aisecwatch.com

Real-time AI security monitoring. Tracking AI-related vulnerabilities, safety and security incidents, privacy risks, research developments, and policy changes.

Maintained by

Truong (Jack) Luu

Information Systems Researcher

AI & LLM Vulnerabilities

Security vulnerabilities, privacy incidents, safety concerns, and policy updates affecting LLMs and AI agents.

325 items

GHSA-vg22-4gmj-prxw: PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution

critical, vulnerability, security
May 29, 2026
CVE-2026-47391

PraisonAI's example A2A server (A2A is an agent-to-agent communication protocol) has a critical vulnerability: unauthenticated remote clients can execute arbitrary Python code. The example exposes the server without authentication, binds it to all network interfaces (0.0.0.0), and registers a 'calculate' tool built on Python's eval(), which executes any string passed to it. An attacker can send a crafted request that leads the model to call this unsafe tool, resulting in remote code execution (RCE).

Source: GitHub Advisory Database

GHSA-4mr5-g6f9-cfrh: PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)

critical, vulnerability, security
May 29, 2026
CVE-2026-47392

PraisonAI's `execute_code()` function has a critical sandbox-escape vulnerability that lets attackers execute arbitrary commands on the host system. The escape chains four gaps in the security validation: the `__self__` attribute (which yields the real Python builtins module) is not blocked, the `vars()` function is not restricted, attribute-based function calls bypass the checks, and string concatenation bypasses the string-constant filters. Together these gaps give access to the `__import__` function, from which OS commands can be run, completely defeating the sandbox protection.

Source: GitHub Advisory Database

GHSA-8444-4fhq-fxpq: PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default

critical, vulnerability, security
May 29, 2026
CVE-2026-47393

PraisonAI version 4.6.33 generates a Flask API server with authentication disabled by default when users run `praisonai deploy --type api`. The server exposes endpoints such as `/chat` and `/agents` that accept unauthenticated requests and can execute user-supplied commands with access to the API keys stored in the environment.

Fix: Enable authentication by explicitly setting `APIConfig(auth_enabled=True, auth_token=...)` when deploying the API server.

Source: GitHub Advisory Database

CVE-2026-44650: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

critical, vulnerability, security
May 29, 2026
CVE-2026-44650

SillyTavern is a locally installed interface for interacting with text-generation AI models, image generators, and voice tools. Before version 1.18.0, an attacker could delete the entire user extensions directory without authentication by sending a crafted request to the delete endpoint that bypassed its filename validation (the check meant to reject malicious file paths).

Fix: This vulnerability is fixed in version 1.18.0. Users should update SillyTavern to 1.18.0 or later.

Source: NVD/CVE Database

CVE-2026-44649: SillyTavern is a locally installed user interface that allows users to interact with text generation large language mode

critical, vulnerability, security
May 29, 2026
CVE-2026-44649

SillyTavern, a locally installed interface for interacting with AI language models and image generators, had a vulnerability in versions before 1.18.0: it trusted the HTTP headers used by single sign-on systems (Remote-User and X-Authentik-Username) without verifying that they came from a trusted source. Anyone who could connect directly to SillyTavern could forge these headers to log in as any user, including administrators, without a password. The flaw is only reachable if SSO is explicitly enabled in the configuration.

Fix: Update SillyTavern to version 1.18.0 or later, which fixes the vulnerability.

Source: NVD/CVE Database

CVE-2026-45312: RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injectio

critical, vulnerability, security
May 29, 2026
CVE-2026-45312

RAGFlow, an open-source RAG (retrieval-augmented generation, where an AI pulls in external documents to answer questions) engine, has a Jinja2 template injection vulnerability (untrusted data processed as code by the templating engine) in version 0.24.0 and earlier. Any registered user can exploit the flaw in the prompt generator to run arbitrary OS commands on the server by creating a Canvas workflow with specific components.

Source: NVD/CVE Database

GHSA-mxfr-6hcw-j9rq: Langroid has Prompt to SQL Injection, Leading to RCE

critical, vulnerability, security
May 27, 2026
CVE-2026-25879

Langroid versions before 0.63.0 have a vulnerability where SQLChatAgent (a tool that lets an AI execute SQL queries) can be tricked through prompt injection (malicious instructions hidden in input data) into running dangerous SQL commands. If the database is configured with elevated privileges, an attacker can achieve RCE (remote code execution, where an attacker runs commands on a system they don't own) on the database server, potentially stealing or deleting data.

Fix: Fixed in v0.63.0 by defaulting SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist (a list of approved SQL operations) with a dialect-aware dangerous-pattern blocklist. Users can restore the previous unrestricted behavior by setting allow_dangerous_operations=True, but only for trusted deployments.

Source: GitHub Advisory Database

CVE-2026-7524: IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links duri

critical, vulnerability, security
May 27, 2026
CVE-2026-7524

IBM Langflow OSS (open-source software) versions 1.0.0 through 1.9.1 have a vulnerability that could allow remote code execution (running malicious code on a system from a distance) because symbolic links (shortcuts that point to files) are not properly validated when archive files are extracted. This is a path traversal weakness (CWE-22): an attacker could potentially access or execute files outside the intended directory.

Source: NVD/CVE Database

CVE-2026-45321: TanStack Unspecified Vulnerability

critical, vulnerability, security
May 26, 2026
CVE-2026-45321
🔥 Actively Exploited

TanStack contains a vulnerability that allowed attackers to publish malicious versions of the software to npm (a package repository where developers download code libraries) under the trusted TanStack identity, potentially distributing credential-stealing malware (software that steals login information). This vulnerability is currently being actively exploited by attackers.

Fix: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Source: CISA Known Exploited Vulnerabilities

CVE-2026-44895: GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships

critical, vulnerability, security
May 26, 2026
CVE-2026-44895

GitLab MCP Server (a tool that lets AI agents interact with GitLab) had a critical security flaw in versions before 0.6.0: its HTTP transport exposed an unauthenticated endpoint (a service that processes requests without checking who is calling it) to any website, combined with a misconfiguration that made it reachable from all network interfaces instead of only locally. This allowed attackers from anywhere to make changes to GitLab repositories using the server operator's stored credentials.

Fix: Update GitLab MCP Server to version 0.6.0, which fixes the vulnerability.

Source: NVD/CVE Database

GHSA-f396-4rp4-7v2j: Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host

critical, vulnerability, security
May 21, 2026
CVE-2026-46703

Boxlite, a sandbox service for running containers, has a path traversal vulnerability (attackers can reach files outside the intended boundaries) in how it extracts container images. When processing tar archives, Boxlite doesn't validate symlink targets (the files or directories a shortcut points to), so a malicious container image can write files anywhere on the host system, potentially leading to remote code execution (running unauthorized commands on the computer).

Source: GitHub Advisory Database

GHSA-g6ww-w5j2-r7x3: BoxLite: Permission Bypass Allows Modification of Read-Only Files

critical, vulnerability, security
May 21, 2026
CVE-2026-46695

BoxLite is a sandbox service that runs untrusted code in lightweight virtual machines (VMs, which are isolated computing environments). It claims to protect host files by mounting directories in read-only mode (preventing writes), but the vulnerability bypasses this: BoxLite tells the underlying VM system (libkrun) to mount directories without actually enforcing read-only restrictions, and it doesn't limit container capabilities (special permissions), so malicious code can remount directories as read-write and modify files that should be protected.

Source: GitHub Advisory Database

GHSA-7p85-w9px-jpjp: Twig: PHP code injection via `{% use %}` template name

critical, vulnerability, security
May 21, 2026
CVE-2026-46633

Twig (a PHP template engine) has a vulnerability where template names in `{% use %}` tags aren't properly escaped, allowing attackers to inject arbitrary PHP code that executes when the template cache loads. This bypasses Twig's security sandbox, giving attackers remote code execution (the ability to run commands on the server).

Fix: `Compiler::string()` now escapes single quotes in addition to the characters it previously escaped, preventing template names from breaking out of the surrounding PHP string context.

Source: GitHub Advisory Database

CVE-2026-24207: NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause an authentication bypass. A succes

critical, vulnerability, security
May 20, 2026
CVE-2026-24207

NVIDIA Triton Inference Server has a vulnerability (CVE-2026-24207) where an attacker could bypass authentication (skip the security checks that normally verify who someone is), potentially allowing them to run code, gain higher privileges, change data, crash the service, or steal information. The vulnerability is classified as an authentication bypass using an alternate path or channel (CWE-288, a type of weakness where attackers find a different route into a system that skips proper verification).

Source: NVD/CVE Database

GHSA-6x44-w3xg-hqqf: Coder: PKCS#7 signature bypass in Azure instance identity allows unauthenticated agent token theft

critical, vulnerability, security
May 19, 2026
CVE-2026-46354

Coder's Azure identity verification has a critical flaw: it checks that a certificate comes from a trusted Azure authority but never verifies the actual PKCS#7 signature (the cryptographic stamp that proves the data hasn't been tampered with). An attacker can forge identity data and steal session tokens that grant access to Git keys, OAuth tokens, and secrets. All Coder v2 versions are affected.

Fix: Update to patched versions: v2.33.3, v2.32.2, v2.31.12, v2.30.8, v2.29.13, or v2.24.5. If unable to patch immediately, reconfigure Azure templates to use token authentication instead of azure-instance-identity by setting coder_agent.auth to 'token' and adding CODER_AGENT_TOKEN=${coder_agent.main.token} to environment variables.

Source: GitHub Advisory Database

GHSA-fhh6-4qxv-rpqj: 9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes

critical, vulnerability, security
May 19, 2026
CVE-2026-46339

9router, a tool for managing AI plugins, has a critical vulnerability where two unprotected API endpoints can be chained together to run arbitrary OS commands. The problem is that the authentication middleware (a security check) only protects 8 specific routes, while 40+ routes under `/api/cli-tools/*` and `/api/mcp/*` have no protection, allowing attackers with network access to register malicious commands and then trigger them without any credentials.

Source: GitHub Advisory Database

GHSA-xmpw-2vmm-p4p6: Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

critical, vulnerability, security
May 19, 2026
CVE-2026-45758

An attacker published malicious code in guardrails-ai version 0.10.1 on PyPI (a package repository where developers download Python libraries). PyPI removed it within 2 hours and found no evidence that user data was stolen through this compromise. This is an example of a supply chain attack, where someone harms users by corrupting a widely used software package.

Fix: Downgrade to guardrails-ai==0.10.0, which is unaffected. Alternatively, install from GitHub using `pip install git+https://github.com/guardrails-ai/guardrails.git@v0.10.0`. If you installed 0.10.1, rotate all credentials accessible from that machine (GitHub PATs, cloud provider keys, package registry tokens, API keys) and audit your GitHub account for unauthorized workflows or repositories. Snowglobe and Guardrails Hub users should rotate API keys before 2:00 PM Pacific on May 13, 2026, when all existing keys will be invalidated.

Source: GitHub Advisory Database

CVE-2026-2611: In MLflow version 3.9.0, the MLflow Assistant feature introduced improper origin validation in its /ajax-api endpoints.

critical, vulnerability, security
May 19, 2026
CVE-2026-2611

MLflow version 3.9.0 has a vulnerability in its Assistant feature where the /ajax-api endpoints don't properly validate the origin (the source website making a request). This allows an attacker controlling a malicious webpage to send cross-origin requests (requests from a different domain) to the MLflow Assistant running on a victim's computer, bypass the restrictions meant to allow only local access, and execute arbitrary commands (run any code they choose) through the Claude Code sub-agent.

Fix: Update to MLflow version 3.10.0, where this issue is resolved.

Source: NVD/CVE Database

CVE-2026-4137: In mlflow/mlflow versions prior to 3.11.0, the `get_or_create_nfs_tmp_dir()` function in `mlflow/utils/file_utils.py` cr

critical, vulnerability, security
May 18, 2026
CVE-2026-4137

MLflow versions before 3.11.0 create temporary directories with overly permissive access rights (world-writable or group-writable), allowing local attackers to modify model files and execute arbitrary code when those files are loaded. This is especially dangerous in shared environments such as Databricks, where multiple users access the same network storage.

Fix: Update MLflow to version 3.11.0 or later.

Source: NVD/CVE Database

GHSA-wx9m-wx4f-4cmg: Malicious dropper in mistralai 2.4.6 PyPI package

critical, vulnerability, security
May 18, 2026

Version 2.4.6 of the mistralai package on PyPI contained malicious code that runs when the package is imported on Linux systems: it downloads and executes a file from a remote server. Versions 2.4.5 and earlier are not affected.

Fix: Pin mistralai to version 2.4.5 or earlier. The advisory states: 'Pin mistralai to 2.4.5 or earlier. While the PyPI project is quarantined, install from this repository at a known-good tag, e.g. git+https://github.com/mistralai/client-python.git@v2.4.5.' Additionally, on affected Linux hosts, rotate every credential reachable from the importing process and review host and cloud audit logs for activity from approximately 2026-05-12 00:05 UTC onward.

Source: GitHub Advisory Database

Page 1 of 17