Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-33989 | @mobilenext/mobile-mcp: path traversal via AI agent tool | @mobilenext/mobile-mcp | 8.1 |
| MEDIUM | GHSA-364x-8g5j-x2pr | n8n: stored XSS via malicious OAuth2 Authorization URL | n8n | 5.4 |
| MEDIUM | GHSA-3c7f-5hgj-h279 | n8n: Stored XSS in Chat Trigger via CSS injection | n8n | 5.4 |
| MEDIUM | GHSA-w673-8fjw-457c | n8n: stored XSS enables phishing via Form Node | n8n | 4.1 |
| MEDIUM | GHSA-q4fm-pjq6-m63g | n8n: Stored XSS in Form Trigger enables phishing | n8n | 5.4 |
| CRITICAL | CVE-2026-2275 | CrewAI: RCE via Docker fallback in CodeInterpreter | 9.6 | |
| HIGH | CVE-2026-2285 | CrewAI: arbitrary file read via JSON loader tool | 7.5 | |
| CRITICAL | CVE-2026-2286 | CrewAI: SSRF via unvalidated RAG tool URLs exposes internal services | 9.8 | |
| CRITICAL | CVE-2026-2287 | CrewAI: Docker sandbox fallback enables RCE | 9.8 | |
| CRITICAL | GHSA-955r-262c-33jc | telnyx: PyPI supply chain attack steals cloud creds | - | |
| HIGH | GHSA-m3mh-3mpg-37hw | OpenClaw: .npmrc hijack enables RCE on plugin install | openclaw | 8.6 |
| HIGH | GHSA-hr5v-j9h9-xjhg | OpenClaw: sandbox escape via mediaUrl path traversal | openclaw | 7.7 |
| HIGH | CVE-2026-29872 | awesome-llm-apps MCP Agent: cross-session credential theft | 8.2 | |
| HIGH | CVE-2026-4399 | 1millionbot Millie: Boolean prompt injection bypasses restrictions | 7.5 | |
| MEDIUM | CVE-2026-34451 | anthropic-ai/sdk: memory tool path traversal escape | @anthropic-ai/sdk | - |
| MEDIUM | CVE-2026-34450 | anthropic-sdk: insecure file perms expose agent memory | anthropic | - |
| MEDIUM | CVE-2026-34452 | Anthropic SDK: TOCTOU symlink escape in async memory tool | anthropic | - |
| HIGH | CVE-2026-34954 | praisonaiagents: SSRF leaks cloud IAM credentials | praisonaiagents | 8.6 |
| HIGH | CVE-2026-34955 | PraisonAI: sandbox escape via shell=True blocklist bypass | praisonai | 8.8 |
| HIGH | CVE-2026-34936 | PraisonAI: SSRF via api_base steals cloud IAM credentials | praisonai | 7.7 |