Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Cursor, a code editor designed for AI-assisted programming, has a vulnerability in versions before 1.3.9 where it can write files to a workspace without asking the user for permission. An attacker can exploit this by using prompt injection (tricking the AI by hiding instructions in its input) combined with this flaw to modify editor configuration files and achieve RCE (remote code execution, where an attacker can run commands on a system they don't own) without the user's knowledge.
Fix: Update Cursor to version 1.3.9 or later, where this vulnerability is fixed.
NVD/CVE Database1Panel is a web management tool that controls websites, files, containers (isolated software environments), databases, and AI models on Linux servers. In versions 2.0.5 and earlier, the tool's HTTPS connection (encrypted communication) between its core system and agent components doesn't fully verify certificates (digital identification documents), allowing attackers to gain unauthorized access and execute arbitrary commands on the server.
Cursor, a code editor that uses AI to help with programming, has a vulnerability in versions below 1.3 where Mermaid (a diagram rendering tool) can embed images that leak sensitive information to an attacker's server. An attacker could exploit this by using prompt injection (tricking the AI by hiding instructions in its input) through malicious data like websites, uploaded images, or source code, potentially stealing data when the images are fetched.
Cursor is a code editor designed for programming with AI that has a vulnerability in versions below 1.3. If a user changes Cursor's default settings to use an allowlist (a list of approved commands), an attacker can bypass this protection by using backticks (`) or $(cmd) syntax to run arbitrary commands (unrestricted code execution) without permission, especially when combined with indirect prompt injection (tricking the AI through hidden instructions in input).
CVE-2025-45150 is a vulnerability in LangChain-ChatGLM-Webui (a tool that combines language models with a web interface) caused by insecure permissions (CWE-732, which means access controls are set incorrectly on important resources). Attackers can exploit this flaw by sending specially crafted requests to view and download sensitive files they shouldn't be able to access.
The modelscope/ms-swift library up to version 2.6.1 has a critical vulnerability where it unsafely deserializes (reconstructs objects from saved data) untrusted files using pickle.load(), a Python function that can run arbitrary code during deserialization. Attackers can exploit this by tricking users into loading a malicious checkpoint file during model training, executing code on their machine while keeping the training process running normally so the user doesn't notice the attack.
A WordPress plugin called 'Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery' has a stored cross-site scripting vulnerability (XSS, a security flaw where attackers inject malicious code into a website that runs when others visit it) in its comment feature through version 26.1.0. Because the plugin doesn't properly clean and validate user input, unauthenticated attackers can inject harmful scripts that will execute for anyone viewing the affected pages.
The dedupe Python library (which uses machine learning for fuzzy matching, deduplication, and entity resolution on structured data) had a critical vulnerability in its GitHub Actions workflow that allowed attackers to trigger code execution by commenting @benchmark on pull requests, potentially exposing the GITHUB_TOKEN (a credential that grants access to modify repository contents) and leading to repository takeover.
BentoML versions 1.4.0 to 1.4.19 have an SSRF vulnerability (server-side request forgery, where an attacker tricks a server into making requests to internal or restricted addresses) in their file upload feature. An unauthenticated attacker can exploit this to force the server to download files from any URL, including internal network addresses and cloud metadata endpoints (services that store sensitive information), without any validation.
LangChain AI version 0.3.51 contains an indirect prompt injection vulnerability (a technique where attackers hide malicious instructions in data like emails to trick AI systems) in its GmailToolkit component that could allow attackers to run arbitrary code through crafted emails. However, the supplier disputes this, arguing the actual vulnerability comes from user code that doesn't follow LangChain's security guidelines rather than from LangChain itself.
A sandbox escape vulnerability (a security flaw allowing code to break out of a restricted execution environment) was found in huggingface/smolagents version 1.14.0 that lets attackers bypass safety restrictions and achieve remote code execution (RCE, running commands on a system they don't own). The flaw is in the local_python_executor.py module, which failed to properly block Python code execution even though it had safety checks in place.
skops is a Python library for sharing scikit-learn machine learning models. Versions 0.11.0 and below have a flaw in MethodNode that allows attackers to access unexpected object fields using dot notation, potentially leading to arbitrary code execution (running any code on a system) when loading a model file.
skops is a Python library for sharing scikit-learn (a machine learning toolkit) based models. Versions 0.11.0 and below have a flaw in the OperatorFuncNode component that allows attackers to hide the execution of untrusted code, potentially leading to arbitrary code execution (running any commands on a system). This vulnerability can be exploited through code reuse attacks that make unsafe functions appear trustworthy.
OpenAI Codex CLI versions before 0.9.0 have a security flaw where ripgrep (a command-line search tool) can be executed automatically without requiring user approval, even when security flags like --pre, --hostname-bin, or --search-zip are used. This means an attacker could potentially run ripgrep commands without proper user consent.
The AI Engine WordPress plugin (a tool that adds AI features to WordPress websites) has a security flaw in versions up to 2.9.4 where the simpleTranscribeAudio endpoint (a connection point for audio transcription) fails to check what types of file locations are allowed before accessing files. This allows attackers with basic user access to read any file on the web server and steal it through the plugin's OpenAI integration (connection to OpenAI's service).
Roo Code is an AI coding agent that runs inside code editors, but versions 3.23.18 and earlier have a vulnerability where it doesn't check for line breaks in commands, allowing attackers to bypass the allow-list (a list of approved commands) by hiding extra commands on new lines. The tool only checks the first line of input when deciding whether to run a command, so attackers can inject additional malicious commands after a line break.
Ollama version 0.6.7 has a cross-domain token exposure vulnerability (CVE-2025-51471) in its authentication system where attackers can steal authentication tokens and bypass access controls by sending a malicious realm value in a WWW-Authenticate header (a standard web authentication response) through the /api/pull endpoint. This allows remote attackers, who don't need existing access, to gain unauthorized entry to the system.
CVE-2025-51480 is a path traversal vulnerability (a flaw where attackers use special sequences like '../' to access files outside intended directories) in ONNX 1.17.0's save_external_data function that allows attackers to overwrite arbitrary files by supplying malicious file paths. The vulnerability bypasses the intended directory restrictions that should prevent this kind of file manipulation.
CVE-2025-51863 is a self XSS (cross-site scripting, where an attacker tricks a user into running malicious code on a website by injecting it into the page) vulnerability in ChatGPT Unli that was present through May 26, 2025. The vulnerability allows attackers to execute arbitrary code (run any commands they want) by uploading a specially crafted SVG file (a type of image format) to the chat interface.
Chaindesk has a stored XSS vulnerability (cross-site scripting, where malicious code is saved and runs in users' browsers) in its chat feature through May 26, 2025. An attacker can trick the AI agent's system prompt (the instructions that control how an LLM behaves) to output harmful scripts that execute when users view conversations, potentially stealing session tokens (security credentials that prove who you are) and taking over accounts.
Fix: Fixed in version 2.0.6. Users should update to this version or later.
NVD/CVE DatabaseFix: This issue is fixed in version 1.3. Users should update Cursor to version 1.3 or later.
NVD/CVE DatabaseFix: This is fixed in version 1.3.
NVD/CVE DatabaseFix: This is fixed by commit 3f61e79.
NVD/CVE DatabaseFix: Upgrade to version 1.4.19 or later, which contains a patch for the issue.
NVD/CVE DatabaseFix: The issue is resolved in version 1.17.0.
NVD/CVE DatabaseFix: This is fixed in version 12.0.0. Users should update to version 12.0.0 or later.
NVD/CVE DatabaseFix: Update to version 0.12.0, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update OpenAI Codex CLI to version 0.9.0 or later.
NVD/CVE DatabaseFix: This is fixed in version 3.23.19.
NVD/CVE DatabaseFix: Patches are available through pull requests #6959 and #7040 on the ONNX GitHub repository (https://github.com/onnx/onnx/pull/6959 and https://github.com/onnx/onnx/pull/7040).
NVD/CVE Database