AI / ML
Monthly
AutoGPT has a second SSRF vulnerability (CVSS 9.8) in a different endpoint, providing an additional path to access internal network resources.
AutoGPT has a Server-Side Request Forgery vulnerability (CVSS 9.8) allowing unauthenticated attackers to make the AI platform access internal network resources.
Langroid LLM framework prior to 0.5 has a code injection vulnerability (CVSS 9.6) allowing attackers to execute arbitrary code through the AI agent system.
OpenClaw versions prior to 2026.1.30 suffer from a path traversal vulnerability in the isValidMedia() function that permits authenticated agents to read arbitrary files on the system by crafting malicious MEDIA output directives. An attacker with agent access can leverage this flaw to exfiltrate sensitive data accessible to the application process. Public exploit code exists for this vulnerability, and no patch is currently available.
OpenClaw AI assistant versions prior to 2026.1.29 contain two command injection vulnerabilities: unescaped user input in SSH project paths allows remote code execution on SSH hosts, and insufficient validation of SSH target parameters enables local command execution through malicious flag injection. An attacker can exploit these flaws to achieve arbitrary code execution either remotely via SSH or locally on the system running OpenClaw.
N8N versions up to 1.118.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
n8n is an open source workflow automation platform. [CVSS 8.1 HIGH]
Stored cross-site scripting in n8n's markdown rendering component allows authenticated users to inject malicious scripts into workflows and sticky notes that execute with session privileges when viewed by other users. An attacker with workflow modification permissions can exploit this to hijack sessions and compromise accounts of users who interact with affected workflows. Versions 1.123.9 and 2.2.1 contain fixes for this vulnerability.
n8n has a command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands through workflow definitions.
n8n has a TOCTOU race condition vulnerability (CVSS 9.9) enabling bypass of execution restrictions in workflow processing.
Improper Content Security Policy enforcement in n8n workflow automation allows authenticated users to inject persistent XSS payloads into webhook responses that execute with same-origin privileges when other users access the affected workflows. An attacker with workflow creation/modification permissions could exploit this to hijack sessions and compromise user accounts. The vulnerability affects n8n versions prior to 1.123.2.
n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.
Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command parsing defect that bypasses the execution confirmation prompt via malicious find command syntax. An attacker with the ability to inject untrusted content into a Claude Code context can trigger unintended command execution with high impact to confidentiality, integrity, and availability. No patch is currently available for affected deployments.
Claude Code versions prior to 2.0.74 allow authenticated users to write files outside designated directories by exploiting inadequate Bash command validation in ZSH clobber syntax parsing. An attacker with the ability to inject malicious content into a Claude Code context window on a ZSH-based system can bypass file restrictions and achieve unauthorized file writes without triggering user permission prompts. This vulnerability requires user interaction and ZSH environment configuration, making it suitable for supply chain or prompt injection attacks against Claude Code users.
Claude Code versions prior to 1.0.111 fail to properly validate trusted domains for WebFetch requests, allowing attackers to register lookalike domains (e.g., modelcontextprotocol.io.example.com) that bypass validation checks. This enables unauthorized automated requests to attacker-controlled servers without user interaction, potentially resulting in sensitive data exfiltration from the user's environment. The vulnerability affects Claude Code's agentic coding functionality and requires upgrading to version 1.0.111 or later to remediate.
Local code injection in NVIDIA Megatron-LM allows authenticated users to achieve arbitrary code execution and privilege escalation through malicious input to vulnerable scripts. An attacker with local access can craft specially designed data to trigger unsafe code evaluation, enabling complete system compromise including data theft and modification. No patch is currently available for this vulnerability affecting all supported platforms.
A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. [CVSS 7.3 HIGH]
Command injection in OpenClaw's Docker sandbox execution allows authenticated users to manipulate the PATH environment variable and execute arbitrary commands within containers prior to version 2026.1.29. An attacker with valid credentials and ability to control environment variables could achieve code execution within the containerized AI assistant. A patch is available in version 2026.1.29 and later.
Amazon SageMaker Python SDK versions prior to v2.256.0 or v3.1.1 disable TLS certificate verification when importing Triton Python models, enabling attackers to perform man-in-the-middle attacks by presenting invalid or self-signed certificates. This vulnerability affects organizations using the affected SDK versions for model imports over HTTPS connections. No patch is currently available for this vulnerability.
Amazon SageMaker Python SDK versions before 3.2.0 and 2.256.0 expose the ModelBuilder HMAC signing key in cleartext API responses, allowing authenticated users with S3 bucket write access to inject malicious artifacts into training jobs that execute with elevated privileges. An attacker with dual permissions to call the DescribeTrainingJob API and modify the training output S3 location can achieve arbitrary code execution when the compromised job runs. No patch is currently available for this vulnerability.
Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index. This attack requir...
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. [CVSS 8.8 HIGH]
Lunary contains a vulnerability that allows attackers to delete prompts created in other organizations through ID manipulation (CVSS 6.5).
Multiple command injection vulnerabilities in CAI (Cybersecurity AI) framework up to 0.5.10 allow OS command execution through the security testing platform.
Remote code execution in AutoGPT Platform prior to v0.6.44 allows authenticated users to execute disabled blocks and write arbitrary Python code to the server filesystem. The vulnerability stems from insufficient validation of the disabled flag in block execution endpoints, enabling attackers to achieve code execution via the BlockInstallationBlock component. Public exploit code exists, and self-hosted instances with Supabase signup enabled are particularly vulnerable to account creation and exploitation.
An input validation vulnerability in the flow.Tensor.new_empty/flow.Tensor.new_ones/flow.Tensor.new_zeros component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.2 MEDIUM]
An input validation vulnerability in the flow.scatter/flow.scatter_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted indices. [CVSS 6.2 MEDIUM]
Oneflow versions up to 0.9.0 contains a vulnerability that allows attackers to cause a Denial of Service (DoS) via a crafted input (CVSS 6.2).
An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]
A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]
A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]
A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]
An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]
A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. [CVSS 4.4 MEDIUM]
Discourse is an open source discussion platform. [CVSS 5.4 MEDIUM]
Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.
Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary files from the server filesystem. PoC available, patch available.
The AI Engine plugin for WordPress versions up to 3.3.2 contains a server-side request forgery vulnerability in the 'get_audio' function that allows authenticated subscribers and higher-privileged users to make arbitrary web requests from the server. When the Public API setting is enabled and allow_url_fopen is active, attackers can query and modify data on internal services accessible to the web application. No patch is currently available for this vulnerability.
NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through crafted workflow expressions.
AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity.
Anythingllm versions up to 1.10.0 contains a vulnerability that allows attackers to complete compromise of the semantic search / retrieval functionality and indirec (CVSS 7.5).
BentoML versions prior to 1.4.34 allow path traversal attacks through improperly validated file path fields in bentofile.yaml configurations, enabling attackers to embed arbitrary files from the victim's system into bento archives during the build process. This vulnerability can be exploited to exfiltrate sensitive data such as credentials, SSH keys, and environment variables into supply chain artifacts that may be pushed to registries or deployed in production environments. A patch is available in version 1.4.34.
Arbitrary file upload in Kalrav AI Agent WordPress plugin due to missing file type validation in the kalrav_upload_file AJAX action.
Stored XSS in ChatterMate AI chatbot framework versions 1.0.8 and below. The chatbot accepts and renders malicious HTML/JavaScript from user input. PoC and patch available.
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]
Upsonic has an insecure deserialization via cloudpickle (EPSS 1.3%) enabling remote code execution through crafted serialized AI agent data.
Remote code execution in Langflow's disk cache service allows authenticated attackers to execute arbitrary code by exploiting improper deserialization of untrusted data. The vulnerability affects Langflow installations and requires valid authentication credentials to exploit, enabling attackers to gain code execution within the service account context. No patch is currently available.
Langflow's PythonFunction component allows authenticated attackers with user interaction to inject and execute arbitrary Python code within application workflows, achieving remote code execution. The vulnerability affects Langflow deployments using Python-based AI/ML components, with exploitation feasibility depending on specific product configurations. No patch is currently available.
Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes in the application's global scope.
Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted custom component definitions.
Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the visual AI workflow builder.
Remote code execution in Open WebUI through the load_tool_module_by_id function allows authenticated attackers to execute arbitrary Python code due to insufficient input validation on user-supplied strings. An attacker with valid credentials can leverage this vulnerability to achieve code execution with service account privileges. No patch is currently available, making this a critical risk for deployed Open WebUI instances.
Remote code execution in Open WebUI's install_frontmatter_requirements function allows authenticated attackers to execute arbitrary commands on the host system by bypassing input validation in system call parameters. The vulnerability affects AI/ML deployments using Open WebUI and requires valid authentication credentials to exploit. No patch is currently available.
GPT Academic has a second insecure deserialization vulnerability in the upload function (EPSS 1.5%) allowing remote code execution through crafted file uploads.
GPT Academic has an insecure deserialization in run_in_subprocess_wrapper_func (EPSS 1.7%) enabling remote code execution through crafted subprocess data.
Remote code execution in GPT Academic's stream_daas function results from improper deserialization of untrusted data when communicating with external servers, allowing unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability requires interaction with a malicious DAAS server and currently has no available patch. Organizations using GPT Academic should implement network controls to restrict connections to untrusted DAAS services until patching is available.
MetaGPT has a code injection vulnerability in actionoutput_str_to_mapping (EPSS 2.6%) allowing remote attackers to execute arbitrary code through crafted AI agent output processing.
MetaGPT by Foundation Agents has an insecure deserialization in deserialize_message (EPSS 1.7%) enabling remote code execution through crafted serialized data in AI agent communications.
Katana Network Development Starter Kit has a command injection in executeCommand enabling remote code execution through the development framework.
mcp-server-siri-shortcuts fails to validate the shortcutName parameter before using it in system calls, enabling local attackers with low-privileged code execution to inject arbitrary commands and escalate to service account privileges. This command injection vulnerability (CVE-2026-0758, CVSS 7.8) affects the AI/ML tool and currently lacks a patch. An attacker exploiting this flaw can execute arbitrary code with elevated privileges on the affected system.
MCP Manager for Claude Desktop is vulnerable to command injection through improperly validated MCP config objects, enabling remote attackers to escape the sandbox and execute arbitrary code on affected systems. The vulnerability requires user interaction such as visiting a malicious page or opening a malicious file, and currently lacks an available patch. An attacker can leverage this flaw to achieve code execution with medium integrity privileges in the context of the running process.
github-kanban-mcp-server has a command injection in execAsync (EPSS 1.0%) enabling remote code execution on developer machines using the GitHub Kanban MCP integration.
gemini-mcp-tool has a command injection in execAsync allowing remote code execution on systems using the Gemini AI MCP integration.
Ollama MCP Server has a command injection vulnerability in execAsync (EPSS 1.0%) allowing remote attackers to execute arbitrary commands on systems running the Ollama AI integration.
Framelink Figma MCP Server has a command injection vulnerability in fetchWithRetry (EPSS 1.4%) enabling remote code execution on developer machines using the MCP integration.
Information disclosure in Microsoft 365 Word Copilot enables unauthenticated attackers to extract sensitive data through improper handling of escape and control sequences in network communications. The vulnerability requires user interaction to trigger and affects the Copilot AI/ML service with a CVSS score of 7.4. No patch is currently available.
Unauthenticated attackers can remotely access sensitive information in Microsoft Copilot Studio due to improper access controls, requiring no authentication or user interaction. This network-based vulnerability exposes confidential data to unauthorized disclosure with no patch currently available.
Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. [CVSS 7.4 HIGH]
Langfuse versions 3.146.0 and below allow unauthenticated attackers to hijack Slack OAuth integrations by injecting arbitrary projectIds into the /api/public/slack/install endpoint, enabling them to bind malicious Slack workspaces to any project and intercept prompt management data. An attacker can replace existing Prompt Slack Automations or pre-register malicious integrations that execute when authenticated users unknowingly configure them. Public exploit code exists for this vulnerability, which affects the DNS and AI/ML components of the Langfuse platform.
Grist spreadsheet software has an injection vulnerability in Python formula execution that allows authenticated users to escape the formula sandbox and execute arbitrary code.
CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 8.8 HIGH]
CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]
Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious repositories that redirect API calls to attacker-controlled servers before the trust confirmation dialog appears. When a victim opens an infected repository, the tool automatically reads malicious configuration settings and sends API requests containing credentials before displaying any security prompt, enabling credential theft. Users should upgrade to version 2.0.65 or later, though auto-update users have already received the patch.
SQLBot is an intelligent data query system based on a large language model and RAG. [CVSS 6.1 MEDIUM]
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata [CVSS 7.5 HIGH]
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder [CVSS 7.5 HIGH]
NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
Improper permission validation in CrawlChat versions prior to 0.0.8 allows unauthenticated Discord guild members to inject malicious content into the bot's knowledge base through the jigsaw emoji feature, enabling attackers to manipulate chatbot responses across all integrations and redirect users to malicious sites. The vulnerability affects the AI/ML platform's ability to maintain knowledge base integrity, as normal users can bypass intended admin-only controls. Public exploit code exists for this issue, though a patch is available.
ChatterBot versions through 1.2.10 suffer from denial-of-service vulnerabilities due to improper connection pool management that allows attackers to exhaust database connections through concurrent requests to the get_response() method, causing persistent service unavailability. Public exploit code exists for this vulnerability, which affects all deployments of the affected ChatterBot versions and requires manual service restart to recover. ChatterBot 1.2.11 addresses this issue.
Stored XSS in LobeChat's Mermaid artifact renderer prior to version 2.0.0-next.180 enables attackers to execute arbitrary JavaScript, which can be escalated to remote code execution through the exposed electronAPI IPC bridge to run system commands. This affects users of the open source chat platform running vulnerable versions, requiring local interaction and high privileges to exploit but resulting in full system compromise. No patch is currently available.
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox restrictions and execute arbitrary code on the underlying operating system, with full instance takeover possible in Internal execution mode. Public exploit code exists for this vulnerability, which affects n8n deployments running under Internal execution mode where the Python executor has direct OS access. External execution mode deployments using Docker sidecars have reduced impact as code execution is confined to the container rather than the main node.
MCPJam Inspector versions 1.4.2 and earlier allow unauthenticated remote code execution through missing authentication in the MCP server debugging platform, with EPSS 17.2% indicating active scanning.
Dask distributed is a distributed task scheduler for Dask. [CVSS 6.1 MEDIUM]
Dive, an MCP Host Desktop Application for LLM integration, allows code injection prior to version 0.13.0 through malicious tool responses, enabling attackers to execute arbitrary code on the user's machine.
TheLibrarian's web_fetch tool can expose the Adminer interface, enabling unauthenticated remote attackers to obtain credentials for the internal backend system. This high-severity vulnerability affects AI/ML deployments and TheLibrarian installations, with no patch currently available. An attacker with network access could leverage the exposed interface to gain unauthorized administrative access to the backend infrastructure.
The Librarian's web_fetch tool can access the supervisord status page, exposing information about running backend processes to unauthenticated remote attackers. This information disclosure vulnerability (CVSS 7.3) affects AI/ML deployments and could enable attackers to map internal service architecture and identify targets for further exploitation. No patch is currently available for this vulnerability.
The Librarian's web_fetch tool can be exploited via SSRF to perform unauthorized GET requests against internal IP addresses and cloud services within the Hertzner environment, allowing attackers to conduct port scanning and reconnaissance of the infrastructure. This unauthenticated network-based attack requires no user interaction and could expose sensitive internal services and their configurations. While the vendor has released patches, exploitation remains possible on unpatched instances.
The Librarian's web_fetch tool permits attackers to retrieve arbitrary external content and proxy requests through the application's infrastructure without authentication, resulting in information disclosure. This network-accessible vulnerability affects all versions of The Librarian AI/ML product and has high severity due to its ease of exploitation and potential for infrastructure abuse. A vendor patch is currently unavailable.
AutoGPT has a second SSRF vulnerability (CVSS 9.8) in a different endpoint, providing an additional path to access internal network resources.
AutoGPT has a Server-Side Request Forgery vulnerability (CVSS 9.8) allowing unauthenticated attackers to make the AI platform access internal network resources.
Langroid LLM framework prior to 0.5 has a code injection vulnerability (CVSS 9.6) allowing attackers to execute arbitrary code through the AI agent system.
OpenClaw versions prior to 2026.1.30 suffer from a path traversal vulnerability in the isValidMedia() function that permits authenticated agents to read arbitrary files on the system by crafting malicious MEDIA output directives. An attacker with agent access can leverage this flaw to exfiltrate sensitive data accessible to the application process. Public exploit code exists for this vulnerability, and no patch is currently available.
OpenClaw AI assistant versions prior to 2026.1.29 contain two command injection vulnerabilities: unescaped user input in SSH project paths allows remote code execution on SSH hosts, and insufficient validation of SSH target parameters enables local command execution through malicious flag injection. An attacker can exploit these flaws to achieve arbitrary code execution either remotely via SSH or locally on the system running OpenClaw.
N8N versions up to 1.118.0 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).
n8n is an open source workflow automation platform. [CVSS 8.1 HIGH]
Stored cross-site scripting in n8n's markdown rendering component allows authenticated users to inject malicious scripts into workflows and sticky notes that execute with session privileges when viewed by other users. An attacker with workflow modification permissions can exploit this to hijack sessions and compromise accounts of users who interact with affected workflows. Versions 1.123.9 and 2.2.1 contain fixes for this vulnerability.
n8n has a command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands through workflow definitions.
n8n has a TOCTOU race condition vulnerability (CVSS 9.9) enabling bypass of execution restrictions in workflow processing.
Improper Content Security Policy enforcement in n8n workflow automation allows authenticated users to inject persistent XSS payloads into webhook responses that execute with same-origin privileges when other users access the affected workflows. An attacker with workflow creation/modification permissions could exploit this to hijack sessions and compromise user accounts. The vulnerability affects n8n versions prior to 1.123.2.
n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.
Claude Code versions before 2.0.72 allow authenticated attackers to execute arbitrary commands by exploiting a command parsing defect that bypasses the execution confirmation prompt via malicious find command syntax. An attacker with the ability to inject untrusted content into a Claude Code context can trigger unintended command execution with high impact to confidentiality, integrity, and availability. No patch is currently available for affected deployments.
Claude Code versions prior to 2.0.74 allow authenticated users to write files outside designated directories by exploiting inadequate Bash command validation in ZSH clobber syntax parsing. An attacker with the ability to inject malicious content into a Claude Code context window on a ZSH-based system can bypass file restrictions and achieve unauthorized file writes without triggering user permission prompts. This vulnerability requires user interaction and ZSH environment configuration, making it suitable for supply chain or prompt injection attacks against Claude Code users.
Claude Code versions prior to 1.0.111 fail to properly validate trusted domains for WebFetch requests, allowing attackers to register lookalike domains (e.g., modelcontextprotocol.io.example.com) that bypass validation checks. This enables unauthorized automated requests to attacker-controlled servers without user interaction, potentially resulting in sensitive data exfiltration from the user's environment. The vulnerability affects Claude Code's agentic coding functionality and requires upgrading to version 1.0.111 or later to remediate.
Local code injection in NVIDIA Megatron-LM allows authenticated users to achieve arbitrary code execution and privilege escalation through malicious input to vulnerable scripts. An attacker with local access can craft specially designed data to trigger unsafe code evaluation, enabling complete system compromise including data theft and modification. No patch is currently available for this vulnerability affecting all supported platforms.
A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. [CVSS 7.3 HIGH]
Command injection in OpenClaw's Docker sandbox execution allows authenticated users to manipulate the PATH environment variable and execute arbitrary commands within containers prior to version 2026.1.29. An attacker with valid credentials and ability to control environment variables could achieve code execution within the containerized AI assistant. A patch is available in version 2026.1.29 and later.
Amazon SageMaker Python SDK versions prior to v2.256.0 or v3.1.1 disable TLS certificate verification when importing Triton Python models, enabling attackers to perform man-in-the-middle attacks by presenting invalid or self-signed certificates. This vulnerability affects organizations using the affected SDK versions for model imports over HTTPS connections. No patch is currently available for this vulnerability.
Amazon SageMaker Python SDK versions before 3.2.0 and 2.256.0 expose the ModelBuilder HMAC signing key in cleartext API responses, allowing authenticated users with S3 bucket write access to inject malicious artifacts into training jobs that execute with elevated privileges. An attacker with dual permissions to call the DescribeTrainingJob API and modify the training output S3 location can achieve arbitrary code execution when the compromised job runs. No patch is currently available for this vulnerability.
Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user's Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims' Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim's Khoj search index. This attack requir...
In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a 'viewer' role can exploit this vulnerability to hijack another user's account by obtaining the password reset token. [CVSS 8.8 HIGH]
Lunary contains a vulnerability that allows attackers to delete prompts created in other organizations through ID manipulation (CVSS 6.5).
Multiple command injection vulnerabilities in CAI (Cybersecurity AI) framework up to 0.5.10 allow OS command execution through the security testing platform.
Remote code execution in AutoGPT Platform prior to v0.6.44 allows authenticated users to execute disabled blocks and write arbitrary Python code to the server filesystem. The vulnerability stems from insufficient validation of the disabled flag in block execution endpoints, enabling attackers to achieve code execution via the BlockInstallationBlock component. Public exploit code exists, and self-hosted instances with Supabase signup enabled are particularly vulnerable to account creation and exploitation.
An input validation vulnerability in the flow.Tensor.new_empty/flow.Tensor.new_ones/flow.Tensor.new_zeros component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.2 MEDIUM]
An input validation vulnerability in the flow.scatter/flow.scatter_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted indices. [CVSS 6.2 MEDIUM]
Oneflow versions up to 0.9.0 contains a vulnerability that allows attackers to cause a Denial of Service (DoS) via a crafted input (CVSS 6.2).
An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]
A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]
A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]
A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]
An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 7.5 HIGH]
A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS).This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. [CVSS 4.4 MEDIUM]
Discourse is an open source discussion platform. [CVSS 5.4 MEDIUM]
Arbitrary file upload in AI Engine WordPress plugin versions up to 3.3.2 allows authenticated Editor-level users to bypass file type validation and execute remote code by uploading files through the `update_media_metadata` REST endpoint. An attacker can upload a benign image file and then rename it to PHP, placing executable code in the web-accessible uploads directory. The vulnerability affects WordPress installations with the plugin installed and requires Editor or higher privileges to exploit.
Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary files from the server filesystem. PoC available, patch available.
The AI Engine plugin for WordPress versions up to 3.3.2 contains a server-side request forgery vulnerability in the 'get_audio' function that allows authenticated subscribers and higher-privileged users to make arbitrary web requests from the server. When the Public API setting is enabled and allow_url_fopen is active, attackers can query and modify data on internal services accessible to the web application. No patch is currently available for this vulnerability.
NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through crafted workflow expressions.
AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity.
Anythingllm versions up to 1.10.0 contains a vulnerability that allows attackers to complete compromise of the semantic search / retrieval functionality and indirec (CVSS 7.5).
BentoML versions prior to 1.4.34 allow path traversal attacks through improperly validated file path fields in bentofile.yaml configurations, enabling attackers to embed arbitrary files from the victim's system into bento archives during the build process. This vulnerability can be exploited to exfiltrate sensitive data such as credentials, SSH keys, and environment variables into supply chain artifacts that may be pushed to registries or deployed in production environments. A patch is available in version 1.4.34.
Arbitrary file upload in Kalrav AI Agent WordPress plugin due to missing file type validation in the kalrav_upload_file AJAX action.
Stored XSS in ChatterMate AI chatbot framework versions 1.0.8 and below. The chatbot accepts and renders malicious HTML/JavaScript from user input. PoC and patch available.
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. [CVSS 4.3 MEDIUM]
Upsonic has an insecure deserialization via cloudpickle (EPSS 1.3%) enabling remote code execution through crafted serialized AI agent data.
Remote code execution in Langflow's disk cache service allows authenticated attackers to execute arbitrary code by exploiting improper deserialization of untrusted data. The vulnerability affects Langflow installations and requires valid authentication credentials to exploit, enabling attackers to gain code execution within the service account context. No patch is currently available.
Langflow's PythonFunction component allows authenticated attackers with user interaction to inject and execute arbitrary Python code within application workflows, achieving remote code execution. The vulnerability affects Langflow deployments using Python-based AI/ML components, with exploitation feasibility depending on specific product configurations. No patch is currently available.
Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes in the application's global scope.
Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted custom component definitions.
Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the visual AI workflow builder.
Remote code execution in Open WebUI through the load_tool_module_by_id function allows authenticated attackers to execute arbitrary Python code due to insufficient input validation on user-supplied strings. An attacker with valid credentials can leverage this vulnerability to achieve code execution with service account privileges. No patch is currently available, making this a critical risk for deployed Open WebUI instances.
Remote code execution in Open WebUI's install_frontmatter_requirements function allows authenticated attackers to execute arbitrary commands on the host system by bypassing input validation in system call parameters. The vulnerability affects AI/ML deployments using Open WebUI and requires valid authentication credentials to exploit. No patch is currently available.
GPT Academic has a second insecure deserialization vulnerability in the upload function (EPSS 1.5%) allowing remote code execution through crafted file uploads.
GPT Academic has an insecure deserialization in run_in_subprocess_wrapper_func (EPSS 1.7%) enabling remote code execution through crafted subprocess data.
Remote code execution in GPT Academic's stream_daas function results from improper deserialization of untrusted data when communicating with external servers, allowing unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability requires interaction with a malicious DAAS server and currently has no available patch. Organizations using GPT Academic should implement network controls to restrict connections to untrusted DAAS services until patching is available.
MetaGPT has a code injection vulnerability in actionoutput_str_to_mapping (EPSS 2.6%) allowing remote attackers to execute arbitrary code through crafted AI agent output processing.
MetaGPT by Foundation Agents has an insecure deserialization in deserialize_message (EPSS 1.7%) enabling remote code execution through crafted serialized data in AI agent communications.
Katana Network Development Starter Kit has a command injection in executeCommand enabling remote code execution through the development framework.
mcp-server-siri-shortcuts fails to validate the shortcutName parameter before using it in system calls, enabling local attackers with low-privileged code execution to inject arbitrary commands and escalate to service account privileges. This command injection vulnerability (CVE-2026-0758, CVSS 7.8) affects the AI/ML tool and currently lacks a patch. An attacker exploiting this flaw can execute arbitrary code with elevated privileges on the affected system.
MCP Manager for Claude Desktop is vulnerable to command injection through improperly validated MCP config objects, enabling remote attackers to escape the sandbox and execute arbitrary code on affected systems. The vulnerability requires user interaction such as visiting a malicious page or opening a malicious file, and currently lacks an available patch. An attacker can leverage this flaw to achieve code execution with medium integrity privileges in the context of the running process.
github-kanban-mcp-server has a command injection in execAsync (EPSS 1.0%) enabling remote code execution on developer machines using the GitHub Kanban MCP integration.
gemini-mcp-tool has a command injection in execAsync allowing remote code execution on systems using the Gemini AI MCP integration.
Ollama MCP Server has a command injection vulnerability in execAsync (EPSS 1.0%) allowing remote attackers to execute arbitrary commands on systems running the Ollama AI integration.
Framelink Figma MCP Server has a command injection vulnerability in fetchWithRetry (EPSS 1.4%) enabling remote code execution on developer machines using the MCP integration.
Information disclosure in Microsoft 365 Word Copilot enables unauthenticated attackers to extract sensitive data through improper handling of escape and control sequences in network communications. The vulnerability requires user interaction to trigger and affects the Copilot AI/ML service with a CVSS score of 7.4. No patch is currently available.
Unauthenticated attackers can remotely access sensitive information in Microsoft Copilot Studio due to improper access controls, requiring no authentication or user interaction. This network-based vulnerability exposes confidential data to unauthorized disclosure with no patch currently available.
Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. [CVSS 7.4 HIGH]
Langfuse versions 3.146.0 and below allow unauthenticated attackers to hijack Slack OAuth integrations by injecting arbitrary projectIds into the /api/public/slack/install endpoint, enabling them to bind malicious Slack workspaces to any project and intercept prompt management data. An attacker can replace existing Prompt Slack Automations or pre-register malicious integrations that execute when authenticated users unknowingly configure them. Public exploit code exists for this vulnerability, which affects the DNS and AI/ML components of the Langfuse platform.
Grist spreadsheet software has an injection vulnerability in Python formula execution that allows authenticated users to escape the formula sandbox and execute arbitrary code.
CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 8.8 HIGH]
CVAT is an open source interactive video and image annotation tool for computer vision. [CVSS 5.4 MEDIUM]
Claude Code versions prior to 2.0.65 allow attackers to steal Anthropic API keys from users by crafting malicious repositories that redirect API calls to attacker-controlled servers before the trust confirmation dialog appears. When a victim opens an infected repository, the tool automatically reads malicious configuration settings and sends API requests containing credentials before displaying any security prompt, enabling credential theft. Users should upgrade to version 2.0.65 or later, though auto-update users have already received the patch.
SQLBot is an intelligent data query system based on a large language model and RAG. [CVSS 6.1 MEDIUM]
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the fs/ggml/gguf.go, function readGGUFV1String reads a string length from untrusted GGUF metadata [CVSS 7.5 HIGH]
An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder [CVSS 7.5 HIGH]
NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. [CVSS 7.8 HIGH]
Improper permission validation in CrawlChat versions prior to 0.0.8 allows unauthenticated Discord guild members to inject malicious content into the bot's knowledge base through the jigsaw emoji feature, enabling attackers to manipulate chatbot responses across all integrations and redirect users to malicious sites. The vulnerability affects the AI/ML platform's ability to maintain knowledge base integrity, as normal users can bypass intended admin-only controls. Public exploit code exists for this issue, though a patch is available.
ChatterBot versions through 1.2.10 suffer from denial-of-service vulnerabilities due to improper connection pool management that allows attackers to exhaust database connections through concurrent requests to the get_response() method, causing persistent service unavailability. Public exploit code exists for this vulnerability, which affects all deployments of the affected ChatterBot versions and requires manual service restart to recover. ChatterBot 1.2.11 addresses this issue.
Stored XSS in LobeChat's Mermaid artifact renderer prior to version 2.0.0-next.180 enables attackers to execute arbitrary JavaScript, which can be escalated to remote code execution through the exposed electronAPI IPC bridge to run system commands. This affects users of the open source chat platform running vulnerable versions, requiring local interaction and high privileges to exploit but resulting in full system compromise. No patch is currently available.
Authenticated users can exploit string formatting and exception handling in n8n's Python task executor to escape sandbox restrictions and execute arbitrary code on the underlying operating system, with full instance takeover possible in Internal execution mode. Public exploit code exists for this vulnerability, which affects n8n deployments running under Internal execution mode where the Python executor has direct OS access. External execution mode deployments using Docker sidecars have reduced impact as code execution is confined to the container rather than the main node.
MCPJam Inspector versions 1.4.2 and earlier allow unauthenticated remote code execution through missing authentication in the MCP server debugging platform, with EPSS 17.2% indicating active scanning.
Dask distributed is a distributed task scheduler for Dask. [CVSS 6.1 MEDIUM]
Dive, an MCP Host Desktop Application for LLM integration, allows code injection prior to version 0.13.0 through malicious tool responses, enabling attackers to execute arbitrary code on the user's machine.
TheLibrarian's web_fetch tool can expose the Adminer interface, enabling unauthenticated remote attackers to obtain credentials for the internal backend system. This high-severity vulnerability affects AI/ML deployments and TheLibrarian installations, with no patch currently available. An attacker with network access could leverage the exposed interface to gain unauthorized administrative access to the backend infrastructure.
The Librarian's web_fetch tool can access the supervisord status page, exposing information about running backend processes to unauthenticated remote attackers. This information disclosure vulnerability (CVSS 7.3) affects AI/ML deployments and could enable attackers to map internal service architecture and identify targets for further exploitation. No patch is currently available for this vulnerability.
The Librarian's web_fetch tool can be exploited via SSRF to perform unauthorized GET requests against internal IP addresses and cloud services within the Hertzner environment, allowing attackers to conduct port scanning and reconnaissance of the infrastructure. This unauthenticated network-based attack requires no user interaction and could expose sensitive internal services and their configurations. While the vendor has released patches, exploitation remains possible on unpatched instances.
The Librarian's web_fetch tool permits attackers to retrieve arbitrary external content and proxy requests through the application's infrastructure without authentication, resulting in information disclosure. This network-accessible vulnerability affects all versions of The Librarian AI/ML product and has high severity due to its ease of exploitation and potential for infrastructure abuse. A vendor patch is currently unavailable.