Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Paperclip is a Node.js server (a JavaScript runtime that runs outside web browsers) with a React UI (a framework for building user interfaces) that manages multiple AI agents to automate business tasks. Before version 2026.416.0, an attacker without any login credentials could gain full remote code execution (the ability to run arbitrary commands on the target system) on any publicly accessible Paperclip instance using its default settings, simply by knowing the server's address and making six automated API calls (requests to the server's functions).
Fix: Update to version 2026.416.0, which patches the vulnerability.
NVD/CVE Database
Paperclip is a Node.js server and React UI that manages multiple AI agents to run a business. Versions before 2026.416.0 have a privilege escalation vulnerability where an attacker holding an agent API key (a credential that identifies an agent) can inject operating system commands into a configuration field that the server later executes, so arbitrary OS commands run on the Paperclip server.
A vulnerability (CVE-2026-6874) was found in ericc-ch copilot-api version 0.7.0 and earlier in the Header Handler component of the /token file. By manipulating the Host argument, an attacker can exploit the component's reliance on reverse DNS resolution (looking up a domain name from an IP address) for a security decision. The attack can be carried out remotely against deployments where the attacker already holds login credentials.
DDEV, a local development tool, has a ZipSlip vulnerability (a path traversal flaw where attackers use special path names like '../' to escape the intended extraction directory) in its archive extraction functions. When DDEV extracts tar or zip archives from remote sources, it doesn't validate file paths, allowing attackers to write files anywhere on a developer's machine by crafting malicious archives.
The engram HTTP server (a local application running on your computer) had a critical security flaw where it allowed any website you visited to steal your private knowledge graph data and inject persistent malicious instructions into your AI coding assistant. This happened because the server had no password protection by default and accepted requests from any website origin (CORS, or cross-origin resource sharing, which controls what websites can talk to your local applications).
InstructLab has a security flaw in its `linux_train.py` script that automatically trusts code from external model sources without verification (trust_remote_code=True). An attacker could trick users into downloading a malicious model from HuggingFace (a popular AI model repository) and running training commands, allowing the attacker to execute arbitrary Python code and take over the entire system.
Flowise, a tool with a visual interface for building customized AI flows, has a vulnerability before version 3.1.0 where authenticated attackers can execute arbitrary commands on the server. The flaw exists in the MCP (model context protocol) adapter's handling of stdio commands, where input sanitization checks fail to prevent attackers from combining safe commands like "npx" with code execution arguments to run malicious commands on the underlying operating system.
A serious vulnerability in Oracle Java SE and related products (JAXP component, which handles XML processing) allows attackers on the network to access sensitive data without needing to log in or interact with a user. The flaw affects multiple versions of Java and can be exploited through web services or untrusted code loaded in Java applications, with a CVSS score (0-10 severity rating) of 7.5 indicating high risk for data theft.
Flowise version 3.0.13 has a vulnerability in its CSV Agent node that allows attackers to run arbitrary code on the server without needing to log in. The flaw occurs because the CSV Agent's `run` method doesn't properly sandbox (isolate) Python code generated by an LLM, and the validation checks that try to block dangerous commands can be bypassed, letting attackers execute system commands through the LLM-generated script.
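The two Flowise issues above share one root cause: a validator that searches generated input for known-bad strings, which an attacker (or a prompt-injected LLM) can route around by spelling the same capability differently. The example below is added here and is not Flowise's code; the denylist, the allowed module set and the payloads are constructed to show the pattern. It contrasts a substring denylist with an AST-based allowlist that rejects any import, name or dunder attribute not explicitly permitted.

```python
import ast

# Substring denylist of the kind a sanitizer might apply to generated code (constructed)
DENYLIST = ("import os", "import subprocess", "os.system", "subprocess.", "eval(", "exec(")


def denylist_check(code: str) -> bool:
    """True if the code passes the substring filter, i.e. would be allowed to run."""
    lowered = code.lower()
    return not any(bad in lowered for bad in DENYLIST)


SAFE_MODULES = {"pandas", "math", "statistics"}
FORBIDDEN_NAMES = {"__import__", "__builtins__", "eval", "exec", "compile", "open",
                   "getattr", "setattr", "delattr", "globals", "locals", "vars",
                   "breakpoint", "input"}


class AllowlistVisitor(ast.NodeVisitor):
    """Reject anything not explicitly permitted instead of searching for known-bad strings."""

    def __init__(self):
        self.violations = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name.split(".")[0] not in SAFE_MODULES:
                self.violations.append(f"import of {alias.name}")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if (node.module or "").split(".")[0] not in SAFE_MODULES:
            self.violations.append(f"import from {node.module}")
        self.generic_visit(node)

    def visit_Attribute(self, node):
        # Dunder attributes are the usual escape hatch: ''.__class__.__mro__[1].__subclasses__()
        if node.attr.startswith("__"):
            self.violations.append(f"dunder attribute {node.attr}")
        self.generic_visit(node)

    def visit_Name(self, node):
        if node.id in FORBIDDEN_NAMES:
            self.violations.append(f"forbidden name {node.id}")
        self.generic_visit(node)


def allowlist_check(code: str) -> list:
    """Return the list of violations; an empty list means only permitted constructs are used."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    visitor = AllowlistVisitor()
    visitor.visit(tree)
    return visitor.violations


# Constructed payloads in the shape an LLM might emit for a "CSV analysis" task
PAYLOADS = {
    "benign": "import pandas as pd\ndf = pd.read_csv('sales.csv')\nprint(round(df['amount'].mean(), 2))",
    "dunder_import": "__import__('os').system('id')",
    "string_splice": "getattr(__builtins__, 'ev' + 'al')('1+1')",
    "mro_walk": "''.__class__.__mro__[1].__subclasses__()",
    "plain_subprocess": "import subprocess\nsubprocess.run(['id'])",
}


def compare():
    """For each payload: (passes the substring denylist?, passes the AST allowlist?)."""
    return {name: (denylist_check(code), allowlist_check(code) == [])
            for name, code in PAYLOADS.items()}
```

Three of the four hostile payloads pass the denylist and every one fails the allowlist. Even so, an AST filter is an input check, not a sandbox: code that passes it should still run in a separate process or container with no network and a read-only filesystem, which is the isolation the CSV Agent advisory says was missing.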
Claude Code, an agentic coding tool (AI that can write and execute code), had a sandbox escape vulnerability before version 2.1.64 where sandboxed processes could create symlinks (shortcuts pointing to files outside their designated area) that allowed writing to locations outside the workspace without user permission. An attacker could exploit this by injecting malicious instructions into Claude Code's input, potentially executing code outside the intended sandbox.
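The DDEV ZipSlip entry and this Claude Code sandbox escape are the same check seen from two sides: a destination path must be confined to a root directory after every '..' segment and every symlink has been resolved, not before. A lexical test on the literal string catches '../evil' but not 'link/notes.txt' when 'link' points outside the workspace. The following is an added example, not code from either project; the entry names and the temporary directories are constructed.

```python
import os
import tempfile


def resolve_inside(root: str, candidate: str) -> str:
    """Return the fully resolved destination of `candidate` under `root`, or raise
    ValueError if it escapes. realpath() covers both '..' segments in an archive entry
    name and a symlink already planted inside root that points elsewhere."""
    real_root = os.path.realpath(root)
    if os.path.isabs(candidate):
        # Absolute entry names are never legitimate in an archive or a sandboxed write.
        raise ValueError(f"absolute path not allowed: {candidate!r}")
    target = os.path.realpath(os.path.join(real_root, candidate))
    # commonpath is a proper path-prefix test; a plain startswith() would accept
    # '/work/space-evil' as being inside '/work/space'.
    if os.path.commonpath([real_root, target]) != real_root:
        raise ValueError(f"{candidate!r} resolves to {target}, outside {real_root}")
    return target


def safe_extract_names(root: str, names):
    """Split archive entry names into (resolved paths that stay inside root, rejected names)."""
    allowed, rejected = [], []
    for name in names:
        try:
            allowed.append(resolve_inside(root, name))
        except ValueError:
            rejected.append(name)
    return allowed, rejected


def traversal_demo():
    """ZipSlip case: constructed entry names as an attacker-controlled tar/zip would carry them."""
    with tempfile.TemporaryDirectory() as root:
        names = ["docs/readme.md", "../.bashrc", "/etc/cron.d/job", "a/../../b", "a/../b"]
        allowed, rejected = safe_extract_names(root, names)
        rel = [os.path.relpath(p, os.path.realpath(root)) for p in allowed]
    return rel, rejected


def symlink_escape_demo() -> bool:
    """Sandbox case: a symlink inside the workspace points at a directory outside it.
    'link/notes.txt' contains no '..', so a lexical check passes; realpath does not."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as ws:
        os.symlink(outside, os.path.join(ws, "link"))
        try:
            resolve_inside(ws, "link/notes.txt")
        except ValueError:
            return True
    return False
```

For archive extraction the check runs per entry before anything is written; for a sandbox it runs on every write, because the symlink may be created by an earlier, individually harmless step.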
LMDeploy, a toolkit for compressing, deploying, and serving large language models, contains a Server-Side Request Forgery vulnerability (SSRF, a flaw that lets attackers trick a server into making requests to unintended targets) in versions before 0.12.3. The vulnerability exists in the `load_image()` function, which downloads images from URLs without checking if those URLs point to private or internal systems, potentially allowing attackers to access sensitive cloud services and internal networks.
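The guard the advisory describes as missing is a destination check on the URL before the server fetches it. The example below is added here and is not LMDeploy's code; the resolver table and the address 8.8.8.8 (used only as a constructed public answer) are made up for the demonstration. It rejects non-HTTP schemes, checks literal IPs (including IPv4-mapped IPv6), and resolves hostnames, refusing the fetch if any returned address is not globally routable.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver answers standing in for DNS (not real records).
CONSTRUCTED_DNS = {
    "images.example": ["8.8.8.8"],
    "intranet.example": ["10.1.2.3"],
    "rebind.example": ["8.8.8.8", "169.254.169.254"],  # one public, one cloud-metadata answer
}


def table_resolver(host, port, *args, **kwargs):
    """getaddrinfo-shaped lookup over CONSTRUCTED_DNS, so the example runs offline."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"no constructed answer for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (ip, port))
            for ip in CONSTRUCTED_DNS[host]]


def public_targets(url: str, resolver=socket.getaddrinfo):
    """Return (hostname, [checked IPs]) for a fetchable URL, or raise ValueError.
    Every resolved address must be globally routable; one bad answer rejects the name."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP; IPv6 literals arrive without brackets
    except ValueError:
        try:
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host}: {exc}") from exc
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    checked = []
    for ip in addrs:
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 is 10.0.0.5 on the wire
        # is_global is False for loopback, RFC 1918, link-local (169.254/16), 100.64/10, etc.
        if not ip.is_global:
            raise ValueError(f"{host} -> {ip} is not globally routable")
        checked.append(ip)
    return host, checked


def fetch_allowed(url: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean wrapper around public_targets for callers that only need a verdict."""
    try:
        public_targets(url, resolver)
        return True
    except ValueError:
        return False


def demo():
    """Verdicts for constructed URLs covering the common SSRF targets."""
    urls = [
        "https://images.example/cat.png",
        "http://intranet.example/",
        "http://rebind.example/",
        "http://127.0.0.1:8000/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:10.0.0.5]/x",
        "file:///etc/passwd",
    ]
    return {u: fetch_allowed(u, table_resolver) for u in urls}
```

Two caveats for a real fetcher: connect to the address that was checked rather than letting the HTTP client resolve the name a second time (a rebinding DNS server can answer differently each time), and disable automatic redirects, re-running the check on each Location header, since a public host can redirect to 169.254.169.254.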
A vulnerability (CVE-2026-6662) was found in ericc-ch copilot-api versions up to 0.7.0 in the CORS function (a security feature that controls which websites can access an API from a web browser) of the token endpoint. The flaw allows a permissive cross-domain policy with untrusted domains, meaning attackers from other websites could potentially access the API remotely, and the exploit has been publicly disclosed.
A vulnerability (CVE-2026-6608) was found in lm-sys fastchat up to version 0.2.36 in the add_text function of the Arena Side-by-Side View Handler component, which allows incorrect control flow (improper program execution logic) that can be exploited remotely. The root cause was partially fixed in commit 34eca62 for one file, but three other files containing the same issue were not corrected.
A vulnerability was found in lm-sys fastchat (a tool for running AI models) up to version 0.2.36 that allows attackers to consume excessive resources by exploiting the api_generate function in the Worker API Endpoint (the part of the software that handles requests from other programs). The attack can be done remotely over the internet, the vulnerability details have been publicly disclosed, and it may already be exploited.
A security flaw (CVE-2026-6600) was found in Langflow (an AI tool) up to version 1.8.3 that allows cross-site scripting (XSS, where attacker-supplied script is injected into a page and runs in other users' browsers). The vulnerability is in a React component (a reusable piece of code in the user interface) that handles message editing, and it can be exploited remotely by someone with login access.
A vulnerability exists in Langflow (an AI application framework) versions up to 1.8.3 in the Model Context Protocol Configuration API, where attackers can manipulate the X-Forwarded-For header (a field that identifies the client's IP address) to perform injection attacks (inserting malicious code into the system). This vulnerability can be exploited remotely, the exploit code is publicly available, and the vendor has not responded to disclosure attempts.
A vulnerability (CVE-2026-6598) was found in langflow-ai langflow versions up to 1.8.3 where the create_project/encrypt_auth_settings function improperly stores sensitive authentication settings in cleartext (unencrypted plain text) on disk instead of protecting them. An attacker can exploit this remotely, and the vulnerability details have been publicly disclosed.
A vulnerability (CVE-2026-6597) was found in langflow-ai langflow version 1.8.3 and earlier, where a function called remove_api_keys/has_api_terms fails to properly protect stored credentials (API keys and authentication information), allowing attackers to access them remotely. The vendor was notified but did not respond, and the exploit details have been publicly released.
A security vulnerability (CVE-2026-6596) was found in Langflow (an AI tool) version 1.1.0 and earlier, affecting a file upload function in the API. The flaw allows unrestricted file uploads (meaning attackers can upload any type of file without proper checks), and it can be exploited remotely without requiring authentication or user interaction.
Fix: @paperclipai/server version 2026.416.0 fixes the issue.
NVD/CVE Database
Marimo has a pre-authentication remote code execution vulnerability (RCE, where an attacker can run commands on a system they don't control) that lets unauthenticated attackers gain shell access and execute arbitrary commands without logging in. This vulnerability is actively being exploited in real-world attacks.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA Known Exploited Vulnerabilities
Fix: Upgrade to `engramx@2.0.2` or later. This version applies the following fixes: (1) requires authentication (Bearer token or HttpOnly cookie) on all non-public routes, (2) removes the wildcard CORS policy entirely and requires explicit opt-in via `ENGRAM_ALLOWED_ORIGINS`, (3) validates the Host and Origin headers to prevent DNS rebinding attacks, (4) enforces `Content-Type: application/json` on data modifications to block CSRF vectors, and (5) protects the UI bootstrap with `Sec-Fetch-Site` validation to prevent cross-origin probing.
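The engram entry earlier on this page and the fix list above describe the standard hardening for an HTTP API that listens on localhost: a site you visit can reach 127.0.0.1 from your browser, and with DNS rebinding it can do so without even tripping the same-origin policy. The request gate below is an added example written to mirror the five listed fixes; it is not the engramx code, and the port, token, paths and headers are constructed. It returns "ok" or the name of the first failed check.

```python
import hmac
from urllib.parse import urlsplit

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def gate(method, path, headers, *, port, token,
         allowed_origins=frozenset(), public_paths=frozenset({"/", "/health"})):
    """Return 'ok' if the request may proceed, otherwise the name of the failed check.
    `headers` is a dict with lower-case keys, as most frameworks expose it."""
    # 1. Host must name the loopback listener. Under DNS rebinding the browser has
    #    resolved attacker.example to 127.0.0.1 and sends that name as Host.
    try:
        host = urlsplit("//" + headers.get("host", ""))
        if host.hostname not in LOOPBACK_NAMES or host.port not in (None, port):
            return "host"
    except ValueError:  # malformed port
        return "host"
    # 2. No wildcard CORS: a browser-supplied Origin must be explicitly opted in.
    origin = headers.get("origin")
    if origin is not None and origin not in allowed_origins:
        return "origin"
    # 3. Mutations require JSON. An HTML form cannot send application/json, and a
    #    cross-site fetch() with that type triggers a CORS preflight, which (2) fails.
    if method in MUTATING:
        ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
        if ctype != "application/json":
            return "content-type"
    # 4. The UI bootstrap is served only to direct ("none") or same-origin navigations.
    #    A missing header (curl, older clients) is accepted; that is a design assumption here.
    if path == "/" or path.startswith("/ui/"):
        site = headers.get("sec-fetch-site")
        if site is not None and site not in ("same-origin", "none"):
            return "sec-fetch-site"
    # 5. Everything not public needs the bearer token, compared in constant time.
    if path not in public_paths:
        presented = headers.get("authorization", "").encode()
        if not hmac.compare_digest(presented, ("Bearer " + token).encode()):
            return "auth"
    return "ok"


def demo(port=7777, token="s3cret"):
    """Constructed requests: one legitimate client and the attack shapes the fixes address."""
    base = {"host": f"127.0.0.1:{port}", "authorization": f"Bearer {token}"}
    cases = {
        "legit_api_read": ("GET", "/api/graph", base),
        "dns_rebinding": ("GET", "/api/graph", {**base, "host": f"attacker.example:{port}"}),
        "drive_by_origin": ("GET", "/api/graph", {**base, "origin": "https://evil.example"}),
        "form_csrf": ("POST", "/api/memory",
                      {**base, "content-type": "application/x-www-form-urlencoded"}),
        "ui_probe": ("GET", "/", {"host": base["host"], "sec-fetch-site": "cross-site"}),
        "no_token": ("GET", "/api/graph", {"host": base["host"]}),
        "public_health": ("GET", "/health", {"host": base["host"]}),
    }
    return {name: gate(m, p, h, port=port, token=token) for name, (m, p, h) in cases.items()}
```

The checks are ordered so the cheapest network-level rejections (Host, Origin) happen before the token is even looked at, and the token comparison uses hmac.compare_digest so a wrong token cannot be guessed byte by byte through timing.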
GitHub Advisory Database
Fix: Update Flowise to version 3.1.0 or later, where this vulnerability is fixed.
NVD/CVE Database
Fix: Update to Claude Code version 2.1.64 or later. The source states: 'Users on standard Claude Code auto-update have received this fix automatically. Users performing manual updates are advised to update to version 2.1.64 or later.'
NVD/CVE Database
Fix: Update LMDeploy to version 0.12.3 or later, which patches the issue.
NVD/CVE Database
Fix: Install the patch identified by commit c9e84b89c91d45191dc24466888de526fa04cf33. Note that commit ff66426 patched the api_generate function in base_model_worker.py but missed other entry points (other places in the code where the same issue occurs).
NVD/CVE Database