7,000 Langflow servers are under attack. LangGraph and LangChain have the same holes

Attackers are actively exploiting path traversal and SQL injection in Langflow, LangGraph, and LangChain — below where your ...
techtimes

AI Agent Security Hits Its Reckoning: Prompt Injection May Be a Permanent Flaw, Not a Patchable Bug

Prompt injection is the technique of smuggling instructions to an AI agent through content the agent reads — a document, a calendar invite, a web page, a code comment — so that hostile text carries ...
Tech Times

GitHub Copilot CLI Adds Pre-Commit Security Scanner: LLM Inference at the Detection Layer

GitHub Copilot security scanning arrives in the terminal with /security-review, an experimental pre-commit slash command that uses LLM inference to flag injection flaws, XSS, path traversal, and weak ...
decrypt

What Is an AI Prompt Injection Attack? The Hidden Threat Hijacking Your Chatbots

Add Decrypt as your preferred source to see more of our stories on Google. Prompt injection is the number one security risk for AI applications. The attack works by tricking a chatbot into following ...
Bleeping Computer

Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign

A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. The campaign was ...
cybernews

Researchers hijack popular AI agents from Anthropic, Google, and Microsoft: vendors choose to stay silent

Security researchers have hijacked three popular AI agents that integrate with GitHub Actions using a new type of prompt-injection attack to steal API keys and access tokens. The problem is most ...
Bleeping Computer

Google says hackers are abusing Gemini AI for all attacks stages

State-backed hackers are using Google's Gemini AI model to support all stages of an attack, from reconnaissance to post-compromise actions. Bad actors from China (APT31, Temp.HEX), Iran (APT42), North ...
LinkedIn

Case Study: From SQL Injection to Remote Code Execution (RCE) – A Blackbox Penetration Test Analysis

In the domain of offensive security, a Blackbox Penetration Test is the ultimate simulation of a real-world threat actor. Without prior knowledge of the internal architecture or source code, the ...
theregister

Contagious Claude Code bug Anthropic ignored promptly spreads to Cowork

Anthropic's tendency to wave off prompt-injection risks is rearing its head in the company's new Cowork productivity AI, which suffers from a Files API exfiltration attack chain first disclosed last ...
GitHub

Dynamic application security testing (DAST)

Dynamic application security testing (DAST) is a method of testing the security of an application while it’s running. DAST tools test web applications during their operating states to find security ...
GitHub

What is static application security testing (SAST)?

Static application security testing (SAST) is a method for analyzing source code, bytecode, or binaries to identify security vulnerabilities before software runs. Unlike dynamic testing, which ...
Android

[UPDATE: Fix Coming] OnePlus OxygenOS Hit by Major Vulnerability Allowing SMS Data Theft

UPDATE (September 26, 2025): OnePlus has issued a statement to 9to5Google. The company confirms it is aware of the issue and will roll out a fix mid-October. “We acknowledge the recent disclosure of ...