Data Extraction
Data extraction attacks target the information processed or memorised by AI/ML systems. They take three main forms. First, training-data extraction: large language models can memorise verbatim spans of their training corpus, and an attacker who crafts the right prompts can pull back PII, API keys, or copyrighted text — a result demonstrated against GPT-2 by Carlini et al. and reproduced against several production models. Second, model extraction: by repeatedly querying a hosted model and observing outputs, an attacker can reconstruct enough behaviour to clone proprietary fine-tunes. Third, system-prompt and conversation leakage: indirect prompt injection or insecure logging can leak the application's instructions and other users' conversations. Multi-tenant inference platforms (vLLM, Triton, hosted APIs) and RAG systems are particularly exposed. Defenses: output filtering, differential privacy in training, rate limits, and strict tenant isolation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-44688 | Eclipse Theia: indirect prompt injection → RCE + exfil | @theia/ai-ide | - |
| HIGH | CVE-2026-46580 | Eclipse Theia: workspace prompt injection enables RCE/exfil | @theia/ai-editor | - |
| MEDIUM | CVE-2026-54683 | nl-portal documenten-api: IDOR exposes citizen documents | nl.nl-portal:documenten-api | 6.5 |
| MEDIUM | CVE-2026-56074 | PraisonAI: tool approval bypass enables credential theft | PraisonAI | 5.5 |
| HIGH | CVE-2026-56078 | PraisonAI: path traversal → arbitrary file read/write/RCE | PraisonAI | 8.8 |
| MEDIUM | CVE-2026-56077 | PraisonAI: agent ID collision leaks system prompts | PraisonAI | 6.5 |
| HIGH | CVE-2026-56076 | PraisonAI: CORS bypass enables arbitrary agent execution | PraisonAI | 8.1 |
| CRITICAL | CVE-2026-12048 | pgAdmin 4: Stored XSS enables full browser session hijack | 9.3 | |
| MEDIUM | CVE-2026-55832 | tract-onnx: path traversal exposes arbitrary local files | tract-onnx | 6.1 |
| MEDIUM | CVE-2026-55414 | nl-portal: GraphQL SSRF exposes Objecten-API auth token | nl.nl-portal:form | 5.3 |
| MEDIUM | CVE-2026-55375 | canto-saas-api: OAuth credentials logged via query params | jleehr/canto-saas-api | 5.3 |
| HIGH | CVE-2026-49357 | line-desktop-mcp: unauthenticated HTTP exposes LINE chats | line-desktop-mcp | - |
| HIGH | CVE-2026-54528 | jupyterlab-git: excluded_paths bypass exposes secrets | jupyterlab-git | 7.1 |
| UNKNOWN | CVE-2026-54527 | jupyterlab-git: stored XSS escalates to full RCE | @jupyterlab/git | - |
| HIGH | CVE-2026-54317 | Home Assistant Konnected: auth bypass leaks alarm panel state | homeassistant | 7.6 |
| HIGH | CVE-2026-53489 | containerd: symlink follow leaks host files via kubectl logs | github.com/containerd/containerd/v2 | - |
| CRITICAL | CVE-2026-55447 | Langflow: TAR symlink traversal enables full RCE | langflow | 9.6 |
| MEDIUM | CVE-2026-55423 | Langflow: logout fails to clear session tokens | langflow | 6.1 |
| CRITICAL | CVE-2026-55255 | Langflow: IDOR allows cross-user flow execution | langflow | 9.9 |
| HIGH | GHSA-mrvx-jmjw-vggc | mcp-searxng: SSRF via DNS rebinding in web_url_read | 7.1 |