Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-47398 | PraisonAI: RCE via ungated exec_module in agent config | PraisonAI | 8.1 |
| MEDIUM | CVE-2026-47213 | BoxLite: sandbox timeout bypass enables DoS via SIGALRM | boxlite | 6.5 |
| HIGH | CVE-2026-47412 | praisonai-platform: member can wipe entire workspace | praisonai-platform | 8.1 |
| HIGH | CVE-2026-47415 | praisonai-platform: IDOR exposes cross-workspace tenant data | praisonai-platform | 8.3 |
| CRITICAL | CVE-2026-47413 | praisonai-platform: member can escalate to workspace owner | praisonai-platform | 9.6 |
| MEDIUM | CVE-2026-47411 | PraisonAI: auth bypass allows workspace settings injection | praisonai-platform | 6.5 |
| HIGH | CVE-2026-47417 | praisonai-platform: IDOR enables cross-tenant comment exfil | praisonai-platform | 8.1 |
| HIGH | CVE-2026-47418 | praisonai-platform: IDOR exposes cross-workspace projects | praisonai-platform | 8.1 |
| MEDIUM | CVE-2026-47250 | mcp-server-kubernetes: flag injection steals K8s tokens | mcp-server-kubernetes | 6.1 |
| HIGH | CVE-2026-47419 | praisonai-platform: IDOR enables cross-workspace agent read/write/delete | praisonai-platform | 8.3 |
| HIGH | GHSA-wx3m-whqv-xv47 | skillctl: path traversal enables credential exfiltration | skillctl | - |
| CRITICAL | CVE-2026-46440 | Flowise: plaintext auth brute-force, no rate limit | flowise | 9.1 |
| CRITICAL | CVE-2026-46441 | Flowise: mass assignment breaks multi-tenant isolation | flowise | 9.6 |
| CRITICAL | CVE-2026-46442 | Flowise: sandbox escape enables authenticated RCE | flowise | 9.9 |
| MEDIUM | CVE-2026-46443 | Flowise: stored credentials exposed via API filter bug | flowise | 6.5 |
| HIGH | CVE-2026-46444 | Flowise: missing authz on vector store CRUD ops | flowise | 8.8 |
| HIGH | CVE-2026-46475 | Flowise: mass-assignment enables workspace takeover | flowise | 8.8 |
| HIGH | CVE-2026-46476 | Flowise: mass assignment enables cross-workspace takeover | flowise | 8.8 |
| HIGH | CVE-2026-46477 | Flowise: mass-assignment cross-workspace dataset takeover | flowise | 8.8 |
| HIGH | CVE-2026-46478 | Flowise: mass-assignment allows cross-workspace data takeover | flowise | 8.8 |