Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
A ReDoS vulnerability (regular expression denial of service, where specially crafted input causes a program's pattern-matching code to consume excessive CPU) was found in the Hugging Face Transformers library's number normalization feature. An attacker could send text with long digit sequences to crash or slow down text-to-speech and number processing tasks. The vulnerability affects versions up to 4.52.4.
Fix: Fixed in version 4.53.0 of the Hugging Face Transformers library.
NVD/CVE DatabaseLangchaingo, a library for working with language models, uses jinja2 syntax (a templating language) to parse prompts, but the underlying gonja library it relies on supports file-reading commands like 'include' and 'extends'. This creates a server-side template injection vulnerability (SSTI, where an attacker tricks a server into executing unintended code by injecting malicious template syntax), allowing attackers to insert malicious statements into prompts to read sensitive files like /etc/passwd.
Flowise, a tool for building custom AI workflows through a visual interface, has a critical security flaw in versions 3.0.5 and earlier where the password reset endpoint leaks sensitive information like reset tokens without requiring authentication. This allows attackers to take over any user account by generating a fake reset token and changing the user's password.
A ReDoS vulnerability (regular expression denial of service, where specially crafted input causes a program to use excessive CPU by making regex matching extremely slow) was found in Hugging Face Transformers library version 4.52.4, specifically in the MarianTokenizer's `remove_language_code()` method. The bug is triggered by malformed language code patterns that force inefficient regex processing, potentially crashing or freezing the system.
CVE-2025-55319 is a command injection vulnerability (a type of attack where an attacker inserts malicious commands into a program's input) in Agentic AI (an AI system that can perform tasks independently) and Visual Studio Code that allows an unauthorized attacker to execute code over a network. The vulnerability stems from improper handling of special characters in commands, which lets attackers run arbitrary code on affected systems.
Claude Code, an agentic coding tool (software that can write and execute code with some autonomy), had a vulnerability where a maliciously configured git user email could trigger arbitrary code execution (running unintended commands on a system) when the tool started up, before the user approved workspace access. This affected all versions before 1.0.105.
Claude Code is a tool that helps AI write and run code, but versions before 1.0.105 had a bug in how it parsed commands that let attackers bypass the safety prompt (the confirmation step that checks if code is safe to run). An attacker would need to sneak malicious content into the conversation with Claude Code to exploit this.
MONAI, an AI toolkit for medical imaging, has a deserialization vulnerability (unsafe unpickling, where untrusted data is converted back into executable code) in versions up to 1.5.0 when loading pre-trained model checkpoints from external sources. While one part of the code uses secure loading (`weights_only=True`), other parts load checkpoints insecurely, allowing attackers to execute malicious code if a checkpoint contains intentionally crafted harmful data.
Roo Code is an AI tool that helps developers write code directly in their editors, but versions 3.25.23 and older have a security flaw where npm install (a command that downloads and sets up code packages) is automatically approved without asking the user first. If a malicious repository's package.json file contains a postinstall script (code that runs automatically during package installation), it could execute harmful commands on the user's computer without their knowledge or consent.
Roo Code is an AI tool that helps developers write code directly in their editor, but versions 3.25.23 and earlier have a security flaw where attackers can bypass .rooignore (a file that tells Roo Code which files to ignore) using symlinks (shortcuts that point to other files). This allows someone with write access to the workspace to trick Roo Code into reading sensitive files like passwords or configuration files that should have been hidden.
Roo Code is an AI tool that automatically writes code in your editor, but versions 3.25.23 and earlier have a security flaw where workspace configuration files (.code-workspace files that store project settings) aren't properly protected. An attacker using prompt injection (tricking the AI by hiding malicious instructions in its input) could trick the agent into writing harmful settings that execute as code when you reopen your project, potentially giving the attacker control of your computer.
Roo Code is an AI tool that helps developers write code automatically within their editors. In versions 3.26.6 and earlier, a Github workflow (an automated process that runs tasks in a repository) used unsanitized pull request metadata (information that wasn't checked for malicious content) in a privileged context, allowing attackers to execute arbitrary commands on the Actions runner (a computer that runs automated tasks) through RCE (remote code execution, where an attacker can run commands on a system they don't own). This could let attackers steal secrets, modify code, or completely compromise the repository.
Roo Code is an AI tool that automatically writes code in your editor, but versions before 3.26.0 have a security flaw in how it parses commands (reads and interprets instructions). If someone configures the tool to automatically run commands without checking them first, an attacker could trick it into running extra harmful commands by manipulating the input the AI receives.
A server-side request forgery vulnerability (SSRF, a flaw where an attacker tricks a server into making unwanted requests to other systems) was discovered in the aitool Ai Auto Tool Content Writing Assistant plugin for WordPress, affecting versions up to 2.2.6. This vulnerability allows attackers to exploit the plugin's ability to make requests on the server's behalf, potentially accessing internal systems or data.
The Obsidian GitHub Copilot Plugin (a tool that integrates GitHub's AI code assistant into the Obsidian note-taking app) has a security flaw in versions before 1.1.7 where it stores GitHub API tokens (authentication credentials that allow access to a GitHub account) in cleartext (unencrypted, readable text). This means an attacker who gains access to a user's computer could steal these tokens and perform unauthorized actions on their GitHub account.
The EverNoteLoader component in langchain-ai/langchain version 0.3.63 has a security flaw that allows XXE (XML External Entity) attacks, where an attacker tricks the XML parser into reading external files by embedding special references in XML input. This could expose sensitive system files like password lists to an attacker.
5ire version 0.13.2, a desktop AI assistant and model context protocol client (software that lets AI models interact with external tools), contains a vulnerability that allows content injection attacks (inserting malicious code into web pages) through multiple routes including malicious prompts, compromised servers, and exploited tool connections. This vulnerability is fixed in version 0.14.0.
CVE-2025-9959 is a vulnerability in smolagents (a Python agent library) where incomplete validation of dunder attributes (special Python variables with double underscores, like __import__) allows an attacker to escape the sandbox (a restricted execution environment) if they use prompt injection (tricking the AI into executing malicious commands). The attack requires the attacker to manipulate the agent's input to make it create and run harmful code.
Langflow, a tool for building AI-powered agents and workflows, has a privilege escalation vulnerability (CWE-269, improper privilege management) where an authenticated user with RCE (remote code execution, the ability to run commands on a system they don't own) can use an internal CLI command to create a new administrative account, gaining full superuser access even if they originally registered as a regular user. A patched version has not been publicly released at the time this advisory was published.
Roo Code is an AI tool that automatically writes code inside text editors, but versions before 3.25.5 have a bug in how they parse commands (the instructions telling a computer what to do). An attacker could trick the AI into running extra harmful commands by hiding them in prompts if the user had enabled auto-approved command execution, a risky setting that is off by default.
Fix: Upgrade to version 3.0.6 or later, which includes commit 9e178d68873eb876073846433a596590d3d9c863 that secures password reset endpoints. The source also recommends: (1) never return reset tokens or account details in API responses; (2) send tokens only through the user's registered email; (3) make the forgot-password endpoint respond with a generic success message to prevent attackers from discovering which accounts exist; (4) require strong validation of reset tokens, including making them single-use, giving them a short expiration time, and tying them to the request origin; and (5) apply these same fixes to both cloud and self-hosted deployments.
NVD/CVE DatabaseFix: Update to version 4.53.0, where the vulnerability has been fixed. A patch is available at https://github.com/huggingface/transformers/commit/47c34fba5c303576560cb29767efb452ff12b8be.
NVD/CVE DatabaseFix: Update Claude Code to version 1.0.105 or the latest version. Users with automatic updates enabled will have received this fix automatically; those updating manually should upgrade to version 1.0.105 or newer.
NVD/CVE DatabaseFix: Update to version 1.0.105 or the latest version. Users with auto-update enabled have already received this fix automatically.
NVD/CVE DatabaseFix: This is fixed in version 3.26.0.
NVD/CVE DatabaseFix: This is fixed in version 3.26.0.
NVD/CVE DatabaseFix: Update to version 3.26.0 or later, which fixes this issue.
NVD/CVE DatabaseFix: Update to version 3.26.7.
NVD/CVE DatabaseFix: Update to version 3.26.0 or later.
NVD/CVE DatabaseFix: Update the Obsidian GitHub Copilot Plugin to version 1.1.7 or later.
NVD/CVE DatabaseFix: Update to version 0.14.0, which contains the fix for this vulnerability.
NVD/CVE DatabaseFix: Update to version 3.25.5, where the issue is fixed.
NVD/CVE Database