Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | GHSA-fq2m-6wqh-x44g | praisonai: unauthenticated Jobs API enables remote agent RCE | praisonai | 9.8 |
| HIGH | GHSA-2rcg-mm5h-xchx | praisonaiagents: @file: path traversal reads arbitrary files | praisonaiagents | 7.5 |
| CRITICAL | GHSA-j4hj-7hfh-g2f4 | praisonai: silent auth bypass exposes agent exec endpoints | praisonai | 9.8 |
| HIGH | GHSA-vxgj-xg5c-p4h7 | praisonaiagents: SSRF DNS bypass exposes internal services | praisonaiagents | 8.5 |
| CRITICAL | GHSA-4869-x4pr-q22x | PraisonAI: Unauthenticated RCE via Jobs API auth bypass | praisonaiagents | 9.8 |
| HIGH | GHSA-p4pj-vh7h-6cqh | praisonai: unauthenticated path traversal leaks server files | praisonai | 7.5 |
| CRITICAL | GHSA-x227-pf99-vffg | praisonaiagents: unauthenticated MCP SSE server enables RCE | praisonaiagents | 9.8 |
| MEDIUM | GHSA-pv2j-rghr-v5r9 | praisonaiagents: sandbox escape via format-spec read | praisonaiagents | 6.5 |
| MEDIUM | GHSA-6h9p-93hq-q7h6 | praisonaiagents: SSRF bypass via SpiderTools redirect | praisonaiagents | 6.5 |
| HIGH | GHSA-w6h2-fr4q-xvxv | PraisonAI: file tool shell injection enables RCE | praisonai | 8.8 |
| HIGH | GHSA-v847-hxxw-3pxg | PraisonAI: streaming bypass enables dangerous tool execution | praisonai | 7.8 |
| HIGH | GHSA-63v4-w882-g4x2 | PraisonAI: XSS bypasses human-in-the-loop tool approval | praisonai | 8.8 |
| HIGH | GHSA-fc26-m9pf-v56q | PraisonAI LinearBot: webhook auth bypass enables agent exec | praisonai | 8.6 |
| HIGH | GHSA-j7qx-p75m-wp7g | PraisonAI: path traversal exposes arbitrary host files | praisonai | 7.5 |
| HIGH | GHSA-qvpf-j64c-jmhr | PraisonAI: auth bypass via Slack app_mention handler | praisonai | 8.3 |
| HIGH | GHSA-5qw8-f2g9-ff29 | PraisonAI: auth bypass exposes recipe API to unauthenticated callers | praisonai | 8.2 |
| HIGH | GHSA-vmf9-xx9w-86wx | PraisonAI: DNS rebinding exposes MCP agent tools | praisonai | 8.3 |
| HIGH | GHSA-22cj-m4wf-fv2c | PraisonAI: path traversal in agent tools exposes credentials | praisonai | 7.5 |
| HIGH | GHSA-8579-rgg5-ph2m | praisonai: Discord approval bypass executes agent tools | praisonai | 8.8 |
| MEDIUM | GHSA-35w5-pcw4-jx94 | praisonaiagents: unauth SSE endpoint enables event injection | praisonaiagents | 4.3 |