AI Security Dashboard
Curated vulnerabilities, advisories, and breaches affecting AI/ML systems.
Get the weekly digest
Top AI security stories every Monday. Free, no spam. Want it daily? See Daily Briefing.
CVE-2026-56307: Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudf
Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page lo...
CVE-2024-58351: Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig opti
Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction AP...
appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)
## Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI) ### Summary `appium-mcp`'s `createLocatorGeneratorUI` function interpolates attacker-controlled element attributes — `text...
SearXNG MCP Server: DNS-resolved Private Hostname SSRF in `web_url_read`
## DNS-resolved Private Hostname SSRF in `web_url_read` ### Summary The `web_url_read` MCP tool in `mcp-searxng` is vulnerable to Server-Side Request Forgery (SSRF) via DNS rebinding bypass. The `as...
SearXNG MCP Server: Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read`
## Unbounded Response Body Read Bypasses URL Size Limit in `web_url_read` ### Summary The `web_url_read` MCP tool in mcp-searxng enforces its 5 MiB response-size limit exclusively by inspecting the...
Network-AI: ApprovalInbox HTTP server has no authentication — anyone can approve pending agent actions
## Summary `network-ai`'s `ApprovalInbox` (`lib/approval-inbox.ts`) is a shipped, exported, documented feature — *"a web-accessible approval queue with REST API … and SSE streaming"* (SECURITY.md). I...
Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
### Summary All components based on `BaseFileComponent` are vulnerable to the following vulnerability: 1. Docling (`DoclingInlineComponent`) 2. Docling Serve (`DoclingRemoteComponent`) 3. Read File (`...
Langflow: Unauthenticated DoS through multipart form boundary file upload
### Summary An attacker can send a `/api/v1/files/upload/` request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all user...
CVE-2026-50519: Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized at
Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.
Langflow: Logout button does not clear session
### Summary The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. ### Details Not in auto login mode. Hosted on localhost. `access_to...
CVE-2026-47645: Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized atta
Url redirection to untrusted site ('open redirect') in Microsoft 365 Copilot's Business Chat allows an unauthorized attacker to elevate privileges over a network.
Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow
## Summary Insecure Direct Object Reference (IDOR) vulnerability in `/api/v1/responses` endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victi...
CVE-2026-42895: Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unaut
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to perform tampering over a network.
dbt MCP Server: Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens
## Unauthenticated OAuth Context Endpoint Leaks dbt Platform Tokens ### Summary The local OAuth helper FastAPI server bundled with `dbt-mcp` exposes the `GET /dbt_platform_context` endpoint without...
@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument
## Summary A command injection vulnerability exists in `@cyclonedx/cyclonedx-npm` when the CLI is invoked with the `--workspace ` option while the environment variable `npm_execpath` is unset or empty...
Kozou: Unauthenticated MCP HTTP server and bundled dev-stack hardening (DNS-rebinding, request-body limits, read-only reads, default network exposure)
Kozou compiles a PostgreSQL schema into an Admin UI, a REST API, and an MCP server. Several hardening gaps in the bundled HTTP surfaces and the scaffolded dev stack are fixed in **1.8.1**. ## Issues...
CVE-2026-48774: ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MC
ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP `run_sql_readonly` tool violates its documented read-only contract for MySQL t...
Stanza: Remote Code Execution via Unsafe Pickle Deserialization in Model Loaders
### Summary Stanza 1.12.0 attempts to safely load PyTorch checkpoint files using `torch.load(..., weights_only=True)`, but automatically falls back to the fully unsafe `torch.load(..., weights_only=F...
Arbitrary host CRI log file read via symlink following in CRI checkpoint restore
### Impact A bug was found in containerd where the CRI plugin restores `container.log` from a checkpoint image without validating a symlinked path. This could result in reading an arbitrary file on th...
containerd CRI — image-config `LABEL` flows to restart-monitor `binary://` logger: host-root command execution from an image pull
### Impact A bug was found in containerd where the CRI plugin propagates labels from an image config (`LABEL` instruction in Dockerfile) to a container without validation. This may result in executing...
containerd: CRI checkpoint import allows local image tag poisoning
## Impact containerd's CRI checkpoint import process contains a vulnerability where it fails to validate the image references specified within a checkpoint image's configuration. An attacker with perm...
symfony/ux-live-component: CSRF Protection Bypass — Accept Header is CORS-Safelisted
### Description When using `symfony/ux-live-component`, methods annotated with `#[LiveAction]` are invokable from the browser and mutate server-side state via AJAX. `Symfony\UX\LiveComponent\EventLis...
symfony/ux-live-component: LiveComponentHydrator HMAC checksum lacks component and slot binding
### Description In `symfony/ux-live-component`, a component's server-side state is exposed to the browser as a set of props (`#[LiveProp]`-annotated properties). Props marked `writable: true` can be...
AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
Microsoft researchers have detailed an exploit chain, named AutoJack, that turns an AI browsing agent into a delivery vehicle for remote code execution. Steer the agent to load an attacker's web page...
CVE-2023-54353: Chromacam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService that allows local attack
Chromacam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService that allows local attackers to execute arbitrary code by placing malicious executables in unquoted path...