Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.
TanStack contains a vulnerability that allowed attackers to publish malicious versions of the software to npm (a package repository where developers download code libraries) under the trusted TanStack identity, potentially distributing credential-stealing malware (software that steals login information). This vulnerability is currently being actively exploited by attackers.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA Known Exploited VulnerabilitiesA vulnerability (CVE-2026-9540) was found in vllm version 0.19.0 that affects the OpenAI-compatible Serving Path component and can be exploited remotely to cause a denial of service (making a service unavailable by overwhelming it). The vulnerability has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 5.5 (medium severity), and a public exploit is already available.
CVE-2026-41109 is a security flaw in GitHub Copilot and Visual Studio that allows an attacker to bypass a security feature by improperly handling special characters in output, which are then processed by another component (injection, where untrusted data is inserted into code or commands). The vulnerability can be exploited over a network by unauthorized attackers.
A weakness was found in aiwaves-cn agents (software components that perform tasks autonomously) that allows attackers to consume excessive resources on a system, potentially making it slow or unavailable. The vulnerability is in a function called recall_relevant_memories_to_working_memory and can be exploited remotely (from a distance over a network), with the exploit code now publicly available. The developers have been notified but have not yet responded or released a fix.
A vulnerability was found in Langchain-Chatchat (a chatbot framework) up to version 0.3.1.3 in the file upload handler component. The vulnerability involves insufficiently random values (meaning the system doesn't generate unpredictable numbers properly), which could be exploited by someone on the same local network, though the attack is difficult to carry out.
A vulnerability (CVE-2026-7669) was found in SGLang, an open-source project, affecting versions up to 0.5.9. The flaw is in the get_tokenizer function and allows deserialization (converting untrusted data into executable objects), which can be exploited remotely, though it requires high complexity to execute. The vulnerability has a CVSS score (a 0-10 severity rating) of 6.3, classified as medium severity.
A vulnerability (CVE-2026-7644) was found in ChatGPTNextWeb NextChat version 2.16.1 and earlier, affecting the addMcpServer function in the app/mcp/actions.ts file. The flaw allows improper authorization (meaning the system fails to correctly verify who should have access to certain features), and it can be exploited remotely by anyone without needing special permissions. The vulnerability has been publicly disclosed, and the developers have been notified but have not yet responded.
A vulnerability (CVE-2026-7178) was found in ChatGPTNextWeb NextChat up to version 2.16.1 that allows server-side request forgery (SSRF, where an attacker tricks a server into making unwanted requests to other systems) through the storeUrl function in the Artifacts Endpoint. The flaw can be exploited remotely, and the attack code has been made public, though the project developers have not yet responded to the early notification.
A security flaw has been found in ChatGPTNextWeb NextChat up to version 2.16.1 that allows server-side request forgery (SSRF, where an attacker tricks a server into making unwanted requests to other systems). The vulnerability exists in the proxyHandler function and can be exploited remotely, with public exploits already available. The developers have been notified but have not yet responded.
A vulnerability (CVE-2026-7061) was found in Toowiredd chatgpt-mcp-server version 0.1.0 that allows OS command injection (running unauthorized system commands on a server through malicious input) in the MCP/HTTP component. The flaw can be exploited remotely by attackers, and public exploit code is already available, but the developers have not yet responded to the security report.
Gemini CLI had two security vulnerabilities that could allow remote code execution (running malicious code on a system). First, in headless mode (non-interactive environments like CI/CD pipelines), the tool automatically trusted workspace folders and loaded configuration files without verification, which could be exploited through malicious environment variables. Second, the `--yolo` flag bypassed tool allowlisting (restrictions on what commands can run), allowing unrestricted command execution via prompt injection (tricking the AI by hiding instructions in its input). Version 0.39.1 and later now require explicit folder trust and enforce tool allowlisting even in `--yolo` mode.
A serious vulnerability in Oracle Java SE and related products (JAXP component, which handles XML processing) allows attackers on the network to access sensitive data without needing to log in or interact with a user. The flaw affects multiple versions of Java and can be exploited through web services or untrusted code loaded in Java applications, with a CVSS score (0-10 severity rating) of 7.5 indicating high risk for data theft.
A vulnerability (CVE-2026-6608) was found in lm-sys fastchat up to version 0.2.36 in the add_text function of the Arena Side-by-Side View Handler component, which allows incorrect control flow (improper program execution logic) that can be exploited remotely. The root cause was partially fixed in commit 34eca62 for one file, but three other files containing the same issue were not corrected.
A vulnerability was found in lm-sys fastchat (a tool for running AI models) up to version 0.2.36 that allows attackers to consume excessive resources by exploiting the api_generate function in the Worker API Endpoint (the part of the software that handles requests from other programs). The attack can be done remotely over the internet, the vulnerability details have been publicly disclosed, and it may already be exploited.
A security flaw called CVE-2026-6600 was found in Langflow (an AI tool) up to version 1.8.3 that allows cross-site scripting (XSS, where attackers inject malicious code into web pages to trick users). The vulnerability is in a React component (a reusable piece of code in the user interface) that handles message editing, and it can be exploited remotely by someone with login access.
A vulnerability exists in Langflow (an AI application framework) versions up to 1.8.3 in the Model Context Protocol Configuration API, where attackers can manipulate the X-Forwarded-For header (a field that identifies the client's IP address) to perform injection attacks (inserting malicious code into the system). This vulnerability can be exploited remotely, the exploit code is publicly available, and the vendor has not responded to disclosure attempts.
A security vulnerability (CVE-2026-6596) was found in Langflow (an AI tool) version 1.1.0 and earlier, affecting a file upload function in the API. The flaw allows unrestricted file uploads (meaning attackers can upload any type of file without proper checks), and it can be exploited remotely without requiring authentication or user interaction.
A path traversal vulnerability (a weakness that lets attackers access files outside their intended directory) was found in the chatgpt-on-wechat CowAgent software version 2.0.4 and earlier, specifically in the memory API endpoint where it processes a filename argument. This flaw can be exploited remotely by attackers, and proof-of-concept code has already been published online.
Fix: A pull request to fix this issue awaits acceptance (mentioned in the source as pending at https://github.com/vllm-project/vllm/pull/37594).
NVD/CVE Databasen8n-mcp (a tool for connecting AI systems to external services) was logging sensitive information like passwords and API keys when running in HTTP mode (a way to communicate over the internet). When authenticated users made requests to call tools, their secret credentials were written to server logs before being hidden, which could expose them if logs were shared or accessed by unauthorized people. The issue only affected HTTP mode and required authentication, so it couldn't be exploited by random internet users.
Fix: Upgrade to n8n-mcp v2.47.13 or later using either `npx n8n-mcp@latest` (npm) or `docker pull ghcr.io/czlonkowski/n8n-mcp:latest` (Docker). The patch changes how tool arguments are logged by using a `summarizeToolCallArgs` function that records only the structure and size of data, never the actual secret values. As a temporary workaround if you cannot upgrade immediately: restrict HTTP port access through firewall or VPN, limit who can read server logs, or switch to stdio transport mode (`MCP_MODE=stdio`).
GitHub Advisory DatabaseFix: Update to Gemini CLI version 0.39.1 or 0.40.0-preview.3. For workflows running on trusted inputs, set the environment variable `GEMINI_TRUST_WORKSPACE: 'true'` in your GitHub Actions workflow. For workflows processing untrusted inputs, review the guidance at https://github.com/google-github-actions/run-gemini-cli to harden your workflow against malicious content and set the same environment variable after implementing appropriate security measures. If you have specified a specific version of gemini_cli, upgrade to one of the patched versions and audit your workflow settings.
GitHub Advisory DatabaseMarimo has a pre-authorization remote code execution vulnerability (RCE, where an attacker can run commands on a system they don't own) that allows unauthenticated attackers to gain shell access and execute arbitrary commands without needing to log in first. This vulnerability is actively being exploited in real-world attacks.
Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CISA Known Exploited VulnerabilitiesFix: Install the patch identified by commit c9e84b89c91d45191dc24466888de526fa04cf33. Note that commit ff66426 patched the api_generate function in base_model_worker.py but missed other entry points (other places in the code where the same issue occurs).
NVD/CVE DatabaseFix: Upgrading to version 2.0.5 mitigates this issue. The patch identifier is 174ee0cafc9e8e9d97a23c305418251485b8aa89.
NVD/CVE Database