Security / AI CVEs / Research

Horizon3 — CVE-2026-42271 Chained with BadHost for Unauthenticated LiteLLM RCE — 2026-06-08
CVE-2026-45497 — Microsoft 365 Copilot Critical Command Injection RCE — 2026-06-05
CVE-2026-27735 — MCP Reference Servers git_add Path Traversal — 2026-06-04
DesktopCommanderMCP SSRF (CVE-2026-10690) — MCP File Tool Exposes IMDS — 2026-06-04
IBM Langflow CVE-2026-7524 — Unauthenticated RCE via Symlink Archive Abuse — 2026-06-03
NousResearch hermes-agent CVE-2026-10548 — Improper Auth in Credential Pool Sync — 2026-06-03
Microsoft — CVE-2026-35435 Azure AI Foundry Agent Privilege Escalation — 2026-06-02
Google MCP Toolbox CVE-2026-9739 — DNS Rebinding to Enterprise Databases — 2026-06-01
NousResearch Hermes-Agent CVE-2026-10221 — Context Compression Injection — 2026-06-01
STAR Labs — Four Full-Chain LiteLLM Exploits Across Versions — 2026-06-01
Palo Alto Networks — CVE-2026-0257 GlobalProtect Auth Bypass, CISA KEV — 2026-05-31
PraisonAI CVE-2026-47408 — Unauthenticated A2A eval() RCE — 2026-05-31
PraisonAI CVE-2026-47409/47414 — Workspace Takeover and Cross-Workspace IDOR — 2026-05-31
vLLM CVE-2026-22778/34756 — Heap Leak and DoS in Multimodal Serving — 2026-05-31
Langroid CVE-2026-25879 — Prompt-to-SQL Injection Leads to RCE — 2026-05-29
vLLM CVE-2026-4944 — Hardcoded trust_remote_code Bypass Enables RCE — 2026-05-29
Ars Technica — BadHost CVE-2026-48710: Starlette Host-Header Auth Bypass Hits AI Tooling — 2026-05-27
arXiv: Viper-MCP Finds 106 0-Day Vulnerabilities in MCP Servers — 2026-05-26
Network-AI CVE-2026-46701 — Unauthenticated Cross-Origin MCP Tool Invocation — 2026-05-26
Microsoft Semantic Kernel CVE-2026-26030/25592 — Prompt Injection to RCE — 2026-05-25
LMDeploy CVE-2026-46517 — hardcoded trust_remote_code bypasses HF default-secure — 2026-05-24
CISA Adds Langflow Origin Validation Flaw to KEV — Active Exploitation Confirmed — 2026-05-23
Splunk AI Toolkit — CVE-2026-20238 Improper Access Control — 2026-05-23
Trump Scraps AI Executive Order on Frontier Model Oversight — 2026-05-23
Nebula Security — Vega AI Discovers nginx-poolslip Zero-Day RCE in Patched nginx 1.31.0 — 2026-05-22
SGLang Three Unauthenticated RCEs (CVE-2026-7301/7302/7304) — 2026-05-22
Anthropic Silently Patches Claude Code Sandbox Bypass — 2026-05-21
ChromaDB CVE-2026-45829 — Unpatched RCE in Vector Database — 2026-05-21
NVIDIA Triton — CVE-2026-24207 Critical Auth Bypass in Inference Server — 2026-05-21
n8n — Five Critical CVEs Including Prototype Pollution RCE in AI Workflow Platform — 2026-05-19
Cyera — Four Chainable OpenClaw CVEs Expose 180K+ AI Agent Servers — 2026-05-16
mlflow — CVE-2026-2652 Authentication Bypass Exposes ML Experiment Jobs — 2026-05-16
Azure AI Foundry CVE-2026-35435 — Privilege Escalation in M365 Published Agents — 2026-05-15
NGINX Rift — LLM-Powered Researcher Finds 18-Year-Old RCE (CVSS 9.2) in 1/3 of All Websites — 2026-05-15
Open WebUI — Path Traversal Arbitrary File Write/Delete (CVE-2026-44565, CVE-2026-44566) — 2026-05-14
vm2 — Dozen Critical Sandbox Escape CVEs in Node.js Code Execution Library — 2026-05-14
Cline Kanban — Cross-Origin WebSocket Hijack → RCE (CVE-2026-44211) — 2026-05-13
DeepChat — CVE-2026-43899 RCE via Electron Pop-up Bypass & CVE-2026-43900 XSS — 2026-05-13
PraisonAI — CVE-2026-44338 Auth Bypass Exploited in Under 4 Hours — 2026-05-13
CISA KEV — LiteLLM CVE-2026-42208 SQL Injection Under Active Exploitation — 2026-05-12
OpenClaw — CVE-2026-44995 MCP Stdio Server Environment Variable RCE — 2026-05-12
banks CVE-2026-44209 — Jinja2 SSTI in Prompt Template Library Leads to RCE — 2026-05-10
CVE-2026-44843 — LangChain Unsafe Deserialization via Overly Broad load() Allowlists — 2026-05-10
FastGPT CVE-2026-42302 — Agent Sandbox RCE via Disabled Authentication — 2026-05-10
CVE-2026-34070 — LangChain Path Traversal in Legacy Prompt Template Loading — 2026-05-10
FastGPT — SSRF Cluster in AI Agent Platform — 2026-05-09
vm2 — CVE-2026-26956 Sandbox Escape with Published PoC — 2026-05-07
NVIDIA NemoClaw — Sandbox Environment-Variable Exfiltration and SSRF via Blueprint Config (CVE-2026-24222 / CVE-2026-24231) — 2026-05-04
Hugging Face LeRobot — CVE-2026-25874 Unauthenticated RCE via Pickle Deserialization — 2026-05-03
LiteLLM — CVE-2026-42208 SQL Injection Exploited Within 36 Hours — 2026-05-03
Sunwood-ai-labs MCP Server — CVE-2026-7593 OS Command Injection — 2026-05-03
Anthropic SDK — CVE-2026-41686 Insecure File Permissions — 2026-05-01
IBM Langflow Desktop — CVE-2026-6543 Command Injection (CVSS 8.8) — 2026-05-01
Novee — Cursor IDE CVE-2026-26268: Git Hooks Enable RCE via AI Coding Agent — 2026-04-30
Wiz — GitHub CVE-2026-3854 RCE via Single Git Push — 2026-04-29
LiteLLM Pre-Auth SQL Injection Exploited Within 36 Hours — 2026-04-28
OpenClaw — Six CVEs Cover Agentic Consent Bypass, RCE, SSRF, and Authorization Gaps — 2026-04-24
Anthropic MCP Design Flaw Enables RCE Across the AI Ecosystem — 2026-04-22
Apache ActiveMQ CVE-2026-34197 — Claude Discovers 13-Year-Old RCE in 10 Minutes — 2026-04-22
MCPwn: Actively Exploited nginx-ui Auth Bypass (CVE-2026-33032) — 2026-04-22
CERT — CVE-2026-5752 Terrarium Sandbox Escape via Pyodide Prototype Chain Traversal — 2026-04-22
LMDeploy CVE-2026-33626 — SSRF in LLM Serving Toolkit Vision Module — 2026-04-21
SGLang CVE-2026-5760 — RCE via Malicious GGUF Model Files — 2026-04-20
vLLM Patches protobuf.js Remote Code Execution — 2026-04-19
FastGPT NoSQL Injection Auth Bypass (CVE-2026-40351/40352) — 2026-04-18
mcp-neo4j-cypher Read-Only Mode Bypass via Stored Procedures (CVE-2026-35402) — 2026-04-18
OpenClaw — CVE-2026-33579 Privilege Escalation via Missing Scope Validation in Device Pairing — 2026-04-16
GitHub Advisories — MCP Security Vulnerabilities Cluster (CVE-2026-40159, CVE-2026-39885) — 2026-04-12 12:30
LiteLLM — Critical bytecode rewriting RCE (CVE-2026-40217) — 2026-04-11
lollms — Critical stored XSS in social features (CVE-2026-1115) — 2026-04-11
badlogic — pi-mono code injection CVE-2026-5556 exposes AI coding agents — 2026-04-01
griptape — Path traversal CVE-2026-5595 affects AI agent file operations — 2026-04-01
OpenClaw — Critical privilege escalation vulnerability CVE-2026-33579 — 2026-04-01
TheHackerWire — MLflow RCE via model artifact command injection (CVE-2025-15379) — 2026-03-31
BSI Advisory — vLLM Hardcoded trust_remote_code Bypasses User Security (CVE-2026-27893) — 2026-03-30
Azure Data Explorer MCP Server — KQL injection allows arbitrary query execution (CVE-2026-33980) — 2026-03-29
GitHub Advisory — Langflow public flow build RCE (CVE-2026-33017) — 2026-03-21
GitHub Advisory — MCP Go SDK Cross-Site Tool Execution (CVE-2026-33252) — 2026-03-21
Spring AI — FilterExpressionConverter Injection Flaws (CVE-2026-22729, CVE-2026-22730) — 2026-03-20
AWS — API MCP File Access Restriction Bypass (CVE-2026-4270) — 2026-03-19
Miggo Security — LangSmith Account Takeover (CVE-2026-25750) — 2026-03-18
ONNX — Zero-interaction model supply-chain attack (CVE-2026-28500) — 2026-03-18
Orca Security — Pickle RCE in SGLang LLM Framework (CVE-2026-3059/3060) — 2026-03-18
Microsoft — Azure MCP Server SSRF enables managed identity token theft (CVE-2026-26118) — 2026-03-14
Microsoft — Excel XSS weaponizes Copilot Agent for zero-click data exfil (CVE-2026-26144) — 2026-03-14
GitHub Advisory — LangChainJS serialization injection (CVE-2025-68665) — 2026-03-11
OffSec — MLflow LFI via URI fragment (CVE-2024-2928) — 2026-03-11
vLLM — Speculative decoding cache poisoning (CVE-2026-3108) — 2026-03-11
vLLM — SSRF protection bypass via parser differential (CVE-2026-25960) — 2026-03-09
GitHub Advisory — Copilot CLI shell expansion RCE (CVE-2026-29783) — 2026-03-07
GitLab Advisory — mcp-memory-service info disclosure (CVE-2026-29787) — 2026-03-07
GitHub Advisory — Agentgateway MCP→OpenAPI parameter injection (CVE-2026-29791) — 2026-03-06
Arctic Wolf — mcp-atlassian unauth RCE/SSRF (CVE-2026-27825/27826) — 2026-03-05
GitLab Advisory — mcp-nmap-server command injection (CVE-2026-3484) — 2026-03-05
CERT/CC — MS-Agent shell tool command injection (CVE-2026-2256) — 2026-03-05
GitHub Advisory — Langflow CSV Agent RCE (CVE-2026-27966) — 2026-03-04
NVD — MCP TypeScript SDK cross-client data leak (CVE-2026-25536) — 2026-03-03
GitLab Advisory — MCPJam Inspector RCE (CVE-2026-23744) — 2026-03-03
ServiceNow — AI Platform RCE (CVE-2026-0542) — 2026-03-02
GitHub Advisory — vLLM trust_remote_code bypass RCE — 2026-03-02
GitLab Advisory — MCP Go SDK case-folding bug (CVE-2026-27896) — 2026-03-01
GitLab Advisory — mcp-server-git path traversal (CVE-2026-27735) — 2026-03-01
Endor Labs — Six OpenClaw vulnerabilities via AI SAST — 2026-02-28
GitHub Advisory — Cursor Agent MCP special-files prompt injection (CVE-2025-54135) — 2026-02-24
GitHub Advisory — fermat-mcp eqn_chart code injection (CVE-2026-2008) — 2026-02-24
GitHub Advisory — GitHub Kanban MCP Server command injection (CVE-2025-53818) — 2026-02-24
GitHub Advisory — sf-mcp-server command injection RCE (CVE-2026-26029) — 2026-02-24
GitLab Advisory — ebay-mcp env var injection (CVE-2026-27203) — 2026-02-21
ZDI Advisory — gemini-mcp-tool command injection (CVE-2026-0755) — 2026-02-18
GitHub Advisory — vLLM trust_remote_code bypass RCE — 2026-02-17
GitHub Advisory — vLLM Completions API RCE (CVE-2025-62164) — 2026-02-16
NVD — Cloudflare Agents SDK OAuth callback XSS (CVE-2026-1721) — 2026-02-15
GitHub Advisory — godot-mcp command injection RCE (CVE-2026-25546) — 2026-02-08
n8n — CVE-2026-25049: New Sandbox Escape Bypass Enables Full Server Takeover — 2026-02-06
Zafran — ChainLeak: Chainlit AI Framework Bugs Enable Cloud Takeover — 2026-02-05
GitHub Advisory — vLLM RCE in Video Processing (CVE-2026-22778) — 2026-02-04
ZDI — Unpatched RCE in Gemini MCP Tool via command injection (CVE-2026-0755) — 2026-02-03
OX Security — Critical vLLM RCE via malicious video URL (CVE-2026-22778) — 2026-02-03
AISLE — AI Discovers 12 OpenSSL Zero-Days Including a 27-Year-Old Bug — 2026-02-01
INCIBE-CERT — github-kanban-mcp-server command injection (CVE-2026-0756) — 2026-01-31
Microsoft Security Blog — LangChain Core serialization injection (CVE-2025-68664) — 2026-01-31
Obsidian Security — Langflow account takeover + RCE chain (CVE-2025-34291) — 2026-01-31
GitHub Advisory — vLLM DoS via 1×1 image (CVE-2026-22773) — 2026-01-31
GitHub Advisory — vLLM multimodal SSRF (CVE-2026-24779) — 2026-01-31
Cyata — Prompt-injection reachable CVEs in Anthropic’s official Git MCP server — 2026-01-30
Fortinet — FortiCloud SSO auth bypass exploited in the wild (CVE-2026-24858) — 2026-01-30
Kyverno (CVE-2026-22039) — Namespaced Policy apiCall can cross namespace boundaries — 2026-01-30
NVD — MCP TypeScript SDK UriTemplate ReDoS (CVE-2026-0621) — 2026-01-30
Microsoft — CVE-2026-21509 (Office) emergency out-of-band fix — 2026-01-30
GitHub Advisory — Orval MCP generation code injection risk (CVE-2026-22785) — 2026-01-30
GitHub Advisory — vLLM model-load RCE risk via auto_map (CVE-2026-22807) — 2026-01-30
GitHub/NVD: vm2 sandbox escape (CVE-2026-22709) enables host code execution — 2026-01-30
AI-related CVEs: a practical tracker and triage workflow — 2026-01-29