Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-7574 | Claude Desktop: VM integrity bypass enables RCE | Claude Desktop Cowork | 8.7 |
| MEDIUM | CVE-2025-71332 | Flowise: SQL injection exposes AI credential store | Flowise | 6.5 |
| MEDIUM | CVE-2026-56272 | Flowise: weak bcrypt enables 30x faster password cracking | Flowise | 4.1 |
| MEDIUM | CVE-2026-56269 | Flowise: hardcoded JWT secret leaks user/workspace IDs | Flowise | 4.6 |
| HIGH | CVE-2026-56270 | Flowise: auth bypass exposes OAuth secrets in cleartext | Flowise | 7.5 |
| HIGH | CVE-2026-56351 | n8n: SQL injection in DB nodes via identifier values | n8n | 8.2 |
| MEDIUM | CVE-2026-56358 | n8n: stored XSS in Form Trigger enables form hijacking | n8n | 5.4 |
| CRITICAL | CVE-2026-12537 | Gemini CLI: OS command injection enables pre-sandbox RCE | run-gemini-cli GitHub Action | - |
| MEDIUM | CVE-2026-54033 | LibreChat: SSRF via custom API baseURL exposes internal network | 6.5 | |
| MEDIUM | CVE-2026-46406 | Claude Code: predictable temp file leaks data, symlink write | claude-code | - |
| CRITICAL | CVE-2025-71327 | Flowise: auth bypass grants full API access | Flowise | 9.1 |
| HIGH | CVE-2025-71324 | Flowise: path traversal leaks database unauthenticated | Flowise | 7.5 |
| HIGH | CVE-2025-71328 | Flowise: unverified password change enables account takeover | Flowise | 8.3 |
| CRITICAL | CVE-2025-71338 | Flowise: unauthenticated file write enables RCE | Flowise | 10.0 |
| CRITICAL | CVE-2025-71334 | Flowise: path traversal → RCE via missing UUID validation | Flowise | 9.8 |
| HIGH | CVE-2025-71335 | Flowise: password change fails to revoke sessions | Flowise | 8.1 |
| CRITICAL | CVE-2025-71336 | Flowise: unauthenticated RCE via Custom MCP endpoint | Flowise | 9.8 |
| CRITICAL | CVE-2025-71333 | Flowise: unauth file upload + path traversal enables RCE | Flowise | - |
| MEDIUM | CVE-2026-58057 | Flowise: NODE_OPTIONS denylist bypass allows RCE | flowise | 5.0 |
| MEDIUM | CVE-2026-41863 | Spring AI: path traversal via LLM-chosen filenames | org.springframework.ai:spring-ai-anthropic | 6.5 |