Domain-Conditioned Safety in Frontier Computer-Using Agents: A 793-Episode Browser Benchmark, a Coding-Domain Cross-Reference, and a Reproducibility Audit of Recent Red-Teaming

Recent computer-using-agent CUA red-teaming papers report prompt-injection attack success rates ASR of 42-98%, but these headline numbers cluster on retired models and on the most-vulnerable model in each paper's panel. We ask whether those techniques, reproduced as hand-crafted templates, still...

CVE-2026-45351

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user non-admin logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of...

CVE-2026-45351 Open WebUI: Exposure of System Prompt to Regular User [Non-Admin]

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user non-admin logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of...

CVE-2026-45351 Open WebUI: Exposure of System Prompt to Regular User [Non-Admin]

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.9, when a regular user non-admin logs into the application, a http://IP:8080/api/models? web request is initiated by the application and in response, it reveals the system prompt of...

CVE-2026-45351

Open WebUI vulnerability CVE-2026-45351: A non-admin user could trigger a request to /api/models? and receive the system prompt of available models, revealing admin-set backend prompts and compromising confidentiality. This affects Open WebUI self-hosted offline AI platform versions prior to 0.8....

Open WebUI 信息泄露漏洞

Open WebUI is an extensible, feature-rich, and user-friendly self-hosted WebUI under open source. Versions of Open WebUI prior to 0.8.9 contained a vulnerability related to information leakage. This vulnerability occurred when non-administrator users logged in, causing the application to send...

SecureForge: Finding and Preventing Vulnerabilities in LLM-Generated Code Via Prompt Optimization

LLM coding agents now generate code at an unprecedented scale, yet LLM-generated code introduces cybersecurity vulnerabilities into codebases without human involvement. Even when frontier models are explicitly asked to write secure production code with relevant weaknesses to avoid in context, we...

SUSE CVE-2026-7482

Ollama before 0.17.1 contains a heap out-of-bounds read vulnerability in the GGUF model loader. The /api/create endpoint accepts an attacker-supplied GGUF file in which the declared tensor offset and size exceed the file's actual length; during quantization in fs/ggml/gguf.go and...

Honeypot Protocol

Trusted monitoring, the standard defense in AI control, is vulnerable to adaptive attacks, collusion, and strategic attack selection. All of these exploit the fact that monitoring is passive: it observes model behavior but never probes whether the model would behave differently under different...

PT-2026-24209

Name of the Vulnerable Software and Affected Versions openclaw-core versions 0.3.x Description A critical deserialization issue exists in openclaw-core that allows arbitrary instruction injection through specially crafted system prompts. This affects all deployed instances. The issue requires...

OpenClaw Command Injection Vulnerability

OpenClaw is openclaw open source an intelligent artificial assistant. OpenClaw suffers from a command injection vulnerability that stems from improper cleanup of workspace paths when embedded in system prompts, which can be exploited by an attacker to cause command injection...

OpenClaw Code Injection Vulnerability

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a code injection vulnerability. The vulnerability stems from the fact that channel metadata may be included in the model's system prompts when the Slack integration is enabled, increasing the attack...

CVE-2026-24764

OpenClaw formerly Clawdbot is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata topic/description can be incorporated into the model's system prompt. Prompt injection is a documented risk for LLM-driven...

OpenClaw 命令注入漏洞

OpenClaw is openclaw open source an intelligent artificial assistant. OpenClaw suffers from a command injection vulnerability that stems from improper cleanup of workspace paths when embedded in system prompts, which can be exploited by an attacker to cause command injection...

OpenClaw 代码注入漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a code injection vulnerability. The vulnerability stems from the fact that channel metadata may be included in the model's system prompts when the Slack integration is enabled, increasing the attack...

Arbitrary Code Injection

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Arbitrary Code Injection via the incorporation of untrusted Slack channel metadata into the system prompt. An attacker can execute unauthorized commands or access sensitive information by...

EUVD-2025-204305

An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed...

CVE-2025-63390

An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed...

CVE-2025-63390

An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement proper authentication checks, allowing unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. Exposed...

PT-2025-52256

Name of the Vulnerable Software and Affected Versions AnythingLLM version 1.8.5 Description An authentication bypass allows unauthenticated remote attackers to enumerate and retrieve detailed information about all configured workspaces. The issue is due to missing authentication checks in the...