730

A prompt injection vulnerability (tricking an AI by hiding instructions in its input) exists in Windsurf version 1.10.7 when using Write mode with the SWE-1 model. An attacker can create a specially crafted file name that gets added to the user's prompt, causing Windsurf to follow malicious instructions instead of the user's intended commands. The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 4.6, classified as medium severity.

Source: NVD/CVE Database

CVE-2025-62364: text-generation-webui is an open-source web interface for running Large Language Models. In versions through 3.13, a Loc
Severity: medium | Type: vulnerability | Tags: security | Date: Oct 13, 2025 | ID: CVE-2025-62364

text-generation-webui (an open-source tool for running large language models through a web interface) versions 3.13 and earlier contain a Local File Inclusion vulnerability (a flaw where an attacker can read files they should not have access to) in the character picture upload feature. An attacker can upload a text file containing a symbolic link (a shortcut to another file) pointing to sensitive files, and the application will expose those files' contents through the web, potentially revealing passwords and system settings.

Fix: Update to version 3.14, where this vulnerability is fixed.

Source: NVD/CVE Database

CVE-2025-59286: Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized at
Severity: critical | Type: vulnerability | Tags: security | Date: Oct 9, 2025 | ID: CVE-2025-59286

CVE-2025-59286 is a command injection vulnerability (a flaw where an attacker can insert malicious commands by exploiting how special characters are handled) in Copilot that allows an unauthorized attacker to disclose information over a network. The vulnerability stems from improper neutralization of special elements used in commands. A CVSS score (a 0-10 rating of how severe a vulnerability is) has not yet been assigned by NIST.

Source: NVD/CVE Database

CVE-2025-59272: Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized at
Severity: critical | Type: vulnerability | Tags: security | Date: Oct 9, 2025 | ID: CVE-2025-59272

CVE-2025-59272 is a command injection vulnerability (a flaw where an attacker can insert malicious commands into user input that gets executed by the system) in Copilot that allows an unauthorized attacker to disclose information locally. The vulnerability stems from improper handling of special characters in commands, and it has a CVSS 4.0 severity rating (a moderate severity score on a 0-10 scale).

Source: NVD/CVE Database

CVE-2025-59252: Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized at
Severity: critical | Type: vulnerability | Tags: security | Date: Oct 9, 2025 | ID: CVE-2025-59252

CVE-2025-59252 is a command injection vulnerability (a flaw where an attacker can insert malicious commands into a system by exploiting improper handling of special characters) in Copilot that allows an unauthorized attacker to disclose information over a network. The vulnerability stems from improper neutralization of special elements used in commands. The CVSS severity score (a 0-10 rating of vulnerability severity) has not yet been assigned by NIST.

Source: NVD/CVE Database

CVE-2025-61913: Flowise is a drag & drop user interface to build a customized large language model flow. In versions prior to 3.0.8, Wri
Severity: critical | Type: vulnerability | Tags: security | Date: Oct 8, 2025 | ID: CVE-2025-61913

Flowise is a visual tool for building custom LLM (large language model) workflows, but versions before 3.0.8 have a path traversal vulnerability (a security flaw where attackers can access files outside intended directories) in its file read and write tools. Authenticated attackers could exploit this to read and write any files on the system, potentially leading to remote code execution (running malicious commands on the server).

Fix: Upgrade to Flowise version 3.0.8, which fixes this vulnerability. The patch is available at https://github.com/FlowiseAI/Flowise/releases/tag/flowise%403.0.8.

Source: NVD/CVE Database

CVE-2025-5009: In Gemini iOS, when a user shared a snippet of a conversation, it would share the entire conversation via a sharable pub
Severity: low | Type: vulnerability | Tags: security, privacy | Date: Oct 8, 2025 | ID: CVE-2025-5009

CVE-2025-5009 is a privacy bug in Google's Gemini iOS app where sharing a snippet of a conversation accidentally shared the entire conversation history through a public link instead of just the selected part. This exposed users' full conversation data, including private information they did not intend to share.

Source: NVD/CVE Database

CVE-2025-11445: A vulnerability was detected in Kilo Code up to 4.86.0. Affected is the function ClineProvider of the file src/core/webv
Severity: medium | Type: vulnerability | Tags: security | Date: Oct 8, 2025 | ID: CVE-2025-11445

Kilo Code versions up to 4.86.0 contain a vulnerability in the ClineProvider function that allows prompt injection (tricking an AI by hiding instructions in its input) through improper handling of special characters. The vulnerability can be exploited remotely, and the exploit has already been publicly disclosed.

Fix: Applying a patch is the recommended action to fix this issue, as stated in the source material.

Source: NVD/CVE Database

CVE-2025-6242: A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimod
Severity: high | Type: vulnerability | Tags: security | Date: Oct 7, 2025 | ID: CVE-2025-6242

A Server-Side Request Forgery (SSRF) vulnerability, a weakness that lets attackers trick a server into making unwanted requests to internal resources, exists in the MediaConnector class of the vLLM project's multimodal feature set. The vulnerability occurs in the load_from_url and load_from_url_async methods, which fetch media from user-provided URLs without properly checking which hosts are allowed, potentially allowing attackers to reach internal network resources through the vLLM server.

Source: NVD/CVE Database

CVE-2025-61784: LLaMA-Factory is a tuning library for large language models. Prior to version 0.9.4, a Server-Side Request Forgery (SSRF
Severity: high | Type: vulnerability | Tags: security | Date: Oct 7, 2025 | ID: CVE-2025-61784

LLaMA-Factory, a library for customizing large language models, has a vulnerability in versions before 0.9.4 that allows authenticated users to exploit SSRF (server-side request forgery, where the server is tricked into making requests to unintended destinations) and LFI (local file inclusion, where attackers can read files directly from the server) by providing malicious URLs to the chat API. The vulnerability exists because the code does not validate URLs before making HTTP requests, allowing attackers to access sensitive internal services or read arbitrary files from the server.

Fix: Update to version 0.9.4 or later, which fixes the underlying issue.

Source: NVD/CVE Database

CVE-2025-59425: vLLM is an inference and serving engine for large language models (LLMs). Before version 0.11.0rc2, the API key support
Severity: high | Type: vulnerability | Tags: security | Date: Oct 7, 2025 | ID: CVE-2025-59425

vLLM, a system for running and serving large language models, had a security weakness in how it checked API keys (secret codes that authenticate users) before version 0.11.0rc2. The validation used a basic string comparison that took longer to complete the more correct leading characters an attacker supplied, allowing them to figure out the key one character at a time through a timing attack (analyzing how long the system takes to respond). This weakness could let attackers bypass authentication and gain unauthorized access.

Fix: Update vLLM to version 0.11.0rc2 or later, which fixes the issue.

Source: NVD/CVE Database

CVE-2025-6985: The HTMLSectionSplitter class in langchain-text-splitters version 0.3.8 is vulnerable to XML External Entity (XXE) attac
Severity: high | Type: vulnerability | Tags: security | Date: Oct 6, 2025 | ID: CVE-2025-6985

The HTMLSectionSplitter class in langchain-text-splitters version 0.3.8 has a vulnerability where it unsafely parses XSLT stylesheets (instructions that transform XML data), allowing attackers to read sensitive files like SSH keys or environment configurations without needing special access. This XXE (XML External Entity, a type of injection attack that exploits how XML parsers handle external files) attack works by default in older versions of the underlying lxml library and can still work in newer versions unless specific security controls are added.

Source: NVD/CVE Database

CVE-2025-61687: Flowise is a drag & drop user interface to build a customized large language model flow. A file upload vulnerability in
Severity: high | Type: vulnerability | Tags: security | Date: Oct 6, 2025 | ID: CVE-2025-61687

Flowise version 3.0.7 has a file upload vulnerability that lets authenticated users (people with login access) upload any file type without proper checks. Attackers can upload malicious Node.js web shells (programs that let someone run commands on a server remotely), which stay on the server and could lead to RCE (remote code execution, where an attacker runs commands on a system they do not own) if activated through admin mistakes or other vulnerabilities.

Source: NVD/CVE Database

CVE-2025-59159: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode
Severity: critical | Type: vulnerability | Tags: security | Date: Oct 6, 2025 | ID: CVE-2025-59159

SillyTavern, a locally installed interface for interacting with text generation AI models and other AI tools, has a vulnerability in versions before 1.13.4 that allows DNS rebinding (a network attack where an attacker tricks your computer into connecting to a malicious server by manipulating domain name lookups) to let attackers install harmful extensions, steal chat conversations, or create fake login pages. The vulnerability affects the web-based user interface and could be exploited especially when the application is accessed over a local network without SSL (encrypted connections).

Fix: The vulnerability has been patched in version 1.13.4. Users should update to this version. The fix includes a new server configuration setting called `hostWhitelist.enabled` in the config.yaml file or the `SILLYTAVERN_HOSTWHITELIST_ENABLED` environment variable that validates hostnames in incoming HTTP requests against an allowed list. The setting is disabled by default for backward compatibility, but users are encouraged to review their server configurations and enable this protection, especially if hosting over a local network without SSL.

Source: NVD/CVE Database

CVE-2025-61685: Mastra is a Typescript framework for building AI agents and assistants. Versions 0.13.8 through 0.13.20-alpha.0 are vuln
Severity: medium | Type: vulnerability | Tags: security | Date: Oct 3, 2025 | ID: CVE-2025-61685

Mastra (a TypeScript framework for building AI agents and assistants) versions 0.13.8 through 0.13.20-alpha.0 have a directory traversal vulnerability, which means an attacker can bypass security checks to list files and folders in any directory on a user's computer, potentially exposing sensitive information. The flaw exists because, while the code tries to prevent path traversal (unauthorized access to files through manipulated file paths) for reading files, a separate part of the code that suggests directories can be exploited to work around this protection.

Fix: This issue is fixed in version 0.13.20.

Source: NVD/CVE Database

CVE-2025-59944: Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the wa
Severity: high | Type: vulnerability | Tags: security | Date: Oct 3, 2025 | ID: CVE-2025-59944

Cursor is a code editor designed for programming with AI help. Versions 1.6.23 and below have a security flaw where they use case-sensitive checks (checking uppercase and lowercase letters as different) to protect sensitive files, which allows attackers to use prompt injection (tricking the AI with hidden instructions) to modify these files and gain remote code execution (the ability to run commands on the victim's computer) on case-insensitive filesystems (systems that treat uppercase and lowercase letters the same).

Fix: This issue is fixed in version 1.7. Users should upgrade to version 1.7 or later.

Source: NVD/CVE Database