Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2024-12775 | Dify: SSRF via custom tool URL enables credential theft | - | |
| MEDIUM | CVE-2025-7021 | OpenAI Operator: fullscreen spoofing captures credentials | operator | 6.5 |
| MEDIUM | CVE-2025-54558 | OpenAI Codex CLI: sandbox bypass via ripgrep flag abuse | 4.1 | |
| CRITICAL | CVE-2025-59434 | Flowise Cloud: cross-tenant env var exposure leaks API keys | 9.6 | |
| UNKNOWN | CVE-2025-59532 | OpenAI Codex CLI: sandbox escape via model-generated cwd | - | |
| HIGH | CVE-2025-65098 | typebot: XSS enables session hijacking | 7.4 | |
| UNKNOWN | CVE-2024-48919 | Cursor IDE: prompt injection triggers terminal RCE | - | |
| CRITICAL | CVE-2024-12366 | PandasAI: prompt injection enables unauthenticated RCE | 9.8 | |
| HIGH | CVE-2024-12911 | llama-index: SQLi+DoS via prompt injection in query engine | llamaindex | 7.1 |
| HIGH | CVE-2025-66404 | mcp-server-kubernetes: Command Injection enables RCE | 8.8 | |
| LOW | CVE-2026-24764 | OpenClaw: indirect prompt injection via Slack metadata | openclaw | 3.7 |
| HIGH | CVE-2026-26321 | OpenClaw: path traversal enables local file exfiltration | openclaw | 7.5 |
| CRITICAL | CVE-2025-5120 | smolagents: sandbox escape enables unauthenticated RCE | smolagents | 10.0 |
| CRITICAL | CVE-2026-2654 | smolagents: SSRF allows internal network access | smolagents | 9.8 |
| UNKNOWN | CVE-2025-15063 | Ollama: Command Injection enables RCE | - | |
| CRITICAL | CVE-2024-37014 | Langflow: unauthenticated RCE via custom component API | langflow | 9.8 |
| HIGH | CVE-2024-7297 | Langflow: mass assignment grants super admin access | langflow | 8.8 |
| CRITICAL | CVE-2024-42835 | Langflow: Unauthenticated RCE via PythonCodeTool | langflow | 9.8 |
| CRITICAL | CVE-2024-48061 | Langflow: RCE via unsandboxed code component execution | langflow | 9.8 |
| CRITICAL | CVE-2025-3248 | Langflow: Unauth RCE via code injection endpoint | langflow | 9.8 |