Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
JWCrypto version 1.5.6 has a weakness in its protection against decompression bomb attacks (where compressed data expands to huge sizes). The code only checks the size of the compressed input (limiting it to 250KB), but does not check the size of the decompressed output, allowing an attacker to send a small token that expands to 100MB or more in memory, causing denial of service (a crash from running out of memory) on resource-constrained devices.
Fix: The actual solution is implemented in version 1.5.7, as noted in the resolving commit. (The source does not provide explicit details of the fix itself, only that v1.5.7 contains the corrected implementation.)
GitHub Advisory DatabaseA mutation XSS (cross-site scripting, where attackers inject malicious code through HTML) vulnerability was found in the justhtml library when using custom sanitization policies that preserve foreign namespaces like SVG or MathML. Specially crafted input could pass through sanitization appearing safe, but then become dangerous when a browser or parser processes it again. This only affects users with custom policies; the default settings are safe.
LiteLLM had three security flaws that combined to allow attackers to take over user accounts: passwords were stored using weak SHA-256 hashing without salt (making them easy to crack with rainbow tables, which are pre-computed lists of password hashes), the password hashes were exposed in API responses that any logged-in user could access, and the login endpoint accepted raw hashes instead of requiring the actual password (a vulnerability called pass-the-hash). An attacker could retrieve another user's password hash through the API and use it directly to log in as that user.
LibreChat, a ChatGPT alternative with extra features, had a vulnerability in versions before 0.8.4 where it didn't properly validate filenames from its code execution sandbox, allowing attackers to write files anywhere on the server using path traversal (sequences like ../ that navigate to parent directories). Any user able to run code through the sandbox could exploit this to write arbitrary files with the permissions of the LibreChat server.
The java-sdk has a DNS rebinding vulnerability (an attack where a hacker tricks your browser into accessing a private server by manipulating domain name resolution) that allows attackers to make tool calls to local or private MCP (model context protocol, a system for AI agents to interact with tools) servers if you visit a malicious website. This happens because the java-sdk wasn't validating the Origin header (a security check that confirms requests come from trusted sources) before version 1.0.0, violating the MCP specification.
OpenTelemetry-Go has a denial-of-service vulnerability where the library parses multiple `baggage` HTTP headers (a standard for distributed tracing metadata) separately instead of treating them as one combined value. An attacker can send many baggage header lines to force the server to waste CPU and memory on repeated parsing work, even though each individual header stays within size limits, causing high latency and excessive allocations per request.
NVIDIA Triton Inference Server has a vulnerability (CVE-2026-24175) where an attacker can crash the server by sending a malformed request header, potentially causing a denial of service (disruption of normal service). The vulnerability stems from an uncaught exception (an error that the program doesn't handle properly), which allows attackers to exploit this weakness.
NVIDIA Triton Inference Server has a vulnerability (CVE-2026-24174) where an attacker can crash the server by sending a malformed request (a request with incorrect formatting), causing a denial of service (when a system becomes unavailable to legitimate users). The vulnerability stems from incorrect conversion between numeric types (the software not properly handling different number formats).
NVIDIA Triton Inference Server has a vulnerability (CVE-2026-24173) where an attacker can send a malformed request to crash the server, causing a denial of service (when a service becomes unavailable due to an attack). The vulnerability is related to integer overflow or wraparound (when a number exceeds the maximum value a system can store, causing unexpected behavior).
CVE-2026-24147 is a vulnerability in NVIDIA Triton Inference Server (a tool that runs AI models) where an attacker can upload a malicious model configuration file to cause information disclosure (exposing sensitive data) or denial of service (making the system unavailable). The vulnerability stems from improper path traversal (a flaw that lets attackers access files outside intended directories) validation when handling uploaded files.
NVIDIA Triton Inference Server has a vulnerability where it doesn't properly check user inputs and can crash when given a large number of outputs, potentially causing a denial of service (making the server unavailable to users). The vulnerability stems from excessive memory allocation triggered by malformed input.
CVE-2026-35487 is a path traversal vulnerability (a flaw that lets attackers read files outside the intended directory) in text-generation-webui, an open-source tool for running large language models through a web interface. Before version 4.3, attackers could exploit the load_prompt() function without logging in to read any .txt file on the server and see its contents in the API response.
text-generation-webui, an open-source web interface for running Large Language Models, has a vulnerability in versions before 4.3 where the superbooga and superboogav2 RAG extensions (tools that fetch external documents to help answer questions) accept user-provided URLs without checking them for safety. This allows attackers to access cloud metadata endpoints (services that store sensitive credentials in cloud environments) and steal IAM credentials (identity and access management tokens that control what users can do). The vulnerability is fixed in version 4.3.
text-generation-webui, an open-source web interface for running Large Language Models, has a path traversal vulnerability (a security flaw where an attacker can access files outside the intended directory) in versions before 4.3. An unauthenticated attacker can exploit this by sending specially crafted requests through the API to read any file on the server, because Gradio (the framework it uses) does not validate user input on the server side.
CVE-2026-35484 is a path traversal vulnerability (a bug where an attacker can access files outside the intended folder) in text-generation-webui, an open-source tool for running large language models through a web interface. Before version 4.3, attackers could read any .yaml file (a configuration file format) on the server without needing to log in, potentially exposing sensitive data like passwords and API keys in the response.
CVE-2026-35483 is a path traversal vulnerability (a flaw that lets attackers read files outside intended directories) in text-generation-webui, an open-source tool for running large language models. Versions before 4.3 allow unauthenticated attackers to read files with extensions like .jinja, .jinja2, .yaml, or .yml from anywhere on the server.
MLflow has a security flaw called an authorization bypass (a weakness where access controls are not properly checked) in its AJAX endpoint (a web interface used to download model files) that allows users without permission to download saved model artifacts they shouldn't be able to access. This affects MLflow versions up to 3.10.1 and has a CVSS score (a 0-10 rating of severity) of 5.3, considered medium severity.
MLflow has a stored XSS vulnerability (cross-site scripting, where malicious code hidden in data executes when viewed in a web browser) in how it handles YAML-based MLmodel artifact files. An authenticated attacker can upload a specially crafted MLmodel file that runs malicious code when another user views it in the web interface, potentially letting the attacker hijack sessions or perform actions as that user. This affects MLflow version 3.10.1 and earlier.
A vulnerability in HuggingFace Transformers' `Trainer` class (a tool for training AI models) allows attackers to run arbitrary code by providing a malicious checkpoint file. The problem occurs because the `_load_rng_state()` method uses `torch.load()` without the `weights_only=True` parameter (a safety setting that restricts what code can run), leaving systems vulnerable when using PyTorch versions below 2.6.
Anthropic's Claude Code CLI and Claude Agent SDK have a vulnerability where authentication helper settings are executed with shell=true (allowing shell commands to run) without checking the input first. An attacker who can change settings like apiKeyHelper or awsAuthRefresh could inject shell metacharacters (special characters that have meaning in command shells) to run arbitrary commands with the user's privileges, potentially stealing credentials or accessing environment variables.
Fix: Upgrade to justhtml version 1.14.0 or later. If you cannot upgrade immediately, keep `drop_foreign_namespaces=True`, avoid allowlisting foreign namespaces for untrusted input, and avoid allowlisting raw-text containers such as `<style>` in custom policies.
GitHub Advisory DatabaseFix: Fixed in v1.83.0. Passwords are now hashed with scrypt (a much stronger algorithm using a random 16-byte salt with parameters n=16384, r=8, p=1). Password hashes are stripped from all API responses. Existing SHA-256 hashes are transparently migrated to the new format on the user's next login.
GitHub Advisory DatabaseFix: This vulnerability is fixed in version 0.8.4.
NVD/CVE DatabaseFix: Users can mitigate this risk by: 1) Running the MCP server behind a reverse proxy (a security layer like Nginx or HAProxy that forwards requests and can validate headers) configured to strictly validate the Host and Origin headers, or 2) Using a framework that inherently enforces strict CORS (cross-origin resource sharing, a browser security feature that controls which websites can access your data) and Origin validation, such as Spring AI.
GitHub Advisory DatabaseFix: The source recommends: "avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total)." The fix is accepted when allocations and parsing operations stay within 2x of baseline and response latency (p95) stays below 2ms.
GitHub Advisory DatabaseFix: Update text-generation-webui to version 4.3 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Update text-generation-webui to version 4.3 or later.
NVD/CVE DatabaseFix: Update text-generation-webui to version 4.3 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 4.3. Users should update text-generation-webui to version 4.3 or later.
NVD/CVE DatabaseFix: Update to version 4.3 or later. The vulnerability is fixed in 4.3.
NVD/CVE DatabaseFix: The issue is resolved in version v5.0.0rc3.
NVD/CVE Database