
11235 matches found

Packet Storm News
added 2025/05/12 12:0 a.m. · 6 views

Private LoRA Fine-Tuning of Open-Source LLMs with Homomorphic Encryption

Preserving data confidentiality during the fine-tuning of open-source Large Language Models (LLMs) is crucial for sensitive applications. This work introduces an interactive protocol adapting the Low-Rank Adaptation (LoRA) technique for private fine-tuning. Homomorphic Encryption (HE) protects the...

6.9 AI score
Exploits: 0
CNNVD
added 2025/05/12 12:0 a.m. · 3 views

EspoCRM Injection Vulnerability

EspoCRM is an open source web-based customer relationship management (CRM) system from EspoCRM Open Source. The system provides features such as sales automation, community and customer support. An injection vulnerability exists in EspoCRM versions prior to 9.0.8 that stems from excessive HTML...

8.5 CVSS · 6.8 AI score · 0.00314 EPSS
Exploits: 1 · References: 2
Packet Storm News
added 2025/05/12 12:0 a.m. · 3 views

Evaluating Explanation Quality in X-IDS Using Feature Alignment Metrics

Explainable artificial intelligence (XAI) methods have become increasingly important in the context of explainable intrusion detection systems (X-IDSs) for improving the interpretability and trustworthiness of X-IDSs. However, existing evaluation approaches for XAI focus on model-specific properties...

6.9 AI score
Exploits: 0
Positive Technologies
added 2025/05/12 12:0 a.m. · 4 views

PT-2025-20690 · Espocrm · Espocrm

Name of the Vulnerable Software and Affected Versions: EspoCRM versions prior to 9.0.8. Description: The issue allows for HTML Injection in Knowledge Base (KB) articles, leading to complete page defacement that can imitate the login page. Authenticated users with the read knowledge article privilege...

8.5 CVSS · 6.3 AI score · 0.00314 EPSS
Exploits: 1 · References: 9
OSV
added 2025/05/11 8:15 p.m. · 3 views

CVE-2025-4546

A vulnerability was found in 1Panel-dev MaxKB up to 1.10.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Knowledge Base Module. The manipulation leads to csv injection. The attack can be launched remotely. The exploit has been...

8.8 CVSS · 5 AI score
Exploits: 0 · References: 4
Cvelist
added 2025/05/11 8:0 p.m. · 28 views

CVE-2025-4546 1Panel-dev MaxKB Knowledge Base Module csv injection

A vulnerability was found in 1Panel-dev MaxKB up to 1.10.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Knowledge Base Module. The manipulation leads to csv injection. The attack can be launched remotely. The exploit has been...

5.8 CVSS · 0.00532 EPSS
Exploits: 1 · References: 4
Vulnrichment
added 2025/05/11 8:0 p.m. · 5 views

CVE-2025-4546 1Panel-dev MaxKB Knowledge Base Module csv injection

A vulnerability was found in 1Panel-dev MaxKB up to 1.10.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Knowledge Base Module. The manipulation leads to csv injection. The attack can be launched remotely. The exploit has been...

5.8 CVSS · 5.2 AI score · 0.00532 EPSS
Exploits: 1 · References: 4
CVE
added 2025/05/11 8:0 p.m. · 75 views

CVE-2025-4546

CVE-2025-4546 affects 1Panel-dev MaxKB, specifically the Knowledge Base Module up to version 1.10.7. The issue enables csv injection via an unknown functionality in the Knowledge Base Module, with remote exploitation possible. Upgrading to version 1.10.8 addresses the vulnerability. If applying r...

8.8 CVSS · 7.5 AI score · 0.00532 EPSS
Exploits: 1 · References: 4 · Affected Software: 1
CNNVD
added 2025/05/11 12:0 a.m. · 4 views

MaxKB Security Vulnerability

MaxKB is a 1Panel-dev open source knowledge base question and answer system based on a large language model and RAG. A security vulnerability exists in MaxKB 1.10.7 and earlier versions, which stems from a CSV injection in the component Knowledge Base Module...

8.8 CVSS · 5 AI score · 0.00532 EPSS
Exploits: 1 · References: 5
Positive Technologies
added 2025/05/11 12:0 a.m. · 2 views

PT-2025-20668 · Unknown · 1Panel-Dev Maxkb

Name of the Vulnerable Software and Affected Versions: 1Panel-dev MaxKB versions up to 1.10.7. Description: A critical issue was found in the Knowledge Base Module component, leading to csv injection. This issue can be exploited remotely. The estimated number of potentially affected devices...

8.8 CVSS · 4.8 AI score · 0.00532 EPSS
Exploits: 1 · References: 11
GoogleProjectZero
added 2025/05/09 12:0 a.m. · 19 views

Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages

Guest post by Dillon Franke, Senior Security Engineer, 20% time on Project Zero. Every second, highly-privileged MacOS system daemons accept and process hundreds of IPC messages. In some cases, these message handlers accept data from sandboxed or unprivileged processes. In this blog post, I’ll...

7.8 CVSS · 7.5 AI score · 0.00333 EPSS
Exploits: 2
IBM Security Bulletins
added 2025/05/08 11:59 p.m. · 19 views

Security Bulletin: Multiple security vulnerabilities affecting IBM Knowledge Catalog for IBM Cloud Pak for Data

Summary: Multiple security vulnerabilities impacting IBM Knowledge Catalog for IBM Cloud Pak for Data. These vulnerabilities have been addressed. Vulnerability Details: CVEID: CVE-2024-11393. DESCRIPTION: Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Executi...

8.8 CVSS · 7.8 AI score · 0.06898 EPSS
Exploits: 6 · Affected Software: 1
IBM Security Bulletins
added 2025/05/08 11:52 p.m. · 53 views

Security Bulletin: Multiple security vulnerabilities affecting IBM Knowledge Catalog for IBM Cloud Pak for Data

Summary: Multiple security vulnerabilities impacting IBM Knowledge Catalog for IBM Cloud Pak for Data. These vulnerabilities have been addressed. Vulnerability Details: CVEID: CVE-2023-45133. DESCRIPTION: Babel could allow a local attacker to execute arbitrary code on the system, caused by a flaw in...

9.3 CVSS · 9.6 AI score · 0.02475 EPSS
Exploits: 2 · Affected Software: 1
OSV
added 2025/05/08 7:15 a.m. · 1 views

DEBIAN-CVE-2025-37828

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort(). A race can occur between the MCQ completion path and the abort handler: once a request completes, blk_mq_free_request sets rq->mq_hctx to NULL, meaning the subsequent ufshcd_mcq_req_to_hwq...

5.5 CVSS · 5.6 AI score · 0.00149 EPSS
Exploits: 0 · References: 1
Packet Storm News
added 2025/05/08 12:0 a.m. · 2 views

FedTDP: a Privacy-Preserving and Unified Framework for Trajectory Data Preparation Via Federated Learning

Trajectory data, which capture the movement patterns of people and vehicles over time and space, are crucial for applications like traffic optimization and urban planning. However, issues such as noise and incompleteness often compromise data quality, leading to inaccurate trajectory analyses and...

7 AI score
Exploits: 0
Packet Storm News
added 2025/05/03 12:0 a.m. · 2 views

A Survey on Privacy Risks and Protection in Large Language Models

Although Large Language Models (LLMs) have become increasingly integral to diverse applications, their capabilities raise significant privacy concerns. This survey offers a comprehensive overview of privacy risks associated with LLMs and examines current solutions to mitigate these challenges. Firs...

7 AI score
Exploits: 0
Packet Storm News
added 2025/04/30 12:0 a.m. · 4 views

How to Backdoor the Knowledge Distillation

Knowledge distillation has become a cornerstone in modern machine learning systems, celebrated for its ability to transfer knowledge from a large, complex teacher model to a more efficient student model. Traditionally, this process is regarded as secure, assuming the teacher model is clean. This...

7.3 AI score
Exploits: 0
Packet Storm News
added 2025/04/30 12:0 a.m. · 4 views

VDDP: Verifiable Distributed Differential Privacy under the Client-Server-Verifier Setup

Despite differential privacy (DP) often being considered the de facto standard for data privacy, its realization is vulnerable to unfaithful execution of its mechanisms by servers, especially in distributed settings. Specifically, servers may sample noise from incorrect distributions or generate...

7 AI score
Exploits: 0
Packet Storm News
added 2025/04/30 12:0 a.m. · 3 views

Traceback of Poisoning Attacks to Retrieval-Augmented Generation

Large language models (LLMs) integrated with retrieval-augmented generation (RAG) systems improve accuracy by leveraging external knowledge sources. However, recent research has revealed RAG's susceptibility to poisoning attacks, where the attacker injects poisoned texts into the knowledge database,...

6.9 AI score
Exploits: 0
Packet Storm News
added 2025/04/30 12:0 a.m. · 2 views

Towards Fuzzing Zero-Knowledge Proof Circuits (Short Paper)

Whitepaper called Towards Fuzzing Zero-Knowledge Proof Circuits (Short Paper)...

7.2 AI score
Exploits: 0