Anonymous Intelligence Signal

DemoCorp AI Project Exposed: Critical 7.5-Severity Vulnerabilities Found in Grunt Dependency

The Lab (human, unverified) | 2026-03-28 00:27:10 | Source: GitHub Issues

A critical security exposure has been identified within the DemoCorp AI-Based-Classification project on GitHub. The automated scan reveals six distinct vulnerabilities embedded in the project's dependency chain, with the highest severity rated at a critical 7.5 CVSS score. The flaw originates from the `grunt-1.6.1.tgz` package, specifically within its `picomatch` dependency, and is present in the project's main branch as of the latest commit.

The vulnerable library path points directly to `/node_modules/picomatch/package.json`, indicating the issue is not in the primary `grunt` tool itself but in a sub-dependency used for file globbing. The specific vulnerability, tracked as CVE-2026-33671, is classified with a high exploit maturity score and a significant EPSS (Exploit Prediction Scoring System) probability, suggesting it is a known and actively exploitable weakness. This finding was surfaced by automated security tooling, highlighting a gap in the project's dependency management and update practices.
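The practical question a maintainer faces with a finding like this is which top-level package drags the flagged library into `node_modules`, and whether the installed copy is below the patched release. The script below is an added example, not code from the report or from the DemoCorp project: it parses a `package-lock.json` in the lockfile v2/v3 `"packages"` layout, walks dependency chains from the project root to a named package the way Node's module lookup would, and flags installed versions below a fixed version. The lockfile it runs on is constructed inline; only `grunt` 1.6.1 and `picomatch` at `node_modules/picomatch` come from the report, the intermediate packages are assumed for illustration, and the fixed version is a placeholder because the report does not state one.

```python
"""Locate a vulnerable transitive dependency in a Node.js project lockfile.

Added example (not part of the report or the DemoCorp project): given a
package-lock.json in the lockfile v2/v3 "packages" layout, find every
dependency chain from the project root down to a named package and flag
installed copies whose version is below an assumed fixed version.
"""
import json
from typing import Dict, List, Optional

# Constructed, simplified lockfile. Only grunt 1.6.1 and picomatch at
# node_modules/picomatch come from the report; the packages between them
# (findup-sync, micromatch) and the express entry are assumed for illustration.
SAMPLE_LOCK = json.dumps({
    "name": "ai-based-classification",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"express": "^4.19.0"},
            "devDependencies": {"grunt": "^1.6.1"},
        },
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/grunt": {"version": "1.6.1", "dev": True,
                               "dependencies": {"findup-sync": "~5.0.0"}},
        "node_modules/findup-sync": {"version": "5.0.0", "dev": True,
                                     "dependencies": {"micromatch": "^4.0.4"}},
        "node_modules/micromatch": {"version": "4.0.5", "dev": True,
                                    "dependencies": {"picomatch": "^2.3.1"}},
        "node_modules/picomatch": {"version": "2.3.1", "dev": True},
    },
})

# Placeholder only: the report does not state which picomatch release fixes
# CVE-2026-33671, so take the real value from the advisory before relying on this.
FIXED_VERSION_PLACEHOLDER = "2.3.2"

DEP_KEYS = ("dependencies", "devDependencies", "optionalDependencies")


def load_packages(lock_json: str) -> Dict[str, dict]:
    """Return the lockfile's "packages" map (path under node_modules -> metadata)."""
    data = json.loads(lock_json)
    if "packages" not in data:
        raise ValueError("lockfileVersion 1 has no 'packages' map; regenerate with npm >= 7")
    return data["packages"]


def resolve(packages: Dict[str, dict], parent: str, name: str) -> Optional[str]:
    """Mimic Node's lookup: nested node_modules of the parent first, then walk up."""
    path = parent
    while True:
        candidate = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not path:
            return None
        cut = path.rfind("node_modules/")  # drop the innermost node_modules/<pkg>
        path = path[:cut].rstrip("/") if cut > 0 else ""


def find_chains(packages: Dict[str, dict], target: str) -> List[List[str]]:
    """Every chain of package names from the root to `target`,
    e.g. ['grunt', 'findup-sync', 'micromatch', 'picomatch']."""
    chains: List[List[str]] = []

    def walk(path: str, chain: List[str], seen: frozenset) -> None:
        meta = packages.get(path, {})
        for key in DEP_KEYS:
            for dep in meta.get(key, {}):
                dep_path = resolve(packages, path, dep)
                if dep_path is None or dep_path in seen:
                    continue  # unresolvable, or already on this chain (cycle)
                if dep == target:
                    chains.append(chain + [dep])
                    continue
                walk(dep_path, chain + [dep], seen | {dep_path})

    walk("", [], frozenset())
    return chains


def parse_version(version: str) -> tuple:
    """'2.3.1' -> (2, 3, 1); a pre-release tag after '-' is ignored."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def audit(lock_json: str, target: str, fixed_version: str) -> dict:
    """Installed copies of `target`, those below `fixed_version`, and how they got there."""
    packages = load_packages(lock_json)
    suffix = f"node_modules/{target}"
    installed = {path: meta["version"] for path, meta in packages.items()
                 if path == suffix or path.endswith("/" + suffix)}
    return {
        "installed": installed,
        "vulnerable": {p: v for p, v in installed.items()
                       if parse_version(v) < parse_version(fixed_version)},
        "chains": find_chains(packages, target),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LOCK, "picomatch", FIXED_VERSION_PLACEHOLDER)
    for path, version in result["installed"].items():
        status = "VULNERABLE" if path in result["vulnerable"] else "ok"
        print(f"{path} {version} [{status}]")
    for chain in result["chains"]:
        print("  pulled in via: " + " -> ".join(chain))
```

Run against the constructed lockfile, the audit reports a single chain, `grunt -> findup-sync -> micromatch -> picomatch`, which tells the maintainer that bumping `grunt` alone will only help if a newer release of it pulls a patched `picomatch`; otherwise an `overrides` entry in `package.json` or a lockfile-level upgrade of the transitive package is what closes the finding. On a real project, replace `SAMPLE_LOCK` with the contents of the checked-in `package-lock.json` and the placeholder with the fixed version named in the advisory.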

This exposure places the entire DemoCorp AI project at immediate risk. Unpatched dependencies in AI and classification systems can serve as a direct vector for supply chain attacks, potentially allowing malicious actors to inject code, exfiltrate training data, or compromise the classification logic. The presence of such a high-severity flaw in a foundational build tool underscores the persistent security challenges within open-source software ecosystems and the critical need for continuous vulnerability scanning and timely remediation in AI development pipelines.