When should an AI system be security tested?

Before production, after major model or tool changes, and whenever the system gains access to sensitive data, actions, or external integrations.

Is AI security only prompt testing?

No. Serious AI security covers identity, data boundaries, retrieval, tools, model files, logging, monitoring, and incident response.

AI Security / Resources

AI Security Hub

A practical hub for LLM, RAG, agent, MCP, model file, and MLOps security decisions before AI systems reach production.

Talk to Eresus View Sentinel

Risk signals

Prompt injection that becomes data exposure or unauthorized tool use.

RAG systems that retrieve sensitive content without permission-aware controls.

Untrusted model artifacts entering production without quarantine or provenance.

What you will find here

Model risks

Unsafe file formats, model intake decisions, source trust, and supply-chain exposure.

Agent and MCP security

Tool permissions, MCP registration, identity boundaries, and unintended action paths.

RAG and data boundaries

Retrieval rules, sensitive content leakage, tenant boundaries, and audit evidence.

Model and AI security knowledge base

This first version uses Eresus resources, advisories, and tools. It does not import third-party scan results or invent model status.

Foundation Model ReportsResource hubModel-specific notesLive Language Model Security DBKnowledge baseAttack classesCurated SentinelOpen-source toolAI model, MCP, promptAvailable ModelScan+Open-source toolModel file hygieneAvailable

Open data sources

A ProtectAI-style view should combine public risk databases, model metadata, and Eresus validation. External records stay labeled as signals until Sentinel or an Eresus review verifies them.

AVID

AI vulnerability database

Open database of GPAI failure modes, reports, vulnerabilities, and measurements with evidence metadata.

Use for model, agent, and AI application risk signals.

OSV

Open-source vulnerability API

Package and version-level vulnerability data for open-source dependencies in ecosystems like PyPI, npm, Go, and Rust.

Use for AI stack dependencies such as transformers, gradio, llama-index, langchain, torch, and tensorflow.

Hugging Face Hub

Model metadata

Model repository metadata such as tags, files, last modification date, safetensors info, and security scan status fields.

Use for inventory fields; do not treat metadata alone as a security verdict.

MITRE ATLAS

AI attack taxonomy

Tactics, techniques, mitigations, and case studies for adversarial threats against AI systems.

Use for classification and shared vocabulary, not model scan status.

AI Incident Database

Incident database

Real-world AI incidents and near harms collected for learning from deployed system failures.

Use for context and trend evidence around deployed AI harms.

Recent open risk signals

invoke-ai/invokeai

AVID / AVID-2026-R0023

Advisory · 2025-03-20

Model installation flow with unsafe model deserialization risk.

CVE-2024-12029CWE-502model loading

External signal

Keras

AVID / AVID-2026-R0034

Advisory · 2025-03-11

Crafted model archive configuration can affect model loading safety.

CVE-2025-1550CWE-94model loading

External signal

picklescan

AVID / AVID-2026-R0035

Advisory · 2025-02-26

Scanner bypass signal around unsafe pickle globals in model files.

CVE-2025-1716CWE-184pickle

External signal

Multiple models

AVID / AVID-2026-R0062

Measurement · 2026-02-19

Prompt injection measurement across multiple model families.

prompt injectionguardrailmeasurement

External signal

Featured resources

Advisory Analysis

CVE-2026-7482: Ollama GGUF Heap Out-of-Bounds Read — Full Technical Analysis

CVE-2026-7482 is a critical heap out-of-bounds read in Ollama's GGUF model loader (CVSS 9.1). Unauthenticated remote attackers can leak ~2 MB of heap memory per request — including environment variables, API keys, system prompts, and concurrent users' conversation data. Two-bug chain, full PoC, patch diff, and Ollama 0.17.1 fix.

2026-05-05Read

Related advisories

Security Vulnerability

Unauthenticated Remote Code Execution via Arbitrary Command Injection in MCPHub Server Registration

MCPHub accepts attacker-controlled command and args values during server registration and spawns them through STDIO, enabling full remote code execution on the host.

2026-04-22Read

Security Vulnerability

Authentication Bypass via skipAuth Configuration Grants Full Admin Access in MCPHub

When skipAuth is enabled, MCPHub bypasses both authentication and admin authorization checks, allowing any unauthenticated user to access privileged API functionality.

2026-04-22Read