OWASP LLM Top 10 Compliance Tracker

The OWASP Top 10 for LLM Applications identifies the most critical security risks for applications using Large Language Models. Each risk category below is mapped to real CVEs affecting AI/ML packages in production.

Summary statistics:

- CVEs mapped: 2247
- Controls with CVEs: 10
- Total mappings: 2879

Controls & Mapped Vulnerabilities

LLM01: Prompt Injection (80 CVEs)

- [CRITICAL] CVE-2026-47392, CVSS 9.9: praisonaiagents: RCE via Python sandbox bypass
- [CRITICAL] CVE-2026-47391, CVSS 9.8: PraisonAI: Unauth RCE via A2A eval injection
- [CRITICAL] GHSA-4869-x4pr-q22x, CVSS 9.8: PraisonAI: Unauthenticated RCE via Jobs API auth bypass
- + 77 more CVEs mapped to this control

LLM02: Sensitive Information Disclosure (157 CVEs)

- [CRITICAL] CVE-2026-34938, CVSS 10.0: praisonaiagents: sandbox bypass enables full host RCE
- [CRITICAL] CVE-2026-33663, CVSS 10.0: n8n: member role steals plaintext HTTP credentials
- [CRITICAL] CVE-2026-25053, CVSS 9.9: n8n: Command Injection enables RCE
- + 154 more CVEs mapped to this control

LLM03: Supply Chain Vulnerabilities (147 CVEs)

- [CRITICAL] CVE-2026-25115, CVSS 9.9: n8n: Protection Bypass circumvents security controls
- [CRITICAL] CVE-2025-54951, CVSS 9.8: ExecuTorch: heap buffer overflow RCE in model loading
- [CRITICAL] CVE-2024-11958, CVSS 9.8: llama-index DuckDB retriever: SQLi enables RCE
- + 144 more CVEs mapped to this control

LLM04: Data and Model Poisoning (178 CVEs)

- [CRITICAL] CVE-2025-53002, CVSS 9.8: LLaMA-Factory: RCE via unsafe checkpoint deserialization
- [CRITICAL] CVE-2026-55450, CVSS 9.3: Langflow: unauthenticated upload → DoS + path disclosure
- [CRITICAL] CVE-2026-27493, CVSS 9.0: n8n: Code Injection enables RCE
- + 175 more CVEs mapped to this control

LLM05: Improper Output Handling (218 CVEs)

- [CRITICAL] CVE-2025-71338, CVSS 10.0: Flowise: unauthenticated file write enables RCE
- [CRITICAL] CVE-2026-3490, CVSS 10.0: picklescan: blocklist bypass enables full RCE
- [CRITICAL] CVE-2026-35307, CVSS 10.0: Oracle Coherence: unauthenticated RCE
- + 215 more CVEs mapped to this control

LLM06: Excessive Agency (346 CVEs)

- [CRITICAL] CVE-2026-33663, CVSS 10.0: n8n: member role steals plaintext HTTP credentials
- [CRITICAL] CVE-2026-46695, CVSS 10.0: Boxlite: read-only bypass enables host code execution
- [CRITICAL] CVE-2026-25053, CVSS 9.9: n8n: Command Injection enables RCE
- + 343 more CVEs mapped to this control

LLM07: System Prompt Leakage (294 CVEs)

- [CRITICAL] CVE-2025-14931, CVSS 10.0: smolagents: RCE via pickle deserialization in executor
- [CRITICAL] CVE-2025-53767, CVSS 10.0: Azure OpenAI: SSRF EoP, no auth required
- [CRITICAL] CVE-2026-26030, CVSS 10.0: semantic-kernel: Code Injection enables RCE
- + 291 more CVEs mapped to this control

LLM08: Vector and Embedding Weaknesses (273 CVEs)

- [CRITICAL] CVE-2026-26030, CVSS 10.0: semantic-kernel: Code Injection enables RCE
- [CRITICAL] CVE-2025-14931, CVSS 10.0: smolagents: RCE via pickle deserialization in executor
- [CRITICAL] CVE-2026-39888, CVSS 10.0: praisonaiagents: sandbox escape enables host RCE
- + 270 more CVEs mapped to this control

LLM09: Misinformation (20 CVEs)

- [CRITICAL] CVE-2024-39236, CVSS 9.8: Gradio: code injection via component metadata
- [CRITICAL] CVE-2025-61260, CVSS 9.8: OpenAI Codex CLI: RCE via malicious MCP config files
- [HIGH] GHSA-m3mh-3mpg-37hw, CVSS 8.6: OpenClaw: .npmrc hijack enables RCE on plugin install
- + 17 more CVEs mapped to this control

LLM10: Unbounded Consumption (31 CVEs)

- [HIGH] GHSA-5qw8-f2g9-ff29, CVSS 8.2: PraisonAI: auth bypass exposes recipe API to unauthenticated callers
- [HIGH] CVE-2025-48956, CVSS 7.5: vLLM: unauthenticated DoS via oversized HTTP header
- [HIGH] CVE-2022-35997, CVSS 7.5: TensorFlow: CHECK-fail DoS in tf.sparse.cross op
- + 28 more CVEs mapped to this control

Download Full Evidence Pack

The complete OWASP LLM Top 10 evidence pack contains all CVE-to-control mappings, the rationale for each mapping, and audit-ready documentation. It is exportable as CSV.