Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
MaxKB (Max Knowledge Base) is an open source system that answers questions using a large language model and RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions). A reverse shell vulnerability (a security flaw that lets attackers gain control of a system remotely) exists in its function library module and can be exploited by privileged users to create unauthorized access.
Fix: This vulnerability is fixed in v1.10.4-lts. Users should update to this version or later.
NVD/CVE DatabaseBentoML is a Python library for building AI model serving systems, but versions before 1.4.8 had a vulnerability in its runner server that allowed attackers to execute arbitrary code (unauthorized commands) by sending specially crafted requests with specific headers and parameters, potentially giving them full access to the server and its data.
CVE-2025-26644 is a vulnerability in Windows Hello (a biometric authentication system) where its recognition mechanism fails to properly detect or handle adversarial input perturbations (slight changes designed to fool AI systems). This weakness allows a local attacker to spoof someone's identity without authorization.
Cursor (a code editor designed for AI-assisted programming) had a bug in versions 0.45.0 through 0.48.6 where the Cursor Agent (an AI component that can automatically modify files) could be tricked into writing to files outside the workspace the user opened, either through direct user requests or hidden instructions in context. However, the risk was low because exploitation required deliberate prompting and any changes were visible to the user for review.
BentoML v1.4.2 contains a Remote Code Execution (RCE) vulnerability caused by insecure deserialization (unsafe handling of data conversion from storage format back into code objects), which allows unauthenticated users to execute arbitrary code on the server through an unsafe code segment in serde.py. This is a critical security flaw in a Python library used for building AI model serving systems.
CVE-2025-3136 is a memory corruption vulnerability found in PyTorch 2.6.0, specifically in a function that manages GPU memory allocation. The vulnerability requires local access to exploit and has been publicly disclosed, though it is rated as medium severity with a CVSS score (a 0-10 rating of how severe a vulnerability is) of 4.8.
CVE-2025-3121 is a memory corruption vulnerability (where a program accidentally writes data to wrong memory locations) found in PyTorch 2.6.0, specifically in the torch.jit.jit_module_from_flatbuffer function. An attacker with local access (meaning they can run code on the same computer) could exploit this vulnerability, and the exploit details have been publicly disclosed.
CVE-2025-31564 is a SQL injection vulnerability (a type of attack where an attacker inserts malicious database commands into user input) found in the Ai Auto Tool Content Writing Assistant WordPress plugin, versions up to 2.1.7. The vulnerability allows blind SQL injection (SQL attacks where the attacker cannot see direct results but can infer information through application behavior), potentially letting attackers access or manipulate the database.
CVE-2025-31843 is a missing authorization vulnerability (a security flaw where the software fails to properly check if a user has permission to perform an action) in the Wilson OpenAI Tools plugin for WordPress and WooCommerce that affects versions up to 2.1.5. The vulnerability allows attackers to exploit incorrectly configured access controls, meaning they can perform actions they shouldn't be allowed to do.
PyTorch 2.6.0 contains a critical vulnerability (CVE-2025-3001) in the torch.lstm_cell function that causes memory corruption (damage to data stored in a computer's memory) through local manipulation. The vulnerability requires local access to exploit and has been publicly disclosed.
A critical vulnerability (CVE-2025-3000) was found in PyTorch 2.6.0 affecting the torch.jit.script function, which causes memory corruption (damage to data stored in a computer's RAM). The vulnerability can be exploited locally (by someone with access to the same machine) and has already been publicly disclosed, making it a known risk.
CVE-2025-2999 is a critical vulnerability in PyTorch 2.6.0 affecting the torch.nn.utils.rnn.unpack_sequence function, which causes memory corruption (unsafe access to computer memory). An attacker must have local access (ability to run code on the same machine) to exploit this bug, and the vulnerability has already been made public.
PyTorch 2.6.0 contains a critical vulnerability (CVE-2025-2998) in the torch.nn.utils.rnn.pad_packed_sequence function that causes memory corruption (a situation where data in a program's memory is accidentally overwritten or damaged). An attacker with local access (ability to run code on the same machine) can exploit this flaw, and the vulnerability details have been publicly disclosed.
A vulnerability in PyTorch 2.6.0+cu124 affects the torch.mkldnn_max_pool2d function, a component used for processing image data. The vulnerability can cause a denial of service (making a system unavailable), but requires local access to the machine. The vulnerability's real existence is still disputed.
Mesop is a Python-based UI framework for building web applications that has a class pollution vulnerability (a flaw allowing attackers to modify global variables and class attributes at runtime, similar to prototype pollution in JavaScript) in versions before 0.14.1. This vulnerability could cause denial of service attacks (making a service unavailable), identity confusion where attackers impersonate system roles, jailbreak attacks against LLMs (large language models, AI systems that generate text), or potentially remote code execution (running unauthorized commands on a server) depending on how the application is built.
In MLflow (a machine learning workflow tool) version 2.18, administrators can create user accounts without requiring passwords, which violates security best practices and could allow unauthorized access to accounts. This vulnerability is classified under weak password requirements, meaning the system doesn't enforce strong authentication measures.
A CSRF vulnerability (cross-site request forgery, where an attacker tricks a user into performing unwanted actions on a website) exists in the Signup feature of MLflow versions 2.17.0 to 2.20.1, allowing attackers to create unauthorized accounts. This could enable an attacker to perform malicious actions while appearing to be a legitimate user.
MLflow version 2.17.2 has a vulnerability in its `/graphql` endpoint (a web interface for querying data) that allows attackers to perform a denial of service attack (making a service unavailable) by sending large batches of repeated queries. This exhausts all the workers (processes handling requests) that MLflow has available, preventing the application from responding to legitimate requests.
Ollama (an AI model framework) versions 0.3.14 and earlier have a vulnerability where a malicious user can upload a specially crafted GGUF model file (a format for storing AI models) that causes a division by zero error (when code tries to divide a number by zero, crashing the program) in the ggufPadding function, crashing the server and making it unavailable (a Denial of Service attack).
Fix: Update BentoML to version 1.4.8 or later, where this vulnerability is fixed.
NVD/CVE DatabaseFix: This vulnerability is fixed in version 0.48.7.
NVD/CVE DatabaseLangflow versions before 1.3.0 have a code injection vulnerability (a flaw where attackers can insert and run malicious code) in the /api/v1/validate/code endpoint that allows unauthenticated attackers (those without login credentials) to execute arbitrary code by sending specially crafted HTTP requests (formatted messages to the server). This vulnerability is actively being exploited in the wild.
Fix: Update Langflow to version 1.3.0 or later, as referenced in the official release notes at https://github.com/langflow-ai/langflow/releases/tag/1.3.0. If mitigations are unavailable, discontinue use of the product.
NVD/CVE DatabaseFix: This vulnerability is fixed in BentoML version 1.4.3. Users should upgrade from v1.4.2 to v1.4.3 or later.
NVD/CVE DatabaseFix: Users should upgrade to version 0.14.1 to obtain a fix for the issue.
NVD/CVE DatabaseFix: The issue is fixed in version 2.19.0. Users should upgrade MLflow from version 2.18 to version 2.19.0 or later.
NVD/CVE DatabaseFix: A patch is available at https://github.com/mlflow/mlflow/commit/ecfa61cb43d3303589f3b5834fd95991c9706628.
NVD/CVE Database