Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-55447 | Langflow: TAR symlink traversal enables full RCE | langflow | 9.6 |
| MEDIUM | CVE-2026-55423 | Langflow: logout fails to clear session tokens | langflow | 6.1 |
| CRITICAL | CVE-2026-55255 | Langflow: IDOR allows cross-user flow execution | langflow | 9.9 |
| HIGH | GHSA-mrvx-jmjw-vggc | mcp-searxng: SSRF via DNS rebinding in web_url_read | 7.1 | |
| HIGH | GHSA-xcqx-9jf5-w339 | mcp-searxng: DoS via unbounded URL response read | 7.5 | |
| CRITICAL | CVE-2024-58351 | Flowise: RCE and sandbox escape via overrideConfig | Flowise | 9.8 |
| MEDIUM | CVE-2025-71331 | Flowise: XSS enables session hijacking in AI agent UI | Flowise | 6.1 |
| MEDIUM | CVE-2026-56267 | Flowise: PII exposure via unauthenticated password reset | Flowise | - |
| MEDIUM | CVE-2026-56276 | Flowise: mass assignment enables credential hash override | Flowise | - |
| MEDIUM | CVE-2026-12774 | litellm: SSRF in MCP server exposes cloud metadata | litellm | 6.3 |
| HIGH | CVE-2026-12773 | litellm: auth bypass in MCP proxy, no credentials required | litellm | 7.3 |
| MEDIUM | CVE-2026-12798 | litellm: SSRF in MCP OpenAPI spec loader endpoint | litellm | 6.3 |
| MEDIUM | CVE-2026-12821 | Flowise: path traversal in S3 loader exposes documents | Flowise | 6.3 |
| MEDIUM | CVE-2026-12822 | Langflow: code injection via Bundle URL Loader (PoC) | langflow | 5.3 |
| HIGH | CVE-2026-56104 | Chainlit: session hijacking via WebSocket restoration | chainlit | 8.2 |
| CRITICAL | CVE-2026-7664 | Langflow: auth bypass in MCP endpoint, CVSS 9.8 | Langflow OSS | 9.8 |
| MEDIUM | CVE-2026-55443 | LangChain: path traversal exposes files outside agent root | langchain | 5.5 |
| HIGH | CVE-2026-54353 | Budibase: SSRF via DNS rebinding in automation steps | @budibase/backend-core | 8.5 |
| HIGH | CVE-2026-50132 | Budibase: account hijack via chat identity CSRF | 7.3 | |
| HIGH | CVE-2026-56268 | Flowise: cross-workspace chatflow config disclosure | Flowise | 7.7 |