Live Dataset — Updated Daily

The Intelligence Layer for AI Risk Research

Structured, analyst-grade dataset of real-world AI failures. Built for researchers, red-teamers, and enterprise security teams.

4,312+ Documented Cases (growing daily)
1,104 Critical Severity (score 80–100)
1,898 High Priority (immediate attention)
86% Verified Cases (high confidence)

Live Intelligence Feed

Recent High-Priority Cases

First 10 cases open access. Subscribe to unlock all 4,312+ cases with full intelligence reports.

#0001
⬤ CRITICAL | REAL
[P0 / Blocker] Remote compact task fails 100% with "tools.defer_loading requires tools.tool_search" — GPT-5.5 unusable at context limit, no client-side workaround
A user working with GPT-5.5 on Codex desktop with default plugins reaches the conversation compact threshold. The server-side compact endpoint fails with a 400 error because it constructs a payload with 'defer_loading' on individual tool entries but omits the required 'tool_search' entry at the top level, violating its own schema validation.
General AI | AI Failure
#0002
⬤ CRITICAL | REAL
Google Fixes CVSS 10 Gemini CLI CI RCE and Cursor Flaws Enable Code Execution
A maximum-severity security flaw in the Gemini CLI npm package and GitHub Actions workflow allowed an unprivileged external attacker to force malicious content to load as Gemini configuration, enabling arbitrary command execution on host systems.
General AI | AI Failure
#0003
⬤ CRITICAL | REAL
SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files
A critical remote code execution vulnerability (CVSS 9.8) was discovered in SGLang, a Python ML serving infrastructure, allowing attackers to achieve RCE by providing malicious GGUF model files. This expands the attack surface in Python ML infrastructure and poses a direct threat to AI coding agents and systems that pull in ML dependencies.
General AI | AI Failure
#0004
⬤ CRITICAL | REAL
Security: Unsandboxed exec() with pre-injected os/sys modules in PyInterpreter
The PyInterpreter.execute() method in the agenticSeek project runs LLM-generated Python code via exec() with no sandboxing, pre-injecting os and sys modules and full __builtins__, allowing arbitrary code execution through prompt injection.
General AI | AI Failure
#0005
⬤ CRITICAL | REAL
Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover
A critical authentication bypass vulnerability (CVE-2026-33032, CVSS 9.8) in nginx-ui, an open-source web-based Nginx management tool, is being actively exploited in the wild, allowing threat actors to fully compromise the Nginx service.
General AI | AI Failure
#0006
⬤ CRITICAL | REAL
[security] command injection in uploadMedia via shell concatenation (server.ts:665)
A malicious WhatsApp message achieving prompt injection can craft a files array entry that breaks out of a curl invocation and executes arbitrary shell commands as the user running Claude Code, due to string concatenation in execSync.
General AI | AI Failure

Dataset Coverage

Failure Types
AI Failure: 3677
System Failure: 210
Human-AI Interaction: 205
Hallucination: 74
Bias: 63
Security: 38
Prompt Injection: 24

Risk Patterns
Operational Risk: 3362
Security Risk: 498
Safety Risk: 385
Ethical Risk: 39
Financial Risk: 12
Compliance Risk: 9
Reputation Risk: 4

Severity Distribution
Critical (80-100): 1104
High (60-79): 2484
Medium (40-59): 413
Low (0-39): 311

Ready to Build Safer AI?

Join researchers and security teams who rely on structured AI failure intelligence.
