AI / ML
Monthly
RCE in D-Tale pandas data visualizer before 3.20.0 via /save-column-filter. Patch available.
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. [CVSS 6.5 MEDIUM]
eBay API MCP Server's ebay_set_user_tokens tool fails to validate environment variable inputs in the updateEnvFile function, allowing authenticated attackers to inject arbitrary variables into the .env configuration file. An attacker with login credentials can exploit this to overwrite existing configurations, trigger denial of service conditions, or achieve remote code execution through malicious environment variable injection. No patch is currently available for this vulnerability affecting all versions of the AI/ML product.
OpenShift versions 1.1.2-alpha and below suffer from a race condition in local JSON persistence that allows authenticated local users to corrupt data stores or cause loss of updates across sessions, study materials, quizzes, and authentication records. The vulnerability stems from non-atomic and insufficiently synchronized file operations that can be exploited through concurrent access to the application's local storage. No patch is currently available.
OpenSift versions 1.1.2-alpha and below allow authenticated attackers to abuse the URL ingest feature's overly permissive server-side request functionality to probe or access private and local network resources from the OpenSift host. The vulnerability requires valid credentials but no user interaction, enabling attackers to enumerate or interact with internal infrastructure not otherwise accessible. No patch is currently available, though version 1.1.3-alpha contains a fix.
Stored cross-site scripting in OpenSift versions 1.1.2-alpha and below allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by injecting malicious content into study materials, quizzes, or flashcards that render without proper HTML sanitization. An attacker with the ability to create or modify stored content could perform unauthorized actions within authenticated user sessions. No patch is currently available for this vulnerability.
Query injection in @langchain/langgraph-checkpoint-redis allows authenticated users to manipulate RediSearch filter logic by injecting special syntax characters into user-provided keys and values, potentially bypassing access controls. An attacker with valid credentials could craft malicious filter parameters to alter query behavior and access unintended data. The vulnerability affects LangGraph checkpoint implementations using Redis storage and is fixed in version 1.0.2.
Missing Authorization vulnerability in cliengo Cliengo - Chatbot cliengo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cliengo - Chatbot: from n/a through <= 3.0.4. [CVSS 6.5 MEDIUM]
OpenClaw versions prior to 2026.2.15 contain a stored XSS vulnerability in the Control UI where unsanitized assistant identity values (name/avatar) are injected into inline script tags, allowing authenticated attackers with high privileges to break out of the script context and execute arbitrary JavaScript. Public exploit code exists for this vulnerability. The issue has been remediated in version 2026.2.15 through removal of inline scripts and implementation of a restrictive Content Security Policy.
OpenClaw versions prior to 2026.2.15 allow authenticated administrators to write files outside the skill installation directory due to insufficient validation of the targetDir parameter during skill installation. An admin user could exploit this path traversal vulnerability to place malicious files in arbitrary locations on the system. A patch is available in version 2026.2.15 and later.
OpenClaw AI assistant versions prior to 2026.2.15 allow local authenticated users to access session transcripts across peer accounts in multi-user shared-agent deployments due to insufficient session targeting restrictions. Additionally, Telegram webhook mode may fail to properly validate per-account secrets, potentially allowing unauthorized webhook access. The vulnerability primarily impacts multi-user environments with untrusted peers, while single-user or trusted deployments face limited practical risk.
OpenClaw versions prior to 2026.2.15 expose Telegram bot tokens in error messages and logs without redaction, allowing attackers who gain access to these logs to impersonate the bot and hijack its API access. This credential disclosure affects users of the AI assistant across systems where logs, crash reports, or support bundles are generated. Users must upgrade to version 2026.2.15 and rotate exposed Telegram bot tokens immediately.
Configuration injection in OpenClaw Docker sandbox before 2026.2.15 allows escaping sandbox restrictions. Patch available.
OpenClaw versions prior to 2026.2.15 fail to sanitize workspace directory paths before injecting them into LLM prompts, allowing local attackers with execution privileges to inject malicious instructions through control characters and Unicode markers in directory names. An attacker can exploit this prompt injection vulnerability to manipulate the AI assistant's behavior and execute unintended commands. A patch is available in version 2026.2.15 and later.
OpenClaw versions 2026.1.12 through 2026.2.13 contain a path traversal vulnerability in the browser download helper that allows authenticated users with CLI access or valid gateway RPC tokens to write files outside the intended temporary downloads directory. An attacker with these credentials can exploit unsanitized output paths to place arbitrary files on the system. Version 2026.2.13 and later contain the fix.
OpenClaw versions prior to 2026.2.14 allow authenticated users to read arbitrary files from the Gateway host through path traversal in the browser tool's upload functionality. An attacker with valid Gateway credentials and browser tool permissions can supply absolute or traversal paths to bypass file access restrictions and access sensitive files. This vulnerability requires authentication and browser tool enablement but presents a high confidentiality risk to affected deployments.
OpenClaw versions prior to 2026.2.14 allow authenticated users to bypass group authorization policies by leveraging direct message trust credentials in group contexts, enabling unauthorized access to restricted group conversations. An attacker with valid credentials could exploit improper policy enforcement in iMessage groupPolicy=allowlist configurations to gain unauthorized visibility into protected group communications. A patch is available in version 2026.2.14 and later.
OpenClaw's mDNS/Bonjour discovery beacons transmit unauthenticated TXT records that iOS, macOS, and Android clients treat as authoritative for routing and TLS certificate pinning, allowing an attacker on a shared LAN to advertise a rogue service and redirect connections to attacker-controlled endpoints. An attacker can exploit this to bypass TLS pinning validation and potentially capture Gateway credentials through man-in-the-middle attacks. The vulnerability affects OpenClaw versions prior to 2026.2.14 and requires network proximity but no user interaction.
OpenClaw versions prior to 2026.2.14 expose sensitive configuration secrets through the skills.status endpoint to clients with operator.read privileges, allowing authenticated attackers to retrieve raw credential values including Discord tokens. The vulnerability affects AI/ML deployments where read-scoped access is intended to be non-sensitive; affected users should upgrade to version 2026.2.14 or later and rotate any exposed Discord tokens.
OpenClaw versions before 2026.2.14 allow attackers with execution privileges to bypass command allowlist controls on node host deployments by exploiting a mismatch between validated and executed commands, potentially enabling execution of unapproved system commands. The vulnerability only affects configurations using node host execution paths with allowlist-based security policies and approval prompting. A patch is available in version 2026.2.14 which enforces consistency validation.
OpenClaw prior to version 2026.2.14 fails to properly validate IPv6-formatted addresses in its SSRF protection, allowing attackers to bypass restrictions and access loopback and private network resources that should be blocked. An unauthenticated remote attacker can exploit this by crafting requests using IPv4-mapped IPv6 literals to reach restricted endpoints. The vulnerability has been patched in version 2026.2.14.
Arbitrary command execution in OpenClaw versions 2026.1.8 through 2026.2.13 allows attackers to execute shell commands when developers or CI systems run the update-clawtributors.ts maintenance script on repositories containing malicious commit metadata. The vulnerability stems from unsanitized interpolation of git author emails into shell commands via execSync, exploitable only by those with access to the development environment or source repository. Version 2026.2.14 patches the issue.
OpenClaw versions prior to 2026.2.14 fail to validate the gatewayUrl parameter in the Gateway tool, allowing authenticated users or operators to redirect WebSocket connections to arbitrary targets and potentially access internal resources. This vulnerability requires authentication and the ability to invoke specific tool calls, limiting exposure to trusted users and automated systems rather than anonymous attackers. An attacker with these privileges could establish unauthorized outbound connections from the OpenClaw host, compromising confidentiality and potentially enabling further network-based attacks.
OpenClaw's Feishu extension prior to version 2026.2.14 improperly handles `mediaUrl` parameters by treating attacker-controlled values as local filesystem paths, enabling unauthorized file read access. An attacker who can influence tool calls through direct manipulation or prompt injection could exfiltrate sensitive files like `/etc/passwd`. This high-severity path traversal vulnerability (CWE-22) is resolved in version 2026.2.14 and later, which implements proper access controls and routes media loading through hardened helpers.
OpenClaw macOS desktop client versions 2026.2.6 through 2026.2.13 fail to fully display message content in confirmation dialogs for deep links, allowing attackers to hide malicious payloads behind whitespace that users cannot see before execution. When a user approves the truncated preview and clicks "Run," the full hidden message executes, potentially leading to arbitrary command execution depending on the user's configured permissions. This affects beta versions of the OpenClaw AI assistant on macOS where the openclaw:// URL scheme is registered without proper authentication.
OpenClaw's Telnyx voice-call webhook handler fails to validate webhook signatures when the public key is not configured, allowing unauthenticated attackers to forge arbitrary Telnyx events. This affects only deployments with the Voice Call plugin installed, enabled, and publicly accessible, enabling attackers to inject malicious voice-call events into the system. A patch is available.
OpenClaw versions prior to 2026.2.14 lack proper Cross-Origin Request Forgery (CSRF) protections on localhost mutation endpoints, allowing malicious websites to trigger unauthorized actions against a victim's local AI assistant instance such as opening tabs, modifying storage, or controlling browser functions. The vulnerability affects the browser control plane through cross-origin requests initiated from the victim's browser context, despite the service's loopback binding. Version 2026.2.14 and later mitigate this by validating Origin/Referer headers and rejecting mutating requests from cross-site origins.
OpenClaw is a personal AI assistant. [CVSS 7.5 HIGH]
SillyTavern versions before 1.16.0 contain a server-side request forgery (SSRF) vulnerability in the asset download endpoint that allows authenticated users to make arbitrary HTTP requests from the server and access internal services, cloud metadata, and private network resources. Public exploit code exists for this vulnerability, which can be mitigated by upgrading to version 1.16.0 or configuring domain whitelisting in the config.yaml file.
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. [CVSS 7.3 HIGH]
Stored XSS in Open WebUI prior to version 0.7.0 allows authenticated users to inject malicious HTML payloads into chat document metadata, which execute in the browser when citations are previewed or viewed in shared chats. Public exploit code exists for this vulnerability, and an attacker with login access can compromise any user who interacts with their weaponized chat documents. Upgrade to version 0.7.0 or later to remediate.
Skill Scanner versions 1.0.1 and earlier expose an unauthenticated API endpoint due to improper interface binding, allowing remote attackers to trigger memory exhaustion or upload arbitrary files to the affected system. An attacker can exploit this without authentication by sending crafted API requests to the exposed server. A patch is available to address this network-accessible vulnerability.
Remote code execution in Microsoft Semantic Kernel Python SDK before 1.39.4. Code injection in the AI orchestration framework. Patch available.
Penci AI SmartContent Creator version 2.0 and earlier contains an authorization bypass vulnerability that allows authenticated users to perform unauthorized actions due to improperly configured access controls. An attacker with valid credentials could exploit this to modify data or functionality they should not have access to. No patch is currently available for this issue.
The echo-knowledge-base plugin through version 16.011.0 fails to properly enforce access controls, enabling authenticated users to modify content they should not have permission to change. An attacker with valid login credentials could exploit misconfigured authorization rules to alter documentation or FAQ entries within the knowledge base system.
WP Wand AI Content Generation plugin for WordPress versions up to 1.3.07 contains an authorization bypass that allows authenticated users to modify or disable plugin functionality through improper access control enforcement. An attacker with user-level credentials can exploit this vulnerability to cause service disruption or data integrity issues. No patch is currently available.
Improper access control in Alt Text AI versions up to 1.10.15 enables unauthenticated remote attackers to cause denial of service through misconfigured authorization checks. The vulnerability allows an attacker to disrupt service availability without requiring authentication or user interaction. No patch is currently available for this issue.
Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant is affected by missing authorization (CVSS 5.3).
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSecret` is not configured, allowing attackers with network access to the webhook endpoint to forge Telegram messages and trigger unintended bot actions. Public exploit code exists for this vulnerability. Affected deployments must upgrade to version 2026.2.1 or later, or ensure the webhook endpoint is not reachable by untrusted networks.
The Smartsupp - live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
Ffmpeg contains a vulnerability that allows attackers to a double-free condition, potentially causing FFmpeg or any application using it (CVSS 3.3).
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework for all platforms contains a vulnerability in a voice-preprocessing script, where malicious input created by an attacker could cause a code injection. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework for all platforms contains a vulnerability in the ASR Evaluator utility, where a user could cause a command injection by supplying crafted input to a configuration parameter. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 8.0 HIGH]
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution in distributed environments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by loading a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
Insufficient input validation in the Gutenberg Blocks with AI by Kadence WP plugin allows authenticated contributors and above to perform server-side request forgery against GetResponse API endpoints, potentially exposing sensitive data like contacts and campaigns stored on the site. The vulnerability stems from overly permissive access controls that grant the dangerous `endpoint` parameter manipulation to users with only Contributor-level privileges instead of requiring administrator access. Attackers can also extract the site's stored GetResponse API credentials from request headers during exploitation.
JeecgBoot 3.9.1's RAG knowledge controller fails to properly validate ZIP file imports, allowing authenticated remote attackers to trigger unsafe deserialization with public exploit code available. The vulnerability requires authentication and complex attack execution but could enable information disclosure or integrity compromise. No patch is currently available from the vendor.
Server-side request forgery in Deepaudit versions up to 3.0.3 allows authenticated remote attackers to manipulate the IP Address Handler component in the embedding configuration endpoint, potentially enabling them to perform arbitrary network requests from the affected server. The vulnerability requires valid credentials but no user interaction, affecting the AI/ML product's backend services. Upgrading to version 3.0.4 or later resolves this issue.
Unauthenticated API access in Milvus vector database before 2.5.27/2.6.10. TCP port 9091 exposed by default without authentication. EPSS 0.32% with PoC and patch available.
Cursor versions before 2.5 allow sandbox escape through improper .git configuration file protections, enabling malicious prompts or agents to write git hooks that execute arbitrary code when git commands are triggered. An attacker can achieve remote code execution without user interaction since git automatically executes these hooks, potentially compromising systems where Cursor is used for AI-assisted development. A patch is available in version 2.5.
FastGPT's web and HTTP data acquisition nodes fail to properly validate internal network addresses, allowing unauthenticated remote attackers to bypass network isolation controls and access sensitive internal resources. This vulnerability affects FastGPT versions prior to 4.14.7 and requires user interaction to exploit. The vulnerability has a CVSS score of 5.4 and currently has no available patch.
Remote code execution in AutoGPT prior to version 0.6.48 allows authenticated users to execute arbitrary Python code on the backend server by embedding a disabled BlockInstallationBlock within a workflow graph, bypassing validation controls that only checked the disabled flag at direct execution endpoints. An attacker with valid credentials can exploit this to gain full control over the backend system and automate malicious workflows. The vulnerability has been patched in version 0.6.48 and all users should upgrade immediately.
Dify versions prior to 1.13.0 contain a stored cross-site scripting vulnerability in the chat frontend's echarts integration that executes malicious JavaScript payloads embedded in user or LLM-generated inputs. An attacker can exploit this to perform actions in the context of other users' browsers, potentially stealing session tokens or conducting phishing attacks. Public exploit code exists for this vulnerability, though a patch is available in version 1.13.0 and later.
RecursiveUrlLoader in LangChain Community prior to 1.1.14 uses weak string-based URL validation that allows attackers to bypass the preventOutside crawling restriction by crafting domains with matching prefixes, potentially exposing the crawler to malicious or internal infrastructure endpoints. An attacker controlling a crawled webpage could inject links to cloud metadata services or private IP ranges, which the crawler would follow without validation, leading to information disclosure.
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability...
AutoGPT platform versions before 0.6.32 contain a regular expression denial of service vulnerability in the Code Extraction Block due to overlapping quantifiers that cause catastrophic backtracking when processing whitespace-heavy inputs. Authenticated attackers can exploit this by submitting malicious input with long sequences of spaces to trigger excessive regex processing, causing the service to become unavailable. Public exploit code exists for this vulnerability, and a patch is available in version 0.6.32 and later.
Unauthenticated access to the FastGPT plugin API endpoint (FastGPT/api/plugin/xxx) in versions 4.14.0 through 4.14.5 allows remote attackers to disrupt plugin functionality and cause loss of plugin installation state without authentication. The vulnerability affects the AI/ML platform's plugin system availability and integrity, though sensitive data such as cryptographic keys are not exposed. A patch is available in version 4.14.5-fix.
Authenticated users can exploit a race condition in GitHub Copilot and Visual Studio Code to execute arbitrary code remotely by manipulating file state between verification and use. This vulnerability affects users with network access to these development tools and requires user interaction to trigger. No patch is currently available to address this high-severity flaw.
GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers to bypass security features over the network through improper neutralization of special command elements. The vulnerability requires user interaction to exploit and could enable attackers to execute arbitrary commands with high impact on confidentiality, integrity, and availability. No patch is currently available for this issue.
GitHub Copilot is vulnerable to command injection attacks that enable remote code execution without requiring authentication or user interaction beyond a click. An attacker can exploit this network-accessible vulnerability to execute arbitrary commands on affected systems. No patch is currently available for this high-severity vulnerability.
GitHub Copilot and Visual Studio 2022 contain a command injection vulnerability that allows authenticated users to execute arbitrary commands through improper sanitization of special elements. An attacker with valid credentials can leverage user interaction to escalate privileges and gain elevated access across the network. No patch is currently available for this vulnerability.
Remote code execution in GitHub Copilot and Visual Studio 2022 via command injection allows unauthenticated attackers to execute arbitrary code over the network with user interaction. The vulnerability stems from improper sanitization of special elements in commands, enabling attackers to break out of intended command contexts and inject malicious payloads. No patch is currently available for this high-severity issue affecting both development environments.
Uncontrolled search path for some AI Playground before version 2.6.1 beta within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowl...
Authenticated attackers can inject malicious JavaScript into Flowring's AgentFlow platform that persists and executes in other users' browsers when they load affected pages, potentially compromising user sessions and data. This stored cross-site scripting vulnerability affects the AI/ML and Agentflow products and requires user interaction to trigger, though no patch is currently available.
Reflected XSS in AgentFlow enables unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers during phishing campaigns, potentially compromising user sessions and data. The vulnerability affects the AI/ML platform with no patch currently available, requiring users to rely on defensive measures such as email filtering and user awareness training.
Agentflow versions up to - is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Missing authentication in Flowring Agentflow allows unauthenticated attackers to read, modify, and delete data. Second auth bypass CVE.
Stored cross-site scripting in the Fluent Forms WordPress plugin's AI Form Builder module (versions up to 6.1.14) enables authenticated subscribers to inject malicious scripts that execute for all users viewing affected forms through missing authorization checks, leaked nonces, and insufficient input sanitization of AI-generated content. An attacker with subscriber-level access can exploit this to perform actions on behalf of administrators or steal sensitive information from form viewers. The vulnerability affects WordPress installations using this plugin and has no patch currently available.
LangSmith Client SDKs for Python and AI/ML platforms are susceptible to server-side request forgery through malicious HTTP baggage headers that allow attackers to redirect trace data exfiltration to attacker-controlled endpoints. An unauthenticated attacker can inject arbitrary api_url values during distributed tracing operations, causing the SDK to send sensitive trace data outside the intended infrastructure. No patch is currently available for this medium-severity vulnerability.
Python code execution through Pyodide in the mcp-run-python library lacks isolation from the JavaScript environment, enabling attackers to manipulate the JS runtime and hijack MCP server functionality. This allows adversaries to perform malicious operations including tool shadowing and potential server compromise through crafted Python payloads. No patch is available as the project is archived.
Pydantic-AI's MCP Run Python tool uses an insufficiently restrictive Deno sandbox configuration that permits Python code to access the host's localhost interface, enabling Server-Side Request Forgery (SSRF) attacks. An attacker can exploit this to probe or interact with services running on the local machine that should be isolated from external access. The archived project status means no patch is expected to be released.
GitLab AI Gateway's Duo Workflow Service has a CVSS 9.9 server-side template injection enabling code execution through the AI workflow system.
Maigret Mcp Server versions up to 1.0.12. contains a vulnerability that allows attackers to command injection (CVSS 6.3).
Enclave versions up to 2.10.1 is affected by loop with unreachable exit condition (infinite loop) (CVSS 8.8).
Arbitrary file append vulnerability in Qdrant vector database versions 1.9.3 through 1.15.x allows authenticated users with minimal read-only privileges to write to arbitrary files through an unsanitized log file path parameter in the /logger endpoint. Public exploit code exists for this vulnerability, enabling attackers to corrupt system files or inject malicious content with high impact to confidentiality, integrity, and availability. The issue is resolved in version 1.16.0.
OpenClaw prior to version 2026.1.20 allows local unauthenticated attackers to execute arbitrary commands as the gateway user by exploiting the WebSocket API to inject malicious command paths through the config.apply function. The vulnerability stems from insufficient validation of the cliPath parameter, which is subsequently used for command discovery without proper sanitization. No patch is currently available for affected versions.
Microsoft Semantic Kernel SDK has a CVSS 9.9 path traversal vulnerability enabling AI agents to access arbitrary files outside their intended scope.
Unauthenticated attackers can exploit arbitrary attribute access in MCP Salesforce Connector versions prior to 0.1.10 to extract sensitive Salesforce authentication tokens. This vulnerability requires only network access with no user interaction, enabling complete disclosure of credentials used for Salesforce API integration. Organizations using affected versions should upgrade to 0.1.10 immediately.
Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code execution outside the intended sandbox boundary.
Claude Code versions prior to 2.0.55 insufficiently validate piped sed commands, permitting authenticated users to circumvent file write protections and deposit files in restricted directories including .claude folders and locations outside project scope. An attacker with access to the "accept edits" feature can exploit this to write malicious content to sensitive areas of the system. A patch is available in version 2.0.55 and later.
Claude Code prior to version 2.0.57 failed to properly validate MCP tool inputs, allowing malicious MCP servers to inject commands through tool responses.
OrcaStatLLM Researcher is an LLM Based Research Paper Generator. [CVSS 5.4 MEDIUM]
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.32, there is a DoS vulnerability in ReadRSSFeedBlock. [CVSS 6.5 MEDIUM]
AutoGPT platform versions prior to v0.6.46 expose API keys and authentication secrets in application logs due to insecure logging of decrypted credentials across three Stagehand integration blocks. Authenticated users can access these plaintext secrets through log files, enabling credential theft and unauthorized access to integrated services. Public exploit code exists for this vulnerability, though a patch is available in v0.6.46 and later.
RCE in D-Tale pandas data visualizer before 3.20.0 via /save-column-filter. Patch available.
When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. [CVSS 6.5 MEDIUM]
eBay API MCP Server's ebay_set_user_tokens tool fails to validate environment variable inputs in the updateEnvFile function, allowing authenticated attackers to inject arbitrary variables into the .env configuration file. An attacker with login credentials can exploit this to overwrite existing configurations, trigger denial of service conditions, or achieve remote code execution through malicious environment variable injection. No patch is currently available for this vulnerability affecting all versions of the AI/ML product.
OpenShift versions 1.1.2-alpha and below suffer from a race condition in local JSON persistence that allows authenticated local users to corrupt data stores or cause loss of updates across sessions, study materials, quizzes, and authentication records. The vulnerability stems from non-atomic and insufficiently synchronized file operations that can be exploited through concurrent access to the application's local storage. No patch is currently available.
OpenSift versions 1.1.2-alpha and below allow authenticated attackers to abuse the URL ingest feature's overly permissive server-side request functionality to probe or access private and local network resources from the OpenSift host. The vulnerability requires valid credentials but no user interaction, enabling attackers to enumerate or interact with internal infrastructure not otherwise accessible. No patch is currently available, though version 1.1.3-alpha contains a fix.
Stored cross-site scripting in OpenSift versions 1.1.2-alpha and below allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by injecting malicious content into study materials, quizzes, or flashcards that render without proper HTML sanitization. An attacker with the ability to create or modify stored content could perform unauthorized actions within authenticated user sessions. No patch is currently available for this vulnerability.
Query injection in @langchain/langgraph-checkpoint-redis allows authenticated users to manipulate RediSearch filter logic by injecting special syntax characters into user-provided keys and values, potentially bypassing access controls. An attacker with valid credentials could craft malicious filter parameters to alter query behavior and access unintended data. The vulnerability affects LangGraph checkpoint implementations using Redis storage and is fixed in version 1.0.2.
Missing Authorization vulnerability in cliengo Cliengo - Chatbot cliengo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cliengo - Chatbot: from n/a through <= 3.0.4. [CVSS 6.5 MEDIUM]
OpenClaw versions prior to 2026.2.15 contain a stored XSS vulnerability in the Control UI where unsanitized assistant identity values (name/avatar) are injected into inline script tags, allowing authenticated attackers with high privileges to break out of the script context and execute arbitrary JavaScript. Public exploit code exists for this vulnerability. The issue has been remediated in version 2026.2.15 through removal of inline scripts and implementation of a restrictive Content Security Policy.
OpenClaw versions prior to 2026.2.15 allow authenticated administrators to write files outside the skill installation directory due to insufficient validation of the targetDir parameter during skill installation. An admin user could exploit this path traversal vulnerability to place malicious files in arbitrary locations on the system. A patch is available in version 2026.2.15 and later.
OpenClaw AI assistant versions prior to 2026.2.15 allow local authenticated users to access session transcripts across peer accounts in multi-user shared-agent deployments due to insufficient session targeting restrictions. Additionally, Telegram webhook mode may fail to properly validate per-account secrets, potentially allowing unauthorized webhook access. The vulnerability primarily impacts multi-user environments with untrusted peers, while single-user or trusted deployments face limited practical risk.
OpenClaw versions prior to 2026.2.15 expose Telegram bot tokens in error messages and logs without redaction, allowing attackers who gain access to these logs to impersonate the bot and hijack its API access. This credential disclosure affects users of the AI assistant across systems where logs, crash reports, or support bundles are generated. Users must upgrade to version 2026.2.15 and rotate exposed Telegram bot tokens immediately.
Configuration injection in OpenClaw Docker sandbox before 2026.2.15 allows escaping sandbox restrictions. Patch available.
OpenClaw versions prior to 2026.2.15 fail to sanitize workspace directory paths before injecting them into LLM prompts, allowing local attackers with execution privileges to inject malicious instructions through control characters and Unicode markers in directory names. An attacker can exploit this prompt injection vulnerability to manipulate the AI assistant's behavior and execute unintended commands. A patch is available in version 2026.2.15 and later.
OpenClaw versions 2026.1.12 through 2026.2.13 contain a path traversal vulnerability in the browser download helper that allows authenticated users with CLI access or valid gateway RPC tokens to write files outside the intended temporary downloads directory. An attacker with these credentials can exploit unsanitized output paths to place arbitrary files on the system. Version 2026.2.13 and later contain the fix.
OpenClaw versions prior to 2026.2.14 allow authenticated users to read arbitrary files from the Gateway host through path traversal in the browser tool's upload functionality. An attacker with valid Gateway credentials and browser tool permissions can supply absolute or traversal paths to bypass file access restrictions and access sensitive files. This vulnerability requires authentication and browser tool enablement but presents a high confidentiality risk to affected deployments.
OpenClaw versions prior to 2026.2.14 allow authenticated users to bypass group authorization policies by leveraging direct message trust credentials in group contexts, enabling unauthorized access to restricted group conversations. An attacker with valid credentials could exploit improper policy enforcement in iMessage groupPolicy=allowlist configurations to gain unauthorized visibility into protected group communications. A patch is available in version 2026.2.14 and later.
OpenClaw's mDNS/Bonjour discovery beacons transmit unauthenticated TXT records that iOS, macOS, and Android clients treat as authoritative for routing and TLS certificate pinning, allowing an attacker on a shared LAN to advertise a rogue service and redirect connections to attacker-controlled endpoints. An attacker can exploit this to bypass TLS pinning validation and potentially capture Gateway credentials through man-in-the-middle attacks. The vulnerability affects OpenClaw versions prior to 2026.2.14 and requires network proximity but no user interaction.
OpenClaw versions prior to 2026.2.14 expose sensitive configuration secrets through the skills.status endpoint to clients with operator.read privileges, allowing authenticated attackers to retrieve raw credential values including Discord tokens. The vulnerability affects AI/ML deployments where read-scoped access is intended to be non-sensitive; affected users should upgrade to version 2026.2.14 or later and rotate any exposed Discord tokens.
OpenClaw versions before 2026.2.14 allow attackers with execution privileges to bypass command allowlist controls on node host deployments by exploiting a mismatch between validated and executed commands, potentially enabling execution of unapproved system commands. The vulnerability only affects configurations using node host execution paths with allowlist-based security policies and approval prompting. A patch is available in version 2026.2.14 which enforces consistency validation.
OpenClaw prior to version 2026.2.14 fails to properly validate IPv6-formatted addresses in its SSRF protection, allowing attackers to bypass restrictions and access loopback and private network resources that should be blocked. An unauthenticated remote attacker can exploit this by crafting requests using IPv4-mapped IPv6 literals to reach restricted endpoints. The vulnerability has been patched in version 2026.2.14.
Arbitrary command execution in OpenClaw versions 2026.1.8 through 2026.2.13 allows attackers to execute shell commands when developers or CI systems run the update-clawtributors.ts maintenance script on repositories containing malicious commit metadata. The vulnerability stems from unsanitized interpolation of git author emails into shell commands via execSync, exploitable only by those with access to the development environment or source repository. Version 2026.2.14 patches the issue.
OpenClaw versions prior to 2026.2.14 fail to validate the gatewayUrl parameter in the Gateway tool, allowing authenticated users or operators to redirect WebSocket connections to arbitrary targets and potentially access internal resources. This vulnerability requires authentication and the ability to invoke specific tool calls, limiting exposure to trusted users and automated systems rather than anonymous attackers. An attacker with these privileges could establish unauthorized outbound connections from the OpenClaw host, compromising confidentiality and potentially enabling further network-based attacks.
OpenClaw's Feishu extension prior to version 2026.2.14 improperly handles `mediaUrl` parameters by treating attacker-controlled values as local filesystem paths, enabling unauthorized file read access. An attacker who can influence tool calls through direct manipulation or prompt injection could exfiltrate sensitive files like `/etc/passwd`. This high-severity path traversal vulnerability (CWE-22) is resolved in version 2026.2.14 and later, which implements proper access controls and routes media loading through hardened helpers.
OpenClaw macOS desktop client versions 2026.2.6 through 2026.2.13 fail to fully display message content in confirmation dialogs for deep links, allowing attackers to hide malicious payloads behind whitespace that users cannot see before execution. When a user approves the truncated preview and clicks "Run," the full hidden message executes, potentially leading to arbitrary command execution depending on the user's configured permissions. This affects beta versions of the OpenClaw AI assistant on macOS where the openclaw:// URL scheme is registered without proper authentication.
OpenClaw's Telnyx voice-call webhook handler fails to validate webhook signatures when the public key is not configured, allowing unauthenticated attackers to forge arbitrary Telnyx events. This affects only deployments with the Voice Call plugin installed, enabled, and publicly accessible, enabling attackers to inject malicious voice-call events into the system. A patch is available.
OpenClaw versions prior to 2026.2.14 lack proper Cross-Origin Request Forgery (CSRF) protections on localhost mutation endpoints, allowing malicious websites to trigger unauthorized actions against a victim's local AI assistant instance such as opening tabs, modifying storage, or controlling browser functions. The vulnerability affects the browser control plane through cross-origin requests initiated from the victim's browser context, despite the service's loopback binding. Version 2026.2.14 and later mitigate this by validating Origin/Referer headers and rejecting mutating requests from cross-site origins.
OpenClaw is a personal AI assistant. [CVSS 7.5 HIGH]
SillyTavern versions before 1.16.0 contain a server-side request forgery (SSRF) vulnerability in the asset download endpoint that allows authenticated users to make arbitrary HTTP requests from the server and access internal services, cloud metadata, and private network resources. Public exploit code exists for this vulnerability, which can be mitigated by upgrading to version 1.16.0 or configuring domain whitelisting in the config.yaml file.
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. [CVSS 7.3 HIGH]
Stored XSS in Open WebUI prior to version 0.7.0 allows authenticated users to inject malicious HTML payloads into chat document metadata, which execute in the browser when citations are previewed or viewed in shared chats. Public exploit code exists for this vulnerability, and an attacker with login access can compromise any user who interacts with their weaponized chat documents. Upgrade to version 0.7.0 or later to remediate.
Skill Scanner versions 1.0.1 and earlier expose an unauthenticated API endpoint due to improper interface binding, allowing remote attackers to trigger memory exhaustion or upload arbitrary files to the affected system. An attacker can exploit this without authentication by sending crafted API requests to the exposed server. A patch is available to address this network-accessible vulnerability.
Remote code execution in Microsoft Semantic Kernel Python SDK before 1.39.4. Code injection in the AI orchestration framework. Patch available.
Penci AI SmartContent Creator version 2.0 and earlier contains an authorization bypass vulnerability that allows authenticated users to perform unauthorized actions due to improperly configured access controls. An attacker with valid credentials could exploit this to modify data or functionality they should not have access to. No patch is currently available for this issue.
The echo-knowledge-base plugin through version 16.011.0 fails to properly enforce access controls, enabling authenticated users to modify content they should not have permission to change. An attacker with valid login credentials could exploit misconfigured authorization rules to alter documentation or FAQ entries within the knowledge base system.
WP Wand AI Content Generation plugin for WordPress versions up to 1.3.07 contains an authorization bypass that allows authenticated users to modify or disable plugin functionality through improper access control enforcement. An attacker with user-level credentials can exploit this vulnerability to cause service disruption or data integrity issues. No patch is currently available.
Improper access control in Alt Text AI versions up to 1.10.15 enables unauthenticated remote attackers to cause denial of service through misconfigured authorization checks. The vulnerability allows an attacker to disrupt service availability without requiring authentication or user interaction. No patch is currently available for this issue.
Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant is affected by missing authorization (CVSS 5.3).
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSecret` is not configured, allowing attackers with network access to the webhook endpoint to forge Telegram messages and trigger unintended bot actions. Public exploit code exists for this vulnerability. Affected deployments must upgrade to version 2026.2.1 or later, or ensure the webhook endpoint is not reachable by untrusted networks.
The Smartsupp - live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]
Ffmpeg contains a vulnerability that allows attackers to a double-free condition, potentially causing FFmpeg or any application using it (CVSS 3.3).
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework for all platforms contains a vulnerability in a voice-preprocessing script, where malicious input created by an attacker could cause a code injection. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework for all platforms contains a vulnerability in the ASR Evaluator utility, where a user could cause a command injection by supplying crafted input to a configuration parameter. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 8.0 HIGH]
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution in distributed environments. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by loading a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
NVIDIA NeMo Framework contains a vulnerability where malicious data created by an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
Insufficient input validation in the Gutenberg Blocks with AI by Kadence WP plugin allows authenticated contributors and above to perform server-side request forgery against GetResponse API endpoints, potentially exposing sensitive data like contacts and campaigns stored on the site. The vulnerability stems from overly permissive access controls that grant the dangerous `endpoint` parameter manipulation to users with only Contributor-level privileges instead of requiring administrator access. Attackers can also extract the site's stored GetResponse API credentials from request headers during exploitation.
JeecgBoot 3.9.1's RAG knowledge controller fails to properly validate ZIP file imports, allowing authenticated remote attackers to trigger unsafe deserialization with public exploit code available. The vulnerability requires authentication and complex attack execution but could enable information disclosure or integrity compromise. No patch is currently available from the vendor.
Server-side request forgery in Deepaudit versions up to 3.0.3 allows authenticated remote attackers to manipulate the IP Address Handler component in the embedding configuration endpoint, potentially enabling them to perform arbitrary network requests from the affected server. The vulnerability requires valid credentials but no user interaction, affecting the AI/ML product's backend services. Upgrading to version 3.0.4 or later resolves this issue.
Unauthenticated API access in Milvus vector database before 2.5.27/2.6.10. TCP port 9091 exposed by default without authentication. EPSS 0.32% with PoC and patch available.
Cursor versions before 2.5 allow sandbox escape through improper .git configuration file protections, enabling malicious prompts or agents to write git hooks that execute arbitrary code when git commands are triggered. An attacker can achieve remote code execution without user interaction since git automatically executes these hooks, potentially compromising systems where Cursor is used for AI-assisted development. A patch is available in version 2.5.
FastGPT's web and HTTP data acquisition nodes fail to properly validate internal network addresses, allowing unauthenticated remote attackers to bypass network isolation controls and access sensitive internal resources. This vulnerability affects FastGPT versions prior to 4.14.7 and requires user interaction to exploit. The vulnerability has a CVSS score of 5.4 and currently has no available patch.
Remote code execution in AutoGPT prior to version 0.6.48 allows authenticated users to execute arbitrary Python code on the backend server by embedding a disabled BlockInstallationBlock within a workflow graph, bypassing validation controls that only checked the disabled flag at direct execution endpoints. An attacker with valid credentials can exploit this to gain full control over the backend system and automate malicious workflows. The vulnerability has been patched in version 0.6.48 and all users should upgrade immediately.
Dify versions prior to 1.13.0 contain a stored cross-site scripting vulnerability in the chat frontend's echarts integration that executes malicious JavaScript payloads embedded in user or LLM-generated inputs. An attacker can exploit this to perform actions in the context of other users' browsers, potentially stealing session tokens or conducting phishing attacks. Public exploit code exists for this vulnerability, though a patch is available in version 1.13.0 and later.
RecursiveUrlLoader in LangChain Community prior to 1.1.14 uses weak string-based URL validation that allows attackers to bypass the preventOutside crawling restriction by crafting domains with matching prefixes, potentially exposing the crawler to malicious or internal infrastructure endpoints. An attacker controlling a crawled webpage could inject links to cloud metadata services or private IP ranges, which the crawler would follow without validation, leading to information disclosure.
LangChain is a framework for building agents and LLM-powered applications. Prior to 1.2.11, the ChatOpenAI.get_num_tokens_from_messages() method fetches arbitrary image_url values without validation when computing token counts for vision-enabled models. This allows attackers to trigger Server-Side Request Forgery (SSRF) attacks by providing malicious image URLs in user input. This vulnerability...
AutoGPT platform versions before 0.6.32 contain a regular expression denial of service vulnerability in the Code Extraction Block due to overlapping quantifiers that cause catastrophic backtracking when processing whitespace-heavy inputs. Authenticated attackers can exploit this by submitting malicious input with long sequences of spaces to trigger excessive regex processing, causing the service to become unavailable. Public exploit code exists for this vulnerability, and a patch is available in version 0.6.32 and later.
Unauthenticated access to the FastGPT plugin API endpoint (FastGPT/api/plugin/xxx) in versions 4.14.0 through 4.14.5 allows remote attackers to disrupt plugin functionality and cause loss of plugin installation state without authentication. The vulnerability affects the AI/ML platform's plugin system availability and integrity, though sensitive data such as cryptographic keys are not exposed. A patch is available in version 4.14.5-fix.
Authenticated users can exploit a race condition in GitHub Copilot and Visual Studio Code to execute arbitrary code remotely by manipulating file state between verification and use. This vulnerability affects users with network access to these development tools and requires user interaction to trigger. No patch is currently available to address this high-severity flaw.
GitHub Copilot and Visual Studio Code are vulnerable to command injection attacks that allow unauthenticated attackers to bypass security features over the network through improper neutralization of special command elements. The vulnerability requires user interaction to exploit and could enable attackers to execute arbitrary commands with high impact on confidentiality, integrity, and availability. No patch is currently available for this issue.
GitHub Copilot is vulnerable to command injection attacks that enable remote code execution without requiring authentication or user interaction beyond a click. An attacker can exploit this network-accessible vulnerability to execute arbitrary commands on affected systems. No patch is currently available for this high-severity vulnerability.
GitHub Copilot and Visual Studio 2022 contain a command injection vulnerability that allows authenticated users to execute arbitrary commands through improper sanitization of special elements. An attacker with valid credentials can leverage user interaction to escalate privileges and gain elevated access across the network. No patch is currently available for this vulnerability.
Remote code execution in GitHub Copilot and Visual Studio 2022 via command injection allows unauthenticated attackers to execute arbitrary code over the network with user interaction. The vulnerability stems from improper sanitization of special elements in commands, enabling attackers to break out of intended command contexts and inject malicious payloads. No patch is currently available for this high-severity issue affecting both development environments.
Uncontrolled search path for some AI Playground before version 2.6.1 beta within Ring 3: User Applications may allow an escalation of privilege. Unprivileged software adversary with an authenticated user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local access when attack requirements are present without special internal knowl...
Authenticated attackers can inject malicious JavaScript into Flowring's AgentFlow platform that persists and executes in other users' browsers when they load affected pages, potentially compromising user sessions and data. This stored cross-site scripting vulnerability affects the AI/ML and Agentflow products and requires user interaction to trigger, though no patch is currently available.
Reflected XSS in AgentFlow enables unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers during phishing campaigns, potentially compromising user sessions and data. The vulnerability affects the AI/ML platform with no patch currently available, requiring users to rely on defensive measures such as email filtering and user awareness training.
Agentflow versions up to - is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
Missing authentication in Flowring Agentflow allows unauthenticated attackers to read, modify, and delete data. Second auth bypass CVE.
Stored cross-site scripting in the Fluent Forms WordPress plugin's AI Form Builder module (versions up to 6.1.14) enables authenticated subscribers to inject malicious scripts that execute for all users viewing affected forms through missing authorization checks, leaked nonces, and insufficient input sanitization of AI-generated content. An attacker with subscriber-level access can exploit this to perform actions on behalf of administrators or steal sensitive information from form viewers. The vulnerability affects WordPress installations using this plugin and has no patch currently available.
LangSmith Client SDKs for Python and AI/ML platforms are susceptible to server-side request forgery through malicious HTTP baggage headers that allow attackers to redirect trace data exfiltration to attacker-controlled endpoints. An unauthenticated attacker can inject arbitrary api_url values during distributed tracing operations, causing the SDK to send sensitive trace data outside the intended infrastructure. No patch is currently available for this medium-severity vulnerability.
Python code execution through Pyodide in the mcp-run-python library lacks isolation from the JavaScript environment, enabling attackers to manipulate the JS runtime and hijack MCP server functionality. This allows adversaries to perform malicious operations including tool shadowing and potential server compromise through crafted Python payloads. No patch is available as the project is archived.
Pydantic-AI's MCP Run Python tool uses an insufficiently restrictive Deno sandbox configuration that permits Python code to access the host's localhost interface, enabling Server-Side Request Forgery (SSRF) attacks. An attacker can exploit this to probe or interact with services running on the local machine that should be isolated from external access. The archived project status means no patch is expected to be released.
GitLab AI Gateway's Duo Workflow Service has a CVSS 9.9 server-side template injection enabling code execution through the AI workflow system.
Maigret Mcp Server versions up to 1.0.12. contains a vulnerability that allows attackers to command injection (CVSS 6.3).
Enclave versions up to 2.10.1 is affected by loop with unreachable exit condition (infinite loop) (CVSS 8.8).
Arbitrary file append vulnerability in Qdrant vector database versions 1.9.3 through 1.15.x allows authenticated users with minimal read-only privileges to write to arbitrary files through an unsanitized log file path parameter in the /logger endpoint. Public exploit code exists for this vulnerability, enabling attackers to corrupt system files or inject malicious content with high impact to confidentiality, integrity, and availability. The issue is resolved in version 1.16.0.
OpenClaw prior to version 2026.1.20 allows local unauthenticated attackers to execute arbitrary commands as the gateway user by exploiting the WebSocket API to inject malicious command paths through the config.apply function. The vulnerability stems from insufficient validation of the cliPath parameter, which is subsequently used for command discovery without proper sanitization. No patch is currently available for affected versions.
Microsoft Semantic Kernel SDK has a CVSS 9.9 path traversal vulnerability enabling AI agents to access arbitrary files outside their intended scope.
Unauthenticated attackers can exploit arbitrary attribute access in MCP Salesforce Connector versions prior to 0.1.10 to extract sensitive Salesforce authentication tokens. This vulnerability requires only network access with no user interaction, enabling complete disclosure of credentials used for Salesforce API integration. Organizations using affected versions should upgrade to 0.1.10 immediately.
Claude Code prior to version 2.1.2 has a CVSS 10.0 sandbox escape in the bubblewrap sandboxing mechanism, allowing code execution outside the intended sandbox boundary.
Claude Code versions prior to 2.0.55 insufficiently validate piped sed commands, permitting authenticated users to circumvent file write protections and deposit files in restricted directories including .claude folders and locations outside project scope. An attacker with access to the "accept edits" feature can exploit this to write malicious content to sensitive areas of the system. A patch is available in version 2.0.55 and later.
Claude Code prior to version 2.0.57 failed to properly validate MCP tool inputs, allowing malicious MCP servers to inject commands through tool responses.
OrcaStatLLM Researcher is an LLM Based Research Paper Generator. [CVSS 5.4 MEDIUM]
AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.32, there is a DoS vulnerability in ReadRSSFeedBlock. [CVSS 6.5 MEDIUM]
AutoGPT platform versions prior to v0.6.46 expose API keys and authentication secrets in application logs due to insecure logging of decrypted credentials across three Stagehand integration blocks. Authenticated users can access these plaintext secrets through log files, enabling credential theft and unauthorized access to integrated services. Public exploit code exists for this vulnerability, though a patch is available in v0.6.46 and later.