Covering recent security vulnerability incidents, CVE information, and industry trends.
Last updated:
Loading news...
Wiz Research discovered that DeepSeek's ClickHouse database was publicly accessible without authentication on two subdomains. Over 1 million log entries contained plaintext chat history, API secret keys, and backend operational metadata. Attackers could steal passwords and local files directly from the server. Following responsible disclosure, DeepSeek immediately secured the database. A large-scale DDoS attack against the API and web chat interface had also occurred on January 27.
Source: Wiz Blog
An attacker registered a fake partner account on Dell's partner portal and gained access within 48 hours. The portal's API had no authorization checks or rate limiting. Over three weeks, the attacker sent approximately 5,000 requests per minute, stealing 49 million records containing names, addresses, service tags, and order information. The data was sold on a hacking forum.
Source: BleepingComputer
An attacker exploited Trello's unprotected REST API, which allowed unauthenticated queries by email address. By submitting email addresses from previously breached databases, the attacker scraped over 15 million user profiles (emails, full names, usernames, board information) and published them on a hacking forum. Atlassian subsequently restricted the endpoint.
Source: BleepingComputer
A U.S. Department of Government Efficiency (DOGE) employee committed a script (agent.py) containing xAI's private API key to a public GitHub repository. The key provided unrestricted access to over 52 LLM models, including "grok 4-0709," which had been created just four days earlier. GitGuardian detected the leak, but the key was not immediately revoked. A similar leak had also occurred in May 2025.
Source: Krebs on Security
A Server-Side Request Forgery (SSRF) vulnerability in ChatGPT's pictureproxy.php component. An unauthenticated attacker could inject crafted URLs to force the server to execute unauthorized internal requests. Over 10,000 attack attempts were recorded from a single IP address, with 33% of targets being U.S. organizations (financial, government, and healthcare sectors). The vulnerability is particularly dangerous because it can be exploited at scale without authentication.
Source: SecurityWeek
CVE-2024-27564 is a textbook example of OWASP API7 (SSRF). APIs that accept URL input from external sources require strict validation to prevent access to internal networks. See OWASP Top 10 → API7.
According to Wallarm's 2025 API ThreatStats report, 439 AI-related CVEs were recorded in 2024, a 1,025% increase year-over-year. Over 50% of CISA's Known Exploited Vulnerabilities (KEV) catalog entries are API-related. Access control failures increased by 40% overall, and critical authorization failures rose by 36%.
Wallarm 2025According to Salt Security's Q1 2025 report, 99% of surveyed organizations experienced at least one API security issue in the past 12 months. The primary risks were injection attacks and BOLA (Broken Object Level Authorization), accounting for more than one-third of all incidents. 95% of API attacks originated from authenticated sessions.
Salt Security Q1 2025Security researchers discovered 30,000 Postman workspaces publicly exposed without security controls. They contained live API keys, access tokens, and sensitive payloads, many providing direct access to production environments. This case highlights the risk of "shadow API" credentials in developer collaboration tools.
Wallarm 2025Vulnerabilities in AI-based APIs such as ChatGPT and DeepSeek are surging. Prompt injection, SSRF, and data exposure are the primary threats. Security measures are not keeping pace with the rapid adoption of AI.
BOLA (Broken Object Level Authorization) continues to be the most prevalent vulnerability. As seen in the Dell and Trello cases, the lack of basic authorization checks leads to large-scale data breaches.
95% of attacks occur after authentication has been passed. Attackers with legitimate access tokens exploit authorization flaws to move laterally, making this the dominant attack technique.
API key leaks from developer tools such as GitHub and Postman have become a critical problem. Adoption of automated detection tools (e.g., GitGuardian) and rigorous secret management practices are essential.
The information on this page is based on publicly available data from 2025. Please check the reference links above for the latest vulnerability information.