How a malicious AI agent skill passed security checks and reached 26,000 users

A fake AI agent skill that passed security checks reached over 26,000 users through Instagram, highlighting new risks as enterprises rely on AI-driven tools.

Some of the agents involved were tied to corporate accounts, AIR said. The company said a similar attack could have exposed private conversations and internal systems. AIR said no agents were harmed in the research and that the test payload…

Microsoft says web-enabled AI agents can trigger host-level RCE

Microsoft is warning of a novel remote code execution (RCE) path possible through web-enabled AI agents, demonstrating the technique against AutoGen Studio, its open-source interface for building and testing multi-agent applications.

The demonstration showed that a malicious webpage rendered by an AutoGen-powered browsing agent could reach a local Model Context Protocol (MCP) service and run…

M365 Copilot SearchLeak: Your prompt injection attack surface just got bigger

A recent proof-of-concept attack against Microsoft’s M365 Copilot Enterprise highlights what could be a much broader prompt injection threat based on a common way many AI-enhanced web services operate.

Dubbed SearchLeak, the attack hinged on a typical malicious objective: to leak sensitive corporate data by tricking employees to click on specially crafted links.

To carry out the attack,…

Langflow RCE under active attack months after a patch was shipped

Enterprises using the open-source AI orchestration platform Langflow are being urged to patch a high-severity path traversal flaw amid active exploitation, despite a fix having been available for more than two months.

The bug, which stems from improper handling of filenames in Langflow’s file upload functionality, can allow attackers to write files to arbitrary locations within the affected…
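The bug class described here is worth seeing in code. The following is an added illustration, not Langflow's code: a naive upload handler that joins the client-supplied filename onto the upload directory, beside a hardened version that accepts only a bare name and verifies containment anyway. The upload directory, port-free paths and the test filenames are constructed for the demo.

```python
"""Path traversal via an upload filename: vulnerable pattern beside a hardened one.

Added illustration of the bug class; not Langflow's code. UPLOAD_DIR and the
sample names are constructed for the demo.
"""
import posixpath

UPLOAD_DIR = "/srv/uploads"  # assumed upload root (constructed for the demo)


def naive_target(base: str, filename: str) -> str:
    """Vulnerable: join the client-controlled name onto the base and normalise.

    '..' segments walk out of the base, and an absolute name replaces it
    entirely, because posixpath.join discards everything before an absolute
    component.
    """
    return posixpath.normpath(posixpath.join(base, filename))


def escapes_base(base: str, target: str) -> bool:
    """True if the normalised target does not sit inside the normalised base.

    Comparing common paths (not string prefixes) also catches sibling
    directories such as /srv/uploads-evil.
    """
    base = posixpath.normpath(base)
    target = posixpath.normpath(target)
    return posixpath.commonpath([base, target]) != base


def safe_target(base: str, filename: str) -> str:
    """Hardened: accept a bare file name only, then verify containment as well."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    if "/" in filename or "\\" in filename:
        raise ValueError("filename must not contain path separators")
    if filename in (".", ".."):
        raise ValueError("dot names are not valid file names")
    target = posixpath.normpath(posixpath.join(base, filename))
    if escapes_base(base, target):  # belt and braces; cannot trigger after the checks above
        raise ValueError("target escapes upload directory")
    return target


def classify(filename: str) -> dict:
    """Run both handlers on one name and report where each would have written."""
    naive = naive_target(UPLOAD_DIR, filename)
    try:
        safe = safe_target(UPLOAD_DIR, filename)
    except ValueError as exc:
        safe = f"rejected: {exc}"
    return {
        "filename": filename,
        "naive": naive,
        "naive_escapes": escapes_base(UPLOAD_DIR, naive),
        "safe": safe,
    }


if __name__ == "__main__":
    # Constructed inputs: one benign name and three traversal attempts
    for name in ("report.pdf", "../../etc/cron.d/job", "/etc/passwd", "subdir/../../x"):
        print(classify(name))
```

The practical check for any upload path is the one in `escapes_base`: normalise both sides and compare the common path with the base, rather than testing a string prefix, which `/srv/uploads-evil` would pass.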

Prompt injection breaks today’s AI agents, study warns

Today’s AI web agents have no dependable defenses against prompt injection, according to new research showing that not a single attack scenario was consistently blocked across leading systems powered by GPT‑5 and Gemini.

The findings come from StakeBench, a stakeholder-centric benchmark developed by researchers from Nanyang Technological University, ST Engineering, IBM Research, and the…

Flowise’s MCP implementation can run ghost commands

Enterprises using the lightweight, open-source Flowise platform to power self-hosted AI workloads have a new near-max severity issue to worry about.

Researchers at Obsidian Security have detailed a one-click remote code execution (RCE) vulnerability affecting self-hosted Flowise deployments through its implementation of Model Context Protocol (MCP) stdio servers.

The problem is essentially a…

Project Glasswing has uncovered 10,000 vulnerabilities: Anthropic

Anthropic says it and upwards of 50 partners involved in Project Glasswing have uncovered an estimated 10,000 critical or high-severity vulnerabilities in their software offerings.

The company launched the cybersecurity initiative, which is built around Claude Mythos Preview, in April, stating that its launch partners would use it as part of their defensive security work.

Anthropic said it…

AI agent finds 18-year-old remote code execution flaw in Nginx

Researchers have found a critical vulnerability in the widely used Nginx web server that can potentially lead to remote code execution under certain conditions. The flaw is a heap buffer overflow that has gone undetected in the program’s code for the past 18 years.

Tracked as CVE-2026-42945, the vulnerability is one of four bugs found in Nginx by researchers from security startup DepthFirst AI,…

PraisonAI vulnerability gets scanned within 4 hours of disclosure

A newly disclosed authentication bypass flaw in the open-source AI orchestration framework PraisonAI was probed by internet scanners less than four hours after its public disclosure.

According to Sysdig observations, roughly three hours and 44 minutes after a GitHub advisory dropped, a scanner identifying itself as “CVE-Detector/1.0” was already looking through the exposed PraisonAI instances…

Ollama vulnerability highlights danger of AI frameworks with unrestricted access

A critical vulnerability in Ollama poses a direct risk of sensitive information leaks to more than 300,000 internet-exposed servers, researchers have found.

The flaw, tracked as CVE-2026-7482, stems from an out-of-bounds heap read in Ollama’s model quantization pipeline. Ollama is one of the most popular frameworks for running AI models on local hardware. The flaw also subjects servers on local…

AI finds 20-year-old bugs in PostgreSQL and MariaDB

Open-source databases are facing a bit of a memory problem as AI helps surface decades-old buffer overflow issues in widely used components. Security researchers have disclosed a set of high and critical-severity vulnerabilities affecting PostgreSQL and MariaDB, with two bugs reportedly tracing their roots back more than 20 years.

At Wiz’s zeroday.cloud hacking event, researchers using the…

Max-severity RCE flaw found in Google Gemini CLI

Security researchers are warning about a max severity vulnerability in Google Gemini CLI that could allow remote code execution (RCE) in environments where the tool processes untrusted inputs.

The issue was disclosed by Novee Security researchers and affects the @google/gemini-cli package and its associated GitHub Action, widely used in CI/CD workflows.

“Gemini CLI (@google/gemini-cli) and the…

Microsoft patched an ‘agent-only’ role that was not

An administrative role meant for AI agents within Microsoft’s Entra ID ecosystem could allow privilege escalation and tenant takeover attacks, as it had privileges over more than agent-related objects.

Researchers at Silverfort found that users assigned to Microsoft’s “Agent ID Administrator” role, scoped to agent-related objects like blueprints and agent identities, could take ownership of…

Thousands of Apache ActiveMQ instances still unpatched, weeks after an actively exploited hole was discovered

Two weeks after researchers using an AI tool discovered a major hole in Apache’s ActiveMQ messaging middleware, there are still thousands of unpatched instances open to the internet, more evidence that many application developers and IT leaders aren’t paying close attention to warnings about vulnerabilities.

While the remote code injection vulnerability [CVE-2026-34197] was revealed on April 7,…

Copilot & Agentforce open to prompt injection tricks

AI agents are popular, and susceptible to being abused.

Enterprise AI agents can, as is well known, streamline workflows. But they can also streamline data exfiltration, as security researchers at Capsule Security have found. They discovered prompt injection vulnerabilities in both Microsoft Copilot Studio and Salesforce Agentforce.

These…

Behind the Mythos hype, Glasswing has just one confirmed CVE

Efforts to cut through the buzz surrounding Anthropic’s Mythos are emerging. As OpenAI moves to counter the hype around it with its own cybersecurity model, VulnCheck is reporting that the model’s publicly attributable output amounts to just one confirmed CVE.

While Project Glasswing, the controlled access program for Mythos, promises a powerful offensive capability, gated behind vetted…

Copilot and Agentforce fall to form-based prompt injection tricks

Enterprise AI agents are supposed to streamline workflows. Instead, two fresh findings show they can just as easily streamline data exfiltration.

Security researchers have uncovered prompt-injection vulnerabilities in both Microsoft Copilot Studio and Salesforce Agentforce that allow attackers to execute malicious instructions via seemingly harmless prompts.

According to Capsule Security…

Claude uncovers a 13‑year‑old ActiveMQ RCE bug within minutes

Anthropic’s Claude dug up a critical remote code execution (RCE) bug that sat quietly inside Apache ActiveMQ Classic for over a decade.

Researchers at Horizon3.ai say that it only took minutes for their team to work out an exploit chain for the bug with the help of AI. The researcher behind the work, Naveen Sunkavally, described the process as “80% Claude with 20% gift-wrapping by a human.”

The…

Hackers exploit a critical Flowise flaw affecting thousands of AI workflows

Threat actors have found a way to inject arbitrary JavaScript into the Flowise low-code platform for building custom LLM and agentic systems.

The code injection was possible due to a design oversight, rated at max-severity, in the platform’s custom MCP node, which acts as a plug-in connector for an application’s AI agent to talk to external tools via MCP servers.

According to a recent VulnCheck…

Zero‑click Grafana AI attack can enable enterprise data exfiltration

Indirect prompt injection is possible on AI-powered dashboards, allowing exfiltration of sensitive enterprise data without user authentication.

Security researchers are warning about a critical Grafana issue, dubbed GrafanaGhost, that allows attackers to leak sensitive data from Grafana environments, including financial metrics, infrastructure health data, private customer data, and operational…

Vim and GNU Emacs: Claude Code helpfully found zero-day exploits for both

Developers can spend days using fuzzing tools to find security weaknesses in code. Alternatively, they can simply ask an LLM to do the job for them in seconds.

The catch: LLMs are evolving so rapidly that this convenience might come with hidden dangers.

The latest example is from researcher Hung Nguyen from AI red teaming company Calif, who, with simple prompts to Anthropic’s Claude Code, was…

OpenAI patches twin leaks as Codex slips and ChatGPT spills

OpenAI has fixed two flaws in its AI stack that could allow AI agents to move sensitive data in unintended ways.

The issues, disclosed by researchers at BeyondTrust and Check Point Research, affect the OpenAI Codex coding agent and ChatGPT’s code execution environment, respectively. One enabled GitHub token theft through command injection, while the other exposed a hidden channel for silently…

OAuth vulnerability in n8n automation platform could lead to system compromise

A weakness in the configuration of OAuth credentials opens up a stored XSS vulnerability in the n8n automation platform, researchers at Imperva have discovered.

Setting up OAuth allows n8n to connect to services such as Google Workspace, Microsoft 365, Slack, or GitHub without having to expose service passwords.

This is core to automation platforms like n8n because it allows organizations to…

Challenges and projects for the CISO in 2026

Sophisticated attacks and the incorporation of AI tools, talent shortages, and tight budgets are some of the challenges commonly cited when it comes to managing cybersecurity in organizations. In a changing environment, the key is no longer to stay one step ahead, but to maintain a resilient infrastructure that ensures a rapid response when — not if — a cyberattack occurs. In the coming months,…

Your personal OpenClaw agent may also be taking orders from malicious websites

If you thought running an AI agent locally kept it safely inside your machine’s walls, you’re in for a surprise. Researchers at Oasis Security have disclosed a flaw chain that allowed a malicious website to quietly connect to a locally running OpenClaw agent and take full control.

The issue stems from a fundamental assumption baked into developer tools that anything coming from “localhost” can…

Anthropic’s DXT poses “critical RCE vulnerability” by running with full system privileges

When LayerX Security published a report on Monday describing what it called “a critical zero-click RCE vulnerability in [Anthropic’s] Claude Desktop Extensions (DXT) that allows a malicious Google Calendar invite to silently compromise an entire system,” analysts, consultants, security leaders, and even Anthropic didn’t dispute the facts.

But the revelation did reignite the debate about whether…

Microsoft develops a new scanner to detect hidden backdoors in LLMs

Microsoft has developed a scanner designed to detect backdoors in open-weight AI models, addressing a critical blind spot for enterprises increasingly dependent on third-party LLMs.

In a blog post, the company said its research focused on identifying hidden triggers and malicious behaviors embedded during the training or fine-tuning of language models, which can remain dormant until activated by…
