aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI & LLM Vulnerabilities

Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.

2137 items

CVE-2026-34760: vLLM is an inference and serving engine for large language models (LLMs). From version 0.5.5 to before version 0.18.0, L

medium | vulnerability | security
security
Apr 2, 2026
CVE-2026-34760

vLLM versions 0.5.5 through 0.17.x have a bug where Librosa (a library that processes audio) uses a simple averaging method for mono downmixing (converting multi-channel audio to single-channel), but the international standard ITU-R BS.775-4 requires a weighted algorithm instead. This causes audio to sound different to humans than what AI models actually process, creating a mismatch in how the same audio is experienced.

Fix: This issue has been patched in version 0.18.0.

NVD/CVE Database

GHSA-3hfp-gqgh-xc5g: Axios supply chain attack - dependency in @lightdash/cli may resolve to compromised axios versions

critical | vulnerability | security
Apr 2, 2026

A supply chain attack compromised the axios npm package (versions 1.14.1 and 0.30.4) by injecting a malicious dependency that installs a RAT (remote access trojan, malware giving attackers shell access and command execution). The @lightdash/cli package could resolve to these compromised axios versions during installation, potentially affecting users who installed @lightdash/cli versions 0.1800.0 through 0.2695.0 without a lockfile (a file that pins exact dependency versions) during the roughly 3-hour window the malicious versions were available on npm.

Fix: Upgrade @lightdash/cli immediately to version 0.2695.1, which pins axios to the safe version 1.14.0, using: `npm install -g @lightdash/cli@0.2695.1`. If unable to upgrade immediately, force install the safe axios version with `npm install -g axios@1.14.0 --force`. For Docker images or lockfile-based setups, verify axios is not version 1.14.1 or 0.30.4 by running `npm ls axios`. Additionally, block network traffic to the attacker's command-and-control servers (`sfrclak[.]com` and `142.11.206.73:8000`) at the network level. If compromise is suspected, check for RAT artifacts (macOS: `/Library/Caches/com.apple.act.mond`, Windows: `%PROGRAMDATA%\wt.exe`, Linux: `/tmp/ld.py`), and if found, rotate all credentials and secrets.

GitHub Advisory Database

CVE-2026-34526: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

medium | vulnerability | security
Apr 2, 2026
CVE-2026-34526

SillyTavern, a local application that lets users interact with AI text generation models and other AI tools, had a security flaw in versions before 1.17.0 where it didn't properly validate all types of network addresses. The validation only checked for standard IPv4 addresses (like 127.0.0.1) but missed other ways to refer to the local computer, such as 'localhost' or IPv6 addresses, which could allow SSRF (server-side request forgery, where an attacker tricks the application into making unwanted network requests to internal services).

Fix: Update to version 1.17.0 or later, where this issue has been patched.

NVD/CVE Database

CVE-2026-34524: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

high | vulnerability | security
Apr 2, 2026
CVE-2026-34524

SillyTavern is a locally installed interface for interacting with text generation AI models and related tools. Before version 1.17.0, it had a path traversal vulnerability (a flaw where an attacker can access files outside the intended directory) that allowed authenticated attackers to read and delete arbitrary files like secrets.json and settings.json by manipulating the avatar_url parameter.

Fix: This issue has been patched in version 1.17.0. Users should update to version 1.17.0 or later.

NVD/CVE Database

CVE-2026-34523: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

medium | vulnerability | security
Apr 2, 2026
CVE-2026-34523

SillyTavern is a locally installed interface for interacting with text generation models and AI tools. Before version 1.17.0, it had a path traversal vulnerability (a flaw that lets attackers access files outside the intended directory) that allowed unauthenticated users to check whether files exist anywhere on the server by sending specially encoded requests with "../" sequences to the file routes.

Fix: This issue has been patched in version 1.17.0.

NVD/CVE Database

CVE-2026-34522: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

high | vulnerability | security
Apr 2, 2026
CVE-2026-34522

SillyTavern, a locally installed interface for interacting with AI text generation models, had a path traversal vulnerability (a flaw that lets attackers write files outside the intended directory) in its /api/chats/import feature prior to version 1.17.0. An authenticated attacker could exploit this by injecting traversal sequences into the character_name field to place malicious files outside the chats directory.

Fix: This issue has been patched in version 1.17.0. Users should upgrade to version 1.17.0 or later.

NVD/CVE Database

GHSA-r5fr-rjxr-66jc: lodash vulnerable to Code Injection via `_.template` imports key names

high | vulnerability | security
Apr 1, 2026
CVE-2026-4800

The lodash library has a code injection vulnerability in its `_.template` function (a tool that generates reusable text templates with dynamic values). Attackers can inject malicious code through the `options.imports` parameter, either by passing untrusted input as key names or by exploiting prototype pollution (a technique where attackers modify the default object properties that all objects inherit from). This allows arbitrary code to run when a template is compiled.

Fix: Users should upgrade to lodash version 4.18.0. The fix validates import key names using the same security checks applied to the `variable` option, and it changes how imports are merged to prevent inherited properties from being included.

GitHub Advisory Database

GHSA-f23m-r3pf-42rh: lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

medium | vulnerability | security
Apr 1, 2026
CVE-2026-2950

Lodash versions 4.17.23 and earlier have a vulnerability in the `_.unset` and `_.omit` functions that allows prototype pollution (modifying built-in object templates like Object.prototype that affect all objects). An attacker can bypass the previous security fix by using array-wrapped path segments to delete properties from these core prototypes, though they cannot change how those prototypes work.

Fix: Upgrade to Lodash version 4.18.0 or later. The source states: 'This issue is patched in 4.18.0.'

GitHub Advisory Database

GHSA-q56x-g2fj-4rj6: ONNX: TOCTOU arbitrary file read/write in save_external_dat

high | vulnerability | security
Apr 1, 2026

ONNX's `save_external_data` method contains a TOCTOU vulnerability (time-of-check-time-of-use, a gap between checking if a file exists and using it) that allows attackers to overwrite arbitrary files by creating symlinks (shortcuts to other files) between those two operations. The code also has a potential path validation bypass on Windows systems that may allow absolute paths to be used.

GitHub Advisory Database

GHSA-44c2-3rw4-5gvh: PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL

high | vulnerability | security
Apr 1, 2026
CVE-2026-34954

PraisonAI's `FileTools.download_file()` function has a security flaw called SSRF (server-side request forgery, where a server is tricked into making requests to unintended targets) because it doesn't validate URLs before downloading files. An attacker can make it download from internal services or cloud metadata endpoints, potentially stealing credentials or accessing restricted information.

Fix: The advisory provides a suggested fix that validates URLs by checking that the scheme is http or https, and blocking requests to private/reserved IP ranges (127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) using the `urllib.parse` and `ipaddress` Python modules. The fix includes a `_validate_url()` function that raises a ValueError if a blocked address is detected. Additionally, the code should be updated to call this validation function before passing the URL to `httpx.stream()`, and `follow_redirects=True` should be reconsidered to prevent redirect-based bypasses.

GitHub Advisory Database

GHSA-r4f2-3m54-pp7q: PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox

high | vulnerability | security
Apr 1, 2026
CVE-2026-34955

PraisonAI's SubprocessSandbox has a critical security flaw where it uses `shell=True` (a setting that makes subprocess execute commands through a shell) and only blocks certain command names, but doesn't block `sh` or `bash` executables, allowing attackers to escape the sandbox by running commands like `sh -c '<command>'` even in STRICT mode. This means security protections meant to isolate untrusted AI code can be bypassed, giving attackers access to the network, files, and system information.

Fix: In the `subprocess.run()` call, pass `shlex.split(command)` (a function that safely parses command strings into an argument list) instead of the raw command string, and set `shell=False` to disable shell interpretation. Specifically, change from `subprocess.run(command, shell=True, ...)` to `subprocess.run(shlex.split(command), shell=False, cwd=cwd, env=env, capture_output=capture_output, text=True, timeout=timeout)`.

GitHub Advisory Database

GHSA-x6m9-gxvr-7jpv: PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback

high | vulnerability | security
Apr 1, 2026
CVE-2026-34936

PraisonAI's `passthrough()` function accepts a user-controlled `api_base` parameter (the server address to send requests to) and uses it without validation when the primary request method fails. This allows an attacker to make the server send requests to any address it can reach, including internal services like cloud metadata servers that contain sensitive credentials, a vulnerability called SSRF (server-side request forgery, where an attacker tricks a server into requesting internal resources). The flaw affects PraisonAI version 1.5.87 and potentially others.

GitHub Advisory Database

GHSA-w37c-qqfp-c67f: PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution

high | vulnerability | security
Apr 1, 2026
CVE-2026-34937

PraisonAI's `run_python()` function has a shell injection vulnerability (a security flaw where attackers can sneak in operating system commands) because it doesn't properly escape shell metacharacters like `$()` and backticks when building commands. An attacker can inject arbitrary OS commands by embedding `$()` in code passed to the function, leading to full command execution on the system.

GitHub Advisory Database

GHSA-6vh2-h83c-9294: PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code

critical | vulnerability | security
Apr 1, 2026
CVE-2026-34938

The `execute_code()` function in PraisonAI uses a sandbox to restrict what Python code can do, but attackers can bypass all three security layers by creating a custom `str` subclass (a modified version of the string type) with an overridden `startswith()` method, allowing them to run arbitrary OS commands on the host system. This is especially dangerous because many deployments auto-approve code execution without human review, so an attacker could trigger the vulnerability silently through indirect prompt injection (sneaking malicious instructions into the AI's input).

GitHub Advisory Database

CVE-2026-34447: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0,

medium | vulnerability | security
Apr 1, 2026
CVE-2026-34447

ONNX (Open Neural Network Exchange, a standard format for sharing machine learning models) versions before 1.21.0 have a symlink traversal vulnerability (a flaw where attackers can follow symbolic links to access files outside the intended model directory), allowing unauthorized reading of files outside the model directory. This vulnerability affects how ONNX loads external data when processing models.

Fix: This issue has been patched in version 1.21.0. Users should upgrade to ONNX version 1.21.0 or later.

NVD/CVE Database

CVE-2026-34446: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0,

medium | vulnerability | security
Apr 1, 2026
CVE-2026-34446

ONNX (Open Neural Network Exchange, a standard format for sharing machine learning models) has a security flaw in versions before 1.21.0 where its file-loading function checks for symlinks (shortcuts to files) but misses hardlinks (alternate names pointing to the same file), allowing attackers to bypass path traversal protections (restrictions that prevent accessing files outside an intended folder).

Fix: Update ONNX to version 1.21.0 or later, where this issue has been patched.

NVD/CVE Database

CVE-2026-34445: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0,

high | vulnerability | security
Apr 1, 2026
CVE-2026-34445

ONNX (Open Neural Network Exchange, a standard format for sharing machine learning models) had a vulnerability in versions before 1.21.0 where it didn't properly validate data loaded from model files, allowing an attacker to craft a malicious model that could overwrite internal object properties. An attacker could exploit this by embedding specially crafted metadata (like file paths) into an ONNX model file that would be processed without proper checks.

Fix: Update ONNX to version 1.21.0 or later, where this issue has been patched.

NVD/CVE Database

CVE-2026-27489: Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. Prior to version 1.21.0,

high | vulnerability | security
Apr 1, 2026
CVE-2026-27489

ONNX (Open Neural Network Exchange, a standard format for sharing machine learning models) versions before 1.21.0 have a path traversal vulnerability via symlink (a shortcut that points to files outside its intended folder), allowing attackers to read arbitrary files outside the model or user-provided directory. This vulnerability has a CVSS score (0-10 severity rating) of 8.7, indicating high severity.

Fix: Update to ONNX version 1.21.0 or later, where this issue has been patched.

NVD/CVE Database

GHSA-ghq9-vc6f-8qjf: TorchGeo Remote Code Execution Vulnerability

high | vulnerability | security
Mar 31, 2026
CVE-2024-49048

TorchGeo versions 0.4 through 0.6.0 had a critical vulnerability where the `eval` function (a Python function that executes code from text input) was used in the model weight API, allowing attackers to run arbitrary commands on systems using the library. Any platform exposing TorchGeo's get_weight() or trainers functions publicly was at risk.

Fix: The `eval` statement was replaced with a fixed enum lookup (a safer way to match input to predefined options). Users are encouraged to upgrade to TorchGeo 0.6.1 or newer. For unpatched versions, input validation and sanitization (checking and cleaning user input before processing) can be used to avoid the vulnerability.

GitHub Advisory Database

GHSA-g86v-f9qv-rh6m: OpenClaw SSRF guard misses four IPv6 special-use ranges

low | vulnerability | security
Mar 31, 2026

OpenClaw had a vulnerability in its SSRF guard (a security check that blocks requests to internal network addresses), which incorrectly classified certain IPv6 special-use ranges (reserved address groups in the newer internet protocol) as public. This allowed attackers to potentially access internal or non-routable addresses that should have been blocked.

Fix: Update OpenClaw to version 2026.3.28 or later. The fix was implemented in commit d61f8e5672 with the change "Net: block missing IPv6 special-use ranges."

GitHub Advisory Database