groundy

security

  1. jun 02securityAfrican Languages Are a Jailbreak Blind Spot for English-Tuned LLM Safety
  2. jun 02securityPoisoning Open-Source LLM Merges: One Bad Checkpoint Hijacks the Result
  3. jun 02securityAn Autonomous Research Agent Now Discovers SOTA LLM Jailbreak Attacks
  4. jun 02securityMalware Can Prompt-Inject the AI Agent Reverse-Engineering It
  5. jun 02securityCVE-Factory Turns Published CVEs Into Security Agent Training Data. A 32B Model Beats Claude 4.5 Sonnet.
  6. jun 01securityLLM Reasoning Traces Leak the Private Data They're Told to Hide
  7. jun 01securityVideo Jailbreaks Hit Multimodal LLMs by Splitting Payloads Across Clips
  8. may 31securityVercel AI SDK CVE-2025-48985: Input Validation Bypass Hits LLM App Builders
  9. may 31securityHijacking AI Agent Memory: One Conversation Can Plant a Persistent Trojan
  10. may 31securityWhy Attack Success Rate Misleads LLM Jailbreak Benchmarks
  11. may 30securityJob Seekers Are Prompt-Injecting AI Resume Screeners. New Study Measures the Hit Rate
  12. may 30securityWhy Audio Jailbreaks Slip Past the Safety Training Built for Text LLMs
  13. may 30securityLoRA Adapter Backdoors Generalize Beyond Their Trigger Tokens
  14. may 28securityThree Labs Concede Browser Agents Cannot Stop Prompt Injection
  15. may 28securityVercel Firewall Now Blocks SAMLStorm. Can an Edge WAF Fix a SAML Signature Flaw?
  16. may 26securityVercel Could Block React2Shell at the Edge. Its Next 13 CVEs Had No Shortcut.
  17. may 26securityOpenAI Adds a GPT-5 System Card Addendum on Sensitive Conversations
  18. may 26securityMCP Tool Description Poisoning: New Benchmark Shows Agents Trust Manuals That Lie
  19. may 26securityOpenAI's New Safety Bug Bounty Pays Researchers for Jailbreaks and Policy Bypasses
  20. may 26securityAxios npm Compromise Forces Vercel Into Platform-Level Remediation
  21. may 26securityNext.js Dev Server CVE-2025-48068: Any Web Page Could Read Your Source Files
  22. may 25securityApple Names Claude in CVE Credit Line, Setting Vendor Attribution Precedent
  23. may 24securityCISA's Internal Data Leak Tests the Disclosure Standards It Sets for Others
  24. may 24securityTanStack npm Attack: When OIDC Trusted Publishing Becomes the Attack Vector
  25. may 24securityNx s1ngularity Attackers Used Local Claude Code and Gemini CLI to Steal Developer Tokens
  26. may 23securityOpenAI Ships Lockdown Mode and Elevated Risk Labels for ChatGPT Sessions
  27. may 22securityAI Jailbreaks Are Now a Reasoning Problem, Not a Prompt Problem
  28. may 22securityJailbreak Defense Now Lives in Model Weights, Not in Prompt Filters
  29. may 22securityVercel Blocks Deploys With Vulnerable next-mdx-remote by Default: Platform Mitigation Outpaces the CVE Cycle
  30. may 22securityVercel's Next.js Middleware Bypass Postmortem: What the Fix Reveals About Edge Runtime Auth
  31. may 22securityOpenAI's New Agent Defense Post Concedes Prompt Injection Is Architectural, Not Patchable
  32. may 22securityWhen Stronger Backdoor Triggers Backfire: An arXiv Theory Paper Inverts a Core Defense Assumption
  33. may 17securityDPrivBench: LLMs Score 99.5% on Textbook DP but Collapse on Advanced Reasoning
  34. may 17securityCatching Graph Neural Net Backdoors by Influence, Not Pattern
  35. may 17securityTrustFall: One Keypress in Claude Code, Gemini CLI, Cursor, and Copilot CLI Triggers Unsandboxed RCE
  36. may 17securityMini Shai-Hulud Ships the First Malicious npm With Valid SLSA Provenance
  37. may 17securityMultiBreak Benchmark: 10,389 Multi-Turn Jailbreak Prompts Raise ASR 54pp on DeepSeek-R1-7B
  38. may 17securityNext.js CVE-2026-44578: WebSocket Upgrade SSRF Hits 79,000 Self-Hosted Instances From 13.4.13 Onward
  39. may 17securityPraisonAI CVE-2026-44338: Legacy Flask API Ships With AUTH_ENABLED=False, First Scan in 3h44m
  40. may 16securityMicrosoft Semantic Kernel Patches Two RCE Paths: eval() in Vector Filter, DownloadFileAsync Escape to Host
  41. apr 28securityWindsurf CVE-2026-30615 Is the Only Zero-Click in the April MCP RCE Wave: HTML Rewrites the Config
  42. apr 28securityPaperclip CVE-2026-41208: Agents Can Mutate Their Own provisionCommand Into Server-Side Shell Injection
  43. apr 28securitySpring AI 1.0.6 Patches Five CVEs Including CVSS 8.8 SQL Injection in CosmosDBVectorStore.doDelete
  44. apr 28securityLMDeploy CVE-2026-33626: Vision-LLM SSRF Exploited Within 12 Hours of GHSA Publication
  45. apr 28securityInstructLab CVE-2026-6859: Hardcoded trust_remote_code=True Turns Any HuggingFace Model Into RCE
  46. apr 28securityPickleScan 1.0.4 Patches a CVSS 10.0 pkgutil.resolve_name Bypass and Six Missing Stdlib RCE Modules
  47. apr 28securityMercor's 4TB Lapsus$ Breach Hands Voice-Clone Attackers 40,000 Pre-Verified Targets
  48. apr 27securityVercel's April 2026 Database Leak Pivoted From Lumma Stealer at Context AI via a Chrome Extension
  49. apr 27securityBitwarden CLI Compromise Extends the Checkmarx Supply-Chain Campaign to Credential Tooling
  50. apr 23securityFlowise's CVE-2026-41264: LLM-Written `import` Becomes Unauthenticated RCE