Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
Baltimore has become the first major U.S. city to sue Elon Musk's xAI over its Grok image generator, which can create deepfakes (AI-manipulated videos or images that realistically fake someone's appearance or actions) of non-consensual sexual content involving women and children. The lawsuit claims xAI violated consumer protection laws by marketing Grok and X as safe while allowing mass creation of non-consenting intimate images (sexually explicit content created without permission) and child sexual abuse material. Baltimore is asking the court to force xAI to stop targeting its residents, redesign its platforms to prevent exploitation, and change its marketing practices.
Wallos, an open-source tool for tracking subscriptions that users can run on their own servers, had incomplete security protections in versions before 4.7.0. A logged-in attacker could bypass these protections by sending specially crafted web addresses to three different features (AI Ollama settings, AI recommendations, and notification scheduling), allowing them to reach internal systems or cloud configuration services they shouldn't access.
Langflow versions before 1.9.0 have a shell injection vulnerability in GitHub Actions workflows where unsanitized GitHub context variables (like branch names and pull request titles) are directly inserted into shell commands, allowing attackers to execute arbitrary commands and steal secrets like the GITHUB_TOKEN by creating a malicious branch or pull request. This vulnerability can lead to secret theft, infrastructure manipulation, or supply chain compromise during CI/CD (continuous integration/continuous deployment, the automated testing and deployment process) execution.
New API, an LLM (large language model) gateway and AI asset management system, had a vulnerability before version 0.11.4-alpha.2 that allowed any logged-in user to view videos belonging to other users through the video proxy endpoint. The problem was an IDOR vulnerability (insecure direct object reference, a flaw where the system doesn't check if a user owns the data they're requesting), caused by a function that checked only the video ID without verifying the user owned it.
PyTorch 2.10.0 contains a vulnerability in its pt2 Loading Handler component that allows unsafe deserialization (loading data in a way that can execute unintended code) through an unknown function. The vulnerability can only be exploited locally (by someone with access to the affected computer), but an exploit is publicly available, and the PyTorch team has not yet responded to the initial report.
A SQL injection vulnerability (CVE-2026-4530) has been found in apconw Aix-DB up to version 1.2.3, where an attacker can manipulate the Description argument in the file agent/text2sql/rag/terminology_retriever.py to execute unauthorized SQL commands (SQL injection, a type of attack where an attacker inserts malicious database commands into input fields). The attack requires local access, the exploit is public, and the vendor has not responded to the disclosure.
Langflow's /profile_pictures/{folder_name}/{file_name} endpoint has a path traversal vulnerability (a flaw where attackers use ../ sequences to access files outside the intended directory). The folder_name and file_name parameters aren't properly validated, allowing attackers to read the secret_key file across directories. Since the secret_key is used for JWT authentication (a token system that verifies who you are), an attacker can forge login tokens and gain unauthorized access to the system.
The h3 library's EventStream class fails to remove carriage return characters (`\r`, a line break in the Server-Sent Events protocol) from `data` and `comment` fields, allowing attackers to inject fake events or split a single message into multiple events that browsers parse separately. This bypasses a previous fix that only removed newline characters (`\n`).
etcd (a distributed key-value store used in systems like Kubernetes) has multiple authorization bypass vulnerabilities that let unauthorized users call sensitive functions like MemberList, Alarm, Lease APIs, and compaction when the gRPC API (a communication protocol for remote procedure calls) is exposed to untrusted clients. These vulnerabilities are patched in etcd versions 3.6.9, 3.5.28, and 3.4.42, and typical Kubernetes deployments are not affected because Kubernetes handles authentication separately.
Langflow has a vulnerability where the image download endpoint (`/api/v1/files/images/{flow_id}/{file_name}`) allows anyone to download images without logging in or proving they own the image (an IDOR, or insecure direct object reference, where attackers access resources by manipulating identifiers). An attacker who knows a flow ID and filename can retrieve private images from any user, potentially exposing sensitive data in multi-tenant setups (systems serving multiple separate customers).
PinchTab is an HTTP server (a program that handles web requests) that lets AI agents control a Chrome web browser. Versions 0.8.2 and earlier have a blind SSRF vulnerability (a flaw where an attacker tricks the server into making requests to internal networks that should be off-limits) in the /download endpoint, because the server only checks the URL once but the browser can follow hidden redirects to reach internal addresses. The risk is limited because the vulnerable feature is disabled by default.
FastGPT (an AI platform for building AI agents) versions 4.14.8.3 and below have a critical security flaw where the fastgpt-preview-image.yml workflow uses pull_request_target (a GitHub feature that runs code with access to repository secrets) but executes code from an external contributor's fork, allowing attackers to run arbitrary code (commands on systems they don't own), steal secrets, and potentially compromise the production container registry (the central storage system for packaged software).
SQLBot, an intelligent data query system that uses a large language model and RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions), has a critical SQL injection vulnerability (a bug where an attacker tricks the system into running unintended database commands) in versions before 1.7.0 that allows authenticated users to execute arbitrary code on the backend server. The vulnerability exists because Excel sheet names are directly inserted into database commands without proper sanitization (cleaning/validation), and attackers can exploit this by uploading specially crafted files to gain complete control of the system.
SQLBot, an AI-based system for querying databases that uses RAG (retrieval-augmented generation, where it pulls in external data to answer questions), has a vulnerability in versions before 1.7.0 that lets attackers read any file from the server. An attacker can exploit the /api/v1/datasource/check endpoint by submitting a fake MySQL connection with a malicious setting, which tricks the server into reading and sending back sensitive files like /etc/passwd when it tries to verify the connection.
SQLBot, a data query system combining AI with RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions), has a critical vulnerability in versions 1.5.0 and below that chains three security gaps: missing permission checks on file uploads, unsanitized storage of user input, and inadequate protections when inserting data into the AI's instructions. An attacker can exploit this to trick the AI into running malicious database commands that give them control over the database server.
Discourse, an open-source discussion platform, has a cross-site scripting vulnerability (XSS, where attackers inject malicious code that runs in a user's browser) in versions before 2026.3.0-latest.1, 2026.2.1, and 2026.1.2. The vulnerability exists because the system trusts output directly from an AI language model and displays it without proper sanitization (cleaning) in the Review Queue interface, allowing attackers to use prompt injection (tricking the AI by hiding instructions in user input) to make the AI generate malicious code that executes when staff members review flagged posts.
CVE-2026-26137 is a server-side request forgery vulnerability (SSRF, a flaw where an attacker tricks a server into making unwanted network requests on their behalf) in Microsoft 365 Copilot's Business Chat that allows an authorized attacker to gain elevated privileges over a network. The vulnerability affects an exclusively hosted service and was published on March 19, 2026.
Fix: Update to version 4.7.0, which patches this vulnerability.
NVD/CVE DatabaseFix: Upgrade to version 1.9.0, which patches the vulnerability. Additionally, the source recommends refactoring affected workflows to use environment variables with double quotes instead of direct interpolation: assign the GitHub context variable to an environment variable first (e.g., `env: BRANCH_NAME: ${{ github.head_ref }}`), then reference it in `run:` steps with double quotes (e.g., `echo "Branch is: \"$BRANCH_NAME\""`), and avoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled values.
NVD/CVE DatabaseFix: Update to version 0.11.4-alpha.2 or later, which contains a patch addressing this vulnerability.
NVD/CVE DatabaseFix: Upgrade to etcd 3.6.9, etcd 3.5.28, or etcd 3.4.42. If upgrading is not immediately possible, restrict network access to etcd server ports so only trusted components can connect, and require strong client identity at the transport layer such as mTLS (mutual TLS, where both client and server verify each other's identity) with tightly scoped client certificate distribution.
GitHub Advisory DatabaseFix: The issue has been patched in version 0.8.3.
NVD/CVE DatabaseFix: Update to version 1.7.0 or later, where this issue has been fixed.
NVD/CVE DatabaseFix: Update to version 1.7.0 or later. The source states: 'This issue was fixed in version 1.7.0.'
NVD/CVE DatabaseLaravel Livewire (a PHP framework for building interactive web applications) contains a code injection vulnerability (a flaw where attackers can insert malicious code into an application) that allows unauthenticated attackers to execute arbitrary commands on affected systems in certain situations. This vulnerability is currently being actively exploited by attackers in the wild.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The due date for remediation is 2026-04-03.
CISA Known Exploited VulnerabilitiesApple's operating systems (watchOS, iOS, iPadOS, macOS, visionOS, and tvOS) contain an improper locking vulnerability (a flaw that fails to properly control access to shared memory between processes), which allows a malicious application to make unexpected changes to memory that multiple programs use. This vulnerability is currently being exploited by attackers in real-world attacks.
Fix: Apply mitigations per Apple's vendor instructions using the provided support links, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The due date for remediation is 2026-04-03.
CISA Known Exploited VulnerabilitiesA buffer overflow vulnerability (a programming error where data overflows its allocated memory space) affects multiple Apple products including watchOS, iOS, iPadOS, macOS, visionOS, and tvOS. A malicious app could exploit this to crash the system or write malicious code directly into kernel memory (the core of the operating system). This vulnerability is actively being exploited by attackers in the wild.
Fix: Apply mitigations per Apple's vendor instructions (referenced in support documents), follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The deadline for remediation is April 3, 2026.
CISA Known Exploited VulnerabilitiesFix: The issue is fixed in v1.6.0.
NVD/CVE DatabaseFix: Update to versions 2026.3.0-latest.1, 2026.2.1, or 2026.1.2, which contain a patch. Alternatively, as a workaround, temporarily disable AI triage automation scripts.
NVD/CVE Database