The AISafe Blog

April 22, 2026
Critical RCE vulnerability in LiteLLM Proxy
We independently discovered and chained two vulnerabilities in LiteLLM Proxy into unauthenticated RCE. Upgrade to v1.83.7-stable.

April 9, 2026
CVE-2026-35455: Stored XSS via OCR Text in Immich's Panorama Viewer
Paint HTML as visible text on a 360° image. PaddleOCR extracts it, the database stores it, and the panorama viewer hands it to innerHTML. Any user who opens the OCR overlay runs your JavaScript.

March 26, 2026
CVE-2026-29772: Memory DoS in Astro Server Islands
A single POST request can exhaust your server's memory. The vulnerable endpoint is registered by default, even if you don't use Server Islands.

March 16, 2026
"Please perform a comprehensive security audit" - and why it doesn't work
Why Claude Code or Codex won't secure your application, and how AISafe found 7 CVEs in a file-hosting app where they couldn't.