LodeHQ

Claude AI turns MeshCentral XSS into RCE; Dify leaks AI chats

Infosec · 2026-06-25

Vulnerabilities & Exploits
Claude AI Turns MeshCentral XSS into Full Remote Code Execution · 8 MIN

Researchers used Claude Code to automatically discover an XSS flaw in the open‑source remote‑management platform MeshCentral, then weaponised it to achieve remote code execution via a rogue client. The proof‑of‑concept shows LLM‑driven tooling can turn client‑side bugs into full system compromise, raising the stakes for RMM security.

Four Critical Dify Flaws Let Attackers Wiretap AI Chats Across Tenants · 13 MIN

Zafran Labs uncovered four high‑severity flaws in Dify, the open‑source LLMOps platform used by over a million AI apps, that let attackers read chat histories, preview other tenants' files, and exploit an outdated PDFium component. The bugs, tracked as CVE‑2026‑41947 to CVE‑2026‑41950, are patched in version 1.15.0, but many deployments remain vulnerable.

Anthropic’s Mythos AI flags flaws in US classified systems within hours · 2 MIN

A U.S. official told the AP that Anthropic’s Mythos model, used in Project Glasswing, uncovered multiple vulnerabilities in highly sensitive government software in just a few hours. The test proved the AI can spot critical bugs, though officials say it did not exploit them, highlighting a new defensive tool for national‑security cyber risk.

Threats & Malware
Nation‑state hackers have embedded sabotage-ready access in Australian critical infrastructure · 2 MIN

Australia’s spy agency disclosed that nation‑state hackers have infiltrated a key infrastructure provider, mapping the network and keeping footholds to enable sabotage later. The breach underscores a shift from espionage to potential disruption of essential services, prompting diplomatic calls to contain the threat.

Privacy, Policy & Governance
German Court Holds Google Liable for AI Search Summaries · 5 MIN

A German court ruled that Google is liable for the AI-generated summaries in its search results, dismissing the argument that users must verify the information themselves. The decision treats AI overviews as editorial content, setting a precedent that could force other platforms to shoulder similar responsibility for AI‑driven summaries.

Five Eyes Warn AI Will Cut Exploit Window to Months · 4 MIN

The US, UK, Canada, Australia and New Zealand cyber chiefs warned that frontier AI will shrink the time between vulnerability discovery and exploitation from years to months. They urge leaders to harden basic defenses, integrate AI responsibly, and treat cyber risk as a core business issue now.

© 2026 LodeHQ