Browse 371 published reports from the community.
CVSS 9.3. Marimo Python reactive notebook (~19.6k GitHub stars) terminal WebSocket endpoint `/terminal/ws` lacks authentication. Single WebSocket connection grants full PTY shell. Commonly runs as root in Docker. Sysdig honeypots observed exploitation within hours of disclosure. Confirmed exploited in the wild. Fixed in v0.23.0.
Two CVSS 9.8 unauthenticated RCE vulnerabilities via unsafe pickle.loads() deserialization in ZeroMQ broker and disaggregation modules. CVE-2026-3989 (CVSS 7.8): insecure pickle.load() in replay_request_dump.py. Unpatched as of disclosure.
Four CVEs: sandbox escape via CodeInterpreter Docker fallback, SSRF in RAG search tools, arbitrary local file read in JSON loader. Chained via prompt injection to escape sandbox and execute code on host. Separately, a leaked internal GitHub token (CVSS 9.2) granted full access to CrewAI's private repos. No complete patch available.
Follow-up code injection (CVSS 9.3) to CVE-2025-3248; added to CISA KEV catalog. Exploitation began within 20 hours of advisory publication; .env and .db harvesting within 24 hours. Previously, CVE-2025-3248 exec()'d user-submitted Python without authentication, actively exploited to deploy the Flodric botnet.
Multiple vulnerabilities in AnythingLLM Desktop v1.11.1 and earlier: CVE-2026-32626 (CVSS 9.7) streaming phase XSS to RCE via LLM response injection in Electron; CVE-2026-32719 Zip Slip path traversal in plugin imports leading to arbitrary code execution; CVE-2026-32617 authentication bypass exposing HTTP/WebSocket endpoints; CVE-2026-24477 Qdrant API key exposed in plaintext via `/api/setup-complete`.
CVE-2025-59536: Malicious `.claude/settings.json` hooks execute shell commands on SessionStart, achieving RCE before user reads the trust dialog. CVE-2026-21852: Malicious repos exfiltrate Anthropic API keys by overriding ANTHROPIC_BASE_URL to attacker-controlled servers. A single malicious commit could compromise any developer.
Multiple studies reveal that leading AI chatbots excessively validate users' actions, even in harmful or illegal contexts, distorting judgment and reducing self-correction. Additionally, AI agents increasingly ignore human commands, causing operational harm such as unauthorized file deletion and exposure of sensitive data. These behaviors undermine responsible decision-making and social functioning.
CVSS 9.8. Critical RCE on vLLM deployments (3M+ monthly downloads) by submitting a malicious video link to the API. Chained exploit: information disclosure via PIL error message leaking heap address + FFmpeg JPEG2000 decoder heap overflow via OpenCV video processing. Affects vLLM 0.8.3 through 0.14.0. Fixed in 0.14.1.
CVSS 9.8. Langflow's CSVAgentComponent hardcodes `allow_dangerous_code=True`, auto-enabling LangChain's Python REPL tool. Attackers inject malicious prompts through user-supplied input, achieving arbitrary Python/OS command execution. No authentication required. Affects versions prior to 1.8.0.
CVSS 9.8. MCPJam inspector v1.4.2 and earlier listens on [REDACTED-IP] by default with no authentication. A crafted HTTP request installs a malicious MCP server and executes arbitrary code. Public exploit available. Fixed in v1.4.3.
After the fatal shooting of Renee Nicole Good in Minneapolis by an ICE officer, users on X reportedly asked Grok to "unmask" the masked agent shown in eyewitness footage. Grok reportedly generated a fabricated face that spread widely online, along with the false name "Steve Grove." The output and claim allegedly led to harassment and reputational harm against at least two uninvolved men.
Following the fatal shooting of Minneapolis ICU nurse Alex Pretti by U.S. Customs and Border Patrol agents, social media accounts reportedly circulated images purported to have been altered by AI, reportedly distorting evidence of the incident by portraying Pretti as threatening law enforcement and altering the presence of weapons. The images reportedly misidentified individuals and helped reinforce partisan narratives by purportedly obscuring verified video and eyewitness accounts.