Social Engineering
Generative AI lowers the cost of social engineering by orders of magnitude. Spear-phishing emails that previously required a fluent writer and target research are now produced in seconds with reasonable per-target personalisation. Voice cloning (ElevenLabs, OpenVoice, and others) enables real-time impersonation of executives and family members; multiple confirmed business-email-compromise and CFO-fraud incidents in 2023-2024 used cloned voices. Deepfake video is good enough for short verification clips and live calls under poor video conditions. Beyond direct attacks, AI-generated content fuels disinformation campaigns, fake review economies, and pig-butchering scams at unprecedented scale. AI Threat Alert tracks this category through CVEs in voice/face-recognition systems that fail to detect synthetic media, plus incidents in AIID (the AI Incident Database). Defenses: out-of-band verification for sensitive actions, deepfake detection layered with provenance signals (C2PA), and user education that assumes any voice or video can be faked.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-26192 | Open WebUI: stored XSS via citation iFrame → admin RCE | open-webui | 7.3 |
| MEDIUM | CVE-2025-46571 | Open WebUI: Stored XSS via HTML upload enables admin RCE | open-webui | - |
| MEDIUM | CVE-2026-56359 | n8n: XSS via malicious OAuth2 Authorization URL | n8n | 5.4 |
Page 4 of 4