AI Security Threat Feed

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name}...

A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct...

MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url / X-Atlassian-Confluence-Url headers

SageMaker Python SDK replaced eval() with safe parser in JumpStart search functionality

xgrammar vulnerable to DoS via multi-layer nesting

Fickling missing RCE-capable modules in UNSAFE_IMPORTS

Fickling has `always_check_safety()` bypass: pickle.loads and _pickle.loads remain unhooked

Fickling: OBJ opcode call invisibility bypasses all safety checks

MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of...

Picklescan (scan_pytorch) Bypass via dynamic eval MAGIC_NUMBER

Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic...

SageMaker Python SDK has Exposed HMAC

picklescan missing detection by simple obfuscation of a `builtins.eval` call

Lollms has an Improper Access Control vulnerability

In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with...

Chainlit contain a server-side request forgery (SSRF) vulnerability

Google Keras Allocates Resources Without Limits or Throttling in the HDF5 weight loading component

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to...

Fickling vulnerable to detection bypass due to "builtins" blindness

Fickling has Static Analysis Bypass via Incomplete Dangerous Module Blocklist

Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection

Fickling Blocklist Bypass: cProfile.run()

Fickling has a bypass via runpy.run_path() and runpy.run_module()

vLLM introduced enhanced protection for CVE-2025-62164

picklescan has Arbitrary file read using `io.FileIO`

Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.attrgetter

Picklescan is vulnerable to RCE via missing detection when calling built-in python _operator.methodcaller

Picklescan is vulnerable to RCE via missing detection when calling numpy.f2py.crackfortran.getlincoef

Picklescan is vulnerable to RCE through missing detection when calling numpy.f2py.crackfortran.myeval

Picklescan is vulnerable to RCE through missing detection when calling built-in python operator.methodcaller

Picklescan missing detection when calling numpy.f2py.crackfortran.getlincoef

Picklescan Bypasses Unsafe Globals Check using pty.spawn

Picklescan missing detection when calling pty.spawn

Picklescan has Incomplete List of Disallowed Inputs

Picklescan does not block ctypes

Picklescan vulnerable to Arbitrary File Writing

Fickling has Code Injection vulnerability via pty.spawn()

Fickling has missing detection for marshal.loads and types.FunctionType in unsafe modules list

Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web

LangChain is a framework for building agents and LLM-powered applications. From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template...

Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events

Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE

llama-index has Insecure Temporary File

A Server-Side Request Forgery (SSRF) vulnerability exists in the MediaConnector class within the vLLM project's multimodal feature set. The load_from_url and load_from_url_async methods fetch and...

LLaMA-Factory is a tuning library for large language models. Prior to version 0.9.4, a Server-Side Request Forgery (SSRF) vulnerability in the chat API allows any authenticated user to force the...

llama-index-core insecurely handles temporary files

Picklescan: ZIP archive scan bypass is possible through non-exhaustive Cyclic Redundancy Check

Picklescan is Vulnerable to Unsafe Globals Check Bypass through Subclass Imports

Monai: Unsafe use of Pickle deserialization may lead to RCE

MONAI: Unsafe torch usage may lead to arbitrary code execution