letsdatascience.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-13.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-05-13 | OpenAI Launches GPT-5.5 Bio Bug Bounty Program | Bug Bounty | OpenAI's bounty program targets universal jailbreaks of GPT-5.5 that would produce harmful biological outputs, offering $25,000 for the first successful prompt. The restricted program, running April 23 to June 22, 2026, is invite- or application-only with vetting and NDA requirements; testing focuses on Codex Desktop between April 28 and July 27, 2026. |
| 2026-05-12 | Mini Shai-Hulud malware compromises open-source packages | Supply Chain | Mini Shai-Hulud is malware that targets open-source packages and is designed to steal sensitive information, including credentials and API keys, from infected systems. It spreads by compromising legitimate open-source projects, which makes it hard to detect. Users are advised to take care when updating or installing open-source software and to stay alert to signs of compromise. |
| 2026-05-11 | Ollama Vulnerability Exposes Remote Process Memory | API Sec | Writeup of CVE-2026-7482, "Bleeding Llama," a critical heap out-of-bounds read in Ollama's GGUF model loader. The bug leaks process memory, including API keys and user conversation data, through the `/api/create` and `/api/push` endpoints, and is most dangerous when Ollama is configured to bind to `0.0.0.0`. Versions prior to 0.17.1 are affected; remediation is an immediate upgrade plus an audit of network-exposed instances. |
| 2026-05-10 | Ollama contains critical GGUF out-of-bounds read | API Sec | Writeup on CVE-2026-7482 detailing a critical heap out-of-bounds read in Ollama's GGUF model loader, affecting versions before 0.17.1. A crafted GGUF file submitted to the unauthenticated `/api/create` endpoint makes the loader read past allocated heap buffers, potentially leaking environment variables, API keys, and user data; the leaked bytes can then be exfiltrated via `/api/push`. Roughly 300,000 Ollama deployments are estimated to be publicly reachable, which greatly widens the attack surface. |
| 2026-05-08 | Mozilla Uses Mythos to Find Hundreds of Flaws | Fuzzing | Mozilla, using Anthropic's Claude Mythos Preview with custom orchestration, identified 271 security bugs in Firefox, including a 15-year-old defect that fuzzers had missed. The AI-assisted approach yielded high-signal findings with few false positives, suggesting that model-driven vulnerability discovery is maturing. The results raise questions for disclosure processes and about the dual-use potential of such models. |
| 2026-05-01 | Open-source Models Match Mythos in Bug Finding | Fuzzing | Tooling that lets open-source models match Anthropic's Mythos at bug finding by orchestrating several models in one harness, so that each model's blind spots are covered by the others. The pipelines reproduce Mythos's ability to find both shallow and complex vulnerabilities at lower cost than a proprietary model. Human experts remain essential to orchestrate the ensemble, triage the findings, and validate exploitability. |
| 2026-04-29 | Cursor Vulnerability Exposes Developer API Tokens | API Sec | A vulnerability in Cursor has been disclosed that could expose developer API tokens, raising concerns about the handling of sensitive credentials on the platform. The nature and impact of the flaw are covered in the linked article. |
| 2026-04-29 | LeRobot Vulnerability Enables Unauthenticated Remote Code Execution | Python, RCE | A critical vulnerability in LeRobot allows unauthenticated remote code execution: an attacker can run arbitrary code on a vulnerable LeRobot system without any credentials. Exploit details and impact are covered in the linked writeup. |
| 2026-04-29 | Cursor AI Vulnerability Enables Remote Code Execution | AI, RCE | A security researcher found a critical vulnerability in Cursor AI that allows remote code execution, which could give attackers unauthorized access to and control over affected systems. The initial announcement did not describe the exploit mechanism or mitigations. |
| 2026-04-28 | LiteLLM Contains Critical SQL Injection Vulnerability | API Sec, SQLi | LiteLLM, a popular open-source library for interacting with large language models, has a critical SQL injection vulnerability in its handling of user input. An attacker could execute arbitrary SQL, potentially leading to data theft or unauthorized modification. Details are in the linked writeup. |
| 2026-04-22 | Anthropic AI Finds 271 Vulnerabilities in Firefox | Fuzzing | https://ift.tt/61geSjc |
| 2026-04-21 | SGLang Enables Remote Code Execution via Malicious GGUF Models | RCE | https://ift.tt/IRetcHV |
| 2026-04-17 | Marimo Exploits Enable Blockchain Backdoor Spread | RCE | https://ift.tt/vhVgxEe |
| 2026-04-16 | Anthropic Defends MCP Design Despite Server Takeover Risk | AI | https://ift.tt/IsVue9D |
| 2026-04-16 | OpenAI Revokes macOS Signing Certificate After Axios Supply-Chain Attack | Supply Chain | https://ift.tt/E3RXm9G |
| 2026-04-14 | AI Agents Drive Exposure of 29 Million Credentials | AI | https://ift.tt/zyb7MrR |
| 2026-04-09 | Claude Code Executes SQL Injection via CLAUDE.md | SQLi | https://ift.tt/4pAwbMP |
| 2026-04-06 | Anthropic Patches Claude Code Bypass Vulnerability | API Sec | https://ift.tt/MXrTcEF |
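
The two Ollama entries above (CVE-2026-7482) reduce the remediation to two checks: is the server older than 0.17.1, and is it listening beyond loopback. The following audit helper is an added example written for this index, not code from the Ollama project or from the linked writeups. It assumes that Ollama takes its bind address from the `OLLAMA_HOST` environment variable (defaulting to `127.0.0.1:11434`) and reports its version as JSON from `GET /api/version`; the parsing of `OLLAMA_HOST` is an approximation of Ollama's own, and the sample version response is constructed for the demo.

```python
"""Audit helper for the Ollama GGUF out-of-bounds read (CVE-2026-7482).

Added example, not Ollama project code.  Two checks: server version older
than the fixed 0.17.1, and a listener bound to a non-loopback address.
Assumptions: OLLAMA_HOST holds the bind address (default 127.0.0.1:11434)
and GET /api/version returns {"version": "..."}; the OLLAMA_HOST parsing
below approximates Ollama's and the sample response is constructed.
"""
import ipaddress
import json
import re
from typing import Optional
from urllib.request import urlopen

FIXED_VERSION = (0, 17, 1)  # first release without the bug, per the writeups


def parse_version(text: str) -> tuple:
    """Turn '0.17.1' or 'v0.16.3-rc1' into a comparable (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text: str) -> bool:
    return parse_version(text) < FIXED_VERSION


def bind_host(ollama_host: Optional[str]) -> str:
    """Host part of OLLAMA_HOST: 'host', 'host:port', 'scheme://host:port/', '[v6]:port'."""
    value = (ollama_host or "").strip()
    if not value:
        return "127.0.0.1"  # Ollama's default when the variable is unset
    value = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", value)  # drop scheme
    value = value.split("/", 1)[0]                              # drop any path
    if value.startswith("["):                                   # bracketed IPv6
        close = value.find("]")
        return value[1:close] if close > 0 else value
    if value.count(":") == 1:                                   # host:port
        host, _port = value.split(":")
        return host or "127.0.0.1"                              # ':11434' means host omitted
    return value  # bare hostname/IPv4, or an unbracketed IPv6 literal without port


def is_network_exposed(host: str) -> bool:
    """True unless the listener is on a loopback address (0.0.0.0 and :: count as exposed)."""
    if host == "localhost":
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # a hostname other than localhost: treat as reachable


def assess(version_json: str, ollama_host: Optional[str]) -> dict:
    """Combine both checks; takes the raw /api/version body and the OLLAMA_HOST value."""
    version = json.loads(version_json)["version"]
    host = bind_host(ollama_host)
    vulnerable = is_vulnerable_version(version)
    exposed = is_network_exposed(host)
    if vulnerable and exposed:
        verdict = "CRITICAL: vulnerable build reachable beyond loopback; upgrade to 0.17.1+ and restrict the listener"
    elif vulnerable:
        verdict = "HIGH: vulnerable build on loopback only; upgrade (local processes can still reach /api/create)"
    elif exposed:
        verdict = "INFO: patched build, but the listener is network-exposed; confirm that is intended"
    else:
        verdict = "OK: patched build, loopback only"
    return {"version": version, "bind_host": host,
            "vulnerable": vulnerable, "exposed": exposed, "verdict": verdict}


def fetch_version(base_url: str = "http://127.0.0.1:11434", timeout: float = 3.0) -> str:
    """Live check against a running server (network call; the demo below stays offline)."""
    with urlopen(f"{base_url}/api/version", timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed sample: what an unpatched server bound to all interfaces would report.
    sample = json.dumps({"version": "0.16.2"})
    print(assess(sample, "0.0.0.0:11434")["verdict"])
```

To run it against a live host, pass `fetch_version()` and `os.environ.get("OLLAMA_HOST")` into `assess`; the loopback-only case is still reported as HIGH because an unauthenticated `/api/create` on localhost remains reachable from anything running on the box.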