Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-rh7v-6w34-w2rr | Flowise: MIME bypass enables persistent Node.js web shell RCE | flowise | 7.1 |
| HIGH | GHSA-cvrr-qhgw-2mm6 | Flowise: unauthenticated RCE via FILE-STORAGE bypass | flowise-components | 7.7 |
| HIGH | GHSA-4jpm-cgx2-8h37 | Flowise: unauth API exposes plaintext API keys and tokens | flowise | - |
| HIGH | GHSA-48m6-ch88-55mj | Flowise: Mass Assignment allows cross-tenant org takeover | flowise | 8.1 |
| CRITICAL | GHSA-9wc7-mj3f-74xv | Flowise CSVAgent: RCE via Python code injection | flowise-components | - |
| HIGH | GHSA-f228-chmx-v6j6 | Flowise: prompt injection RCE via AirtableAgent | flowise-components | 8.3 |
| MEDIUM | GHSA-9hrv-gvrv-6gf2 | Flowise: SSRF bypass enables cloud metadata access | flowise-components | - |
| MEDIUM | GHSA-qqvm-66q4-vf5c | Flowise: SSRF bypass enables cloud credential theft | flowise-components | - |
| MEDIUM | GHSA-w6v6-49gh-mc9w | Flowise: path traversal allows arbitrary file write via vector store | flowise-components | - |
| MEDIUM | GHSA-m7mq-85xj-9x33 | Flowise: hardcoded default key enables JWT token forgery | flowise | 5.6 |
| MEDIUM | GHSA-2qqc-p94c-hxwh | Flowise: hardcoded session secret enables auth bypass | flowise | 5.6 |
| MEDIUM | GHSA-cc4f-hjpj-g9p8 | Flowise: hardcoded JWT defaults enable full auth bypass | flowise | 5.6 |
| MEDIUM | GHSA-6pcv-j4jx-m4vx | Flowise: unauthenticated SSO config exposes OAuth secrets | flowise | 5.3 |
| LOW | GHSA-gj9q-8w99-mp8j | openclaw: TOCTOU race bypasses exec script preflight | openclaw | - |
| CRITICAL | CVE-2026-40933 | Flowise: RCE via MCP stdio command injection | flowise-components | 9.9 |
| HIGH | GHSA-rg3h-x3jw-7jm5 | PraisonAI: SQL injection across 9 DB backends | praisonaiagents | 8.1 |
| CRITICAL | GHSA-9qhq-v63v-fv3j | PraisonAI: RCE via MCP command injection | praisonai | 9.8 |
| MEDIUM | GHSA-f934-5rqf-xx47 | OpenClaw: path traversal in memory_get reads arbitrary workspace files | openclaw | - |
| HIGH | GHSA-mr34-9552-qr95 | openclaw: path traversal leaks files and NTLM credentials | openclaw | - |
| CRITICAL | GHSA-xh72-v6v9-mwhc | OpenClaw: auth bypass enables unauthenticated command exec | openclaw | - |