Monthly
Indirect prompt injection in Eclipse Theia versions prior to 1.71.0 allows attackers who control a workspace's filesystem layout to coerce the built-in AI chat agent into executing attacker-supplied instructions, enabling data exfiltration through Markdown image rendering or arbitrary command execution through task definitions. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high impact across confidentiality, integrity and availability once a developer opens an untrusted repository. The flaw is reported by the Eclipse Foundation and fixed in version 1.71.0.
{{ github.event.issue.user.login }}, which means any logged-in GitHub user who opens an issue can reach this agentic workflow with attacker-controlled content. Untrusted issue title and body content are embedded directly into the prompt of anthropics/claude-code-action, and the workflow then runs a command-capable Claude agent with permission to comment on and relabel the current issue via gh. Because this workflow is triggered automatically on issues.opened, an external attacker can submit a crafted issue that steers the agent beyond its intended issue-triage purpose and influences authenticated issue actions. This vulnerability is fixed in 2.4.1.
Prompt injection in 1millionbot Millie chatbot allows remote attackers to bypass chat restrictions using Boolean logic techniques, enabling retrieval of prohibited information and execution of unintended tasks including potential abuse of OpenAI API keys. The vulnerability exploits insufficient input validation in the LLM's containment mechanisms, permitting attackers to reformulate queries in ways that trigger affirmative responses ('true') that then execute injected instructions outside the chatbot's intended scope.
Indirect prompt injection in Eclipse Theia versions prior to 1.71.0 allows attackers who control a workspace's filesystem layout to coerce the built-in AI chat agent into executing attacker-supplied instructions, enabling data exfiltration through Markdown image rendering or arbitrary command execution through task definitions. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high impact across confidentiality, integrity and availability once a developer opens an untrusted repository. The flaw is reported by the Eclipse Foundation and fixed in version 1.71.0.
{{ github.event.issue.user.login }}, which means any logged-in GitHub user who opens an issue can reach this agentic workflow with attacker-controlled content. Untrusted issue title and body content are embedded directly into the prompt of anthropics/claude-code-action, and the workflow then runs a command-capable Claude agent with permission to comment on and relabel the current issue via gh. Because this workflow is triggered automatically on issues.opened, an external attacker can submit a crafted issue that steers the agent beyond its intended issue-triage purpose and influences authenticated issue actions. This vulnerability is fixed in 2.4.1.
Prompt injection in 1millionbot Millie chatbot allows remote attackers to bypass chat restrictions using Boolean logic techniques, enabling retrieval of prohibited information and execution of unintended tasks including potential abuse of OpenAI API keys. The vulnerability exploits insufficient input validation in the LLM's containment mechanisms, permitting attackers to reformulate queries in ways that trigger affirmative responses ('true') that then execute injected instructions outside the chatbot's intended scope.