Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
LibreChat, a ChatGPT alternative with extra features, has a vulnerability in versions before 0.8.3-rc1 where an authenticated attacker can crash the server by sending malformed requests to a specific endpoint. The bug occurs because the code tries to extract data from a request without checking if it exists first, causing an unhandled error (a TypeError, which is a type of programming mistake) that shuts down the entire Node.js server process.
Fix: Update LibreChat to version 0.8.3-rc1 or later, where this vulnerability is fixed.
NVD/CVE DatabaseLibreChat versions 0.8.2 to 0.8.2-rc3 have a security flaw in the MCP (Model Context Protocol, a system for connecting AI models to external services) OAuth callback endpoint that fails to verify the user's identity. An attacker can trick a victim into completing an authorization flow, which stores the victim's OAuth tokens (credentials that grant access to services) on the attacker's account, allowing the attacker to take over the victim's connected services like Atlassian or Outlook.
Graphiti versions before 0.28.2 had a Cypher injection vulnerability (a type of attack where malicious code is hidden in user input to manipulate database queries) in its search filters for non-Kuzu database backends. Attackers could exploit this by providing crafted labels through SearchFilters.node_labels or, in MCP deployments (a system where an AI model can call external tools), through prompt injection (tricking an LLM into executing attacker-controlled commands) to execute arbitrary database operations like reading, modifying, or deleting data.
The ha-mcp OAuth consent form has a cross-site scripting (XSS) vulnerability, where user-controlled data is inserted into HTML without escaping (the process of converting special characters so they display as text rather than execute as code). An attacker could register a malicious application and trick the server operator into visiting a crafted authorization URL, allowing the attacker to run JavaScript in the operator's browser and steal sensitive tokens. This only affects users running the beta OAuth mode, not the standard setup.
FastGPT, an AI Agent building platform, has a vulnerability in its Python Sandbox (fastgpt-sandbox) in version 4.14.7 and earlier where attackers can bypass file-write protections by remapping stdout (the standard output stream) to a different file descriptor using fcntl (a tool for controlling file operations), allowing them to create or overwrite files inside the sandbox container despite intended restrictions.
PingPong is a platform for using LLMs (large language models, AI systems trained on massive amounts of text) in teaching and learning. Before version 7.27.2, authenticated users (those logged in) could potentially access or delete files they shouldn't have permission to see or modify, including private user files and AI-generated outputs. An attacker would need to be logged in and have access to at least one conversation thread to exploit this vulnerability.
Google Cloud Vertex AI (a machine learning platform) had a vulnerability in versions 1.21.0 through 1.132.x where an attacker could create Cloud Storage buckets (cloud storage containers) with predictable names to trick the system into using them, allowing unauthorized access, model theft, and code execution across different customers' environments. The vulnerability has been fixed in version 1.133.0 and later, and no action is required from users.
A stored XSS vulnerability (cross-site scripting, where an attacker injects malicious code that gets saved and runs when others view it) was found in Google's Vertex AI Python SDK visualization tool. An unauthenticated attacker could inject harmful JavaScript code into model evaluation results or dataset files, which would then execute in a victim's Jupyter or Colab environment (cloud-based coding notebooks).
Cloud CLI (a user interface for Claude Code and similar tools) had a critical vulnerability in versions before 1.25.0 where user inputs called projectPath, initialCommand, and sessionId were directly used to build system commands without filtering, allowing attackers to inject arbitrary OS commands (OS command injection, where an attacker tricks the system into running unauthorized commands) through WebSocket connections. This vulnerability has been patched in version 1.25.0.
Cloud CLI (a user interface for AI coding tools like Claude Code and Gemini-CLI) had a vulnerability before version 1.24.0 where attackers who had login access could run unauthorized commands on a computer by manipulating text inputs in Git-related features. This happened because the software used string interpolation (directly inserting user text into commands) without properly checking if the input was safe, which is a type of OS command injection (CWE-78, where an attacker tricks the system into executing arbitrary commands).
Cloud CLI (a user interface for accessing Claude Code and similar tools) has a vulnerability in versions before 1.24.0 where user input in the git configuration endpoint is not properly sanitized before being executed as shell commands. This means an authenticated attacker (someone with login access) could run arbitrary OS commands (commands that do whatever they want on the operating system) by exploiting how backticks, command substitution (${}), and backslashes are interpreted within the double-quoted strings.
Cursor is a code editor designed for programming with AI assistance. Before version 2.0, the software was vulnerable to prompt injection attacks (tricking the AI by hiding malicious instructions in website content), which could bypass the command whitelist (a list of allowed commands) and cause the AI to execute commands without the user's permission. This is a serious security flaw rated as HIGH severity.
CVE-2026-30741 is a remote code execution (RCE, where an attacker can run commands on a system they don't own) vulnerability in OpenClaw Agent Platform v2026.2.6 that can be triggered through a request-side prompt injection attack (tricking the AI by hiding malicious instructions in its input). The vulnerability allows attackers to execute arbitrary code, though a CVSS severity score (a 0-10 rating of how severe a vulnerability is) has not yet been assigned by NIST.
The `@appium/support` library has a bug in its ZIP file extraction code that fails to prevent Zip Slip attacks (a vulnerability where malicious ZIP files use `../` path components to write files outside the intended folder). The security check creates an error message but never throws it, so malicious ZIP entries can write files anywhere the Appium process has permission to write. This affects all JavaScript-based ZIP extractions by default.
Flowise, a tool for building custom AI workflows with a drag-and-drop interface, had a vulnerability before version 3.0.13 where its HTTP Node allowed attackers to perform SSRF (server-side request forgery, forcing a server to make requests to internal resources it shouldn't access) by sending requests to private networks or internal systems that are normally hidden from the public internet. This vulnerability is fixed in 3.0.13.
The MCP Atlassian tool's `confluence_download_attachment` function has a critical vulnerability where it writes downloaded files to any path on the system without checking directory boundaries. An attacker who can upload a malicious attachment to Confluence and call this tool can write arbitrary content anywhere the server process has write permissions, enabling arbitrary code execution (the ability to run any commands on the system), such as by writing a malicious cron job (a scheduled task) to execute automatically.
MCP Atlassian has a server-side request forgery (SSRF, where a server is tricked into making requests to unintended URLs) vulnerability that allows an unauthenticated attacker to force the server to make outbound HTTP requests to any URL by supplying two custom headers without proper validation. This could enable credential theft in cloud environments or allow attackers to probe internal networks and inject malicious content into AI tool results.
The `blockUnsafeOperationsPlugin` in simple-git fails to block unsafe git protocol overrides when the configuration key is written in uppercase or mixed case (like `PROTOCOL.ALLOW` instead of `protocol.allow`), because the security check uses a case-sensitive regex while git itself treats config keys case-insensitively. An attacker who controls arguments passed to git operations can exploit this to enable the `ext::` protocol, which allows arbitrary OS command execution (RCE, remote code execution where an attacker runs commands on a system they don't control).
vLLM has a bypass in its SSRF (server-side request forgery, where an attacker tricks a server into making requests to unintended targets) protection because the validation layer and the HTTP client parse URLs differently. The validation uses urllib3, which treats backslashes as literal characters, but the actual requests use aiohttp with yarl, which interprets backslashes as part of the userinfo section. An attacker can craft a URL like `https://httpbin.org\@evil.com/` that passes validation for httpbin.org but actually connects to evil.com.
Fix: Update to LibreChat version 0.8.3-rc1, where this vulnerability is fixed.
NVD/CVE DatabaseFix: Upgrade to version 0.28.2 or later. Version 0.28.2 added validation of SearchFilters.node_labels, defense-in-depth label validation in shared search-filter constructors, validation of entity node labels in persistence query builders, and validation of group_ids in shared search fulltext helpers. If you cannot upgrade immediately, do not expose Graphiti MCP tools to untrusted users or LLM workflows processing untrusted prompts, avoid passing untrusted values into SearchFilters.node_labels or MCP entity_types, and restrict graph database credentials to minimum required privileges.
GitHub Advisory DatabaseFix: Upgrade to version 7.0.0
GitHub Advisory DatabaseFix: This vulnerability is fixed in version 7.27.2. Users should update PingPong to this version or later.
NVD/CVE DatabaseFix: Mitigations have already been applied to version 1.133.0 and later. Update to Vertex AI Experiments version 1.133.0 or later.
Google Cloud Security BulletinsFix: Update the google-cloud-aiplatform Python SDK to version 1.131.0 or later (released on 2025-12-16) to receive the fix.
Google Cloud Security BulletinsFix: Update Cloud CLI to version 1.25.0 or later, which fixes the OS command injection vulnerability.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 1.24.0. Users should update Cloud CLI to 1.24.0 or later.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 1.24.0. Users should update Cloud CLI to version 1.24.0 or later.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 2.0.
NVD/CVE Databasen8n, a workflow automation tool, has a vulnerability in how it handles dynamically managed code resources (code that is created or modified while the program runs), which allows attackers to execute arbitrary code remotely on affected systems. This vulnerability is currently being actively exploited by attackers in the wild.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services (a government directive for managing cloud security), or discontinue use of the product if mitigations are unavailable.
CISA Known Exploited VulnerabilitiesFix: Update Flowise to version 3.0.13 or later.
NVD/CVE DatabaseFix: Add the `/i` flag to the regex to make it case-insensitive. Change the vulnerable code from `if (!/^\s*protocol(.[a-z]+)?.allow/.test(next))` to `if (!/^\s*protocol(.[a-z]+)?.allow/i.test(next))` in the `preventProtocolOverride` function located in `simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts` at line 24.
GitHub Advisory Database