Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | GHSA-v38x-c887-992f | Flowise: prompt injection bypasses Python sandbox RCE | flowise-components | - |
| HIGH | CVE-2026-6596 | Langflow: unauthenticated file upload allows RCE | langflow-base | 7.3 |
| MEDIUM | CVE-2026-6599 | Langflow: MCP config injection via X-Forwarded-For header | langflow | 6.3 |
| LOW | CVE-2026-6600 | Langflow: stored XSS in chat message editor | langflow | 3.5 |
| HIGH | CVE-2026-39861 | Claude Code: sandbox escape via symlink allows arbitrary write | @anthropic-ai/claude-code | - |
| CRITICAL | CVE-2026-41264 | Flowise: prompt injection → unsandboxed RCE via CSV Agent | flowise-components | 9.8 |
| HIGH | GHSA-2r2p-4cgf-hv7h | engramx: CSRF injects persistent prompts into AI agents | - | |
| MEDIUM | CVE-2026-41495 | n8n-mcp: bearer tokens exposed in HTTP transport logs | n8n-mcp | 5.3 |
| HIGH | CVE-2026-41279 | Flowise: unauth API key abuse via TTS endpoint IDOR | flowise | 7.5 |
| CRITICAL | CVE-2026-41265 | Flowise: RCE via prompt injection in Airtable Agent | flowise | 9.8 |
| HIGH | CVE-2026-41137 | Flowise: RCE via CSVAgent unsanitized code injection | flowise | 8.8 |
| HIGH | CVE-2026-41138 | Flowise: RCE via unsanitized input in AirtableAgent | flowise | 8.8 |
| HIGH | CVE-2026-41266 | Flowise: unauthenticated API key exposure via chatbot config | flowise | 7.5 |
| CRITICAL | CVE-2026-41267 | Flowise: mass assignment auth bypass in registration | flowise | 9.8 |
| CRITICAL | CVE-2026-41268 | Flowise: unauthenticated RCE via NODE_OPTIONS env injection | flowise | 9.8 |
| HIGH | CVE-2026-41269 | Flowise: unrestricted file upload enables persistent RCE | flowise | 8.8 |
| HIGH | CVE-2026-41270 | Flowise: SSRF bypass exposes cloud metadata services | flowise | 8.3 |
| HIGH | CVE-2026-41271 | Flowise: SSRF via prompt template injection in API Chain | flowise | 8.3 |
| HIGH | CVE-2026-41272 | Flowise: SSRF bypass via DNS rebinding exposes internal networks | flowise | 7.1 |
| HIGH | CVE-2026-41273 | Flowise: auth bypass exposes OAuth 2.0 tokens | flowise | 8.2 |