A critical flaw in Hugging Face Transformers lets attackers execute arbitrary code on anyone who loads a poisoned model, silently bypassing the trust_remote_code=False safety flag. 232 million vulnerable downloads preceded the March patch.
A critical flaw in Hugging Face Transformers lets attackers execute arbitrary code on anyone who loads a poisoned model, silently bypassing the trust_remote_code=False safety flag. 232 million vulnerable downloads preceded the March patch.
A path traversal vulnerability in Langflow's file API allows unauthenticated attackers to overwrite arbitrary files and chain to RCE. Active exploitation confirmed in June 2026. Fix is in version 1.9.0.
A new critical authentication bypass in LiteLLM lets attackers manipulate the HTTP Host header to access protected management endpoints without credentials. Fixed in version 1.84.0, disclosed June 17.
Varonis Threat Labs chained three bugs in Microsoft 365 Copilot Enterprise Search to build a one-click exfiltration path that pulls emails, files, and live MFA codes without any OAuth prompt or user consent beyond clicking a Microsoft-domain URL.
Fifteen malicious IDE plugins on the JetBrains Marketplace, posing as AI coding assistants powered by DeepSeek and OpenAI, have been silently exfiltrating AI API keys since October 2025. Researchers say the plugins are still live and the install count has passed 70,000.