Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-60089 | PraisonAI: config.toml path traversal overwrites files | praisonaiagents | 5.5 |
| HIGH | CVE-2026-60091 | PraisonAI: SSRF via webhook_url DNS rebinding | praisonai | 7.2 |
| MEDIUM | CVE-2026-61431 | PraisonAI: path traversal leaks arbitrary files | praisonai | 5.5 |
| MEDIUM | CVE-2026-61432 | PraisonAI: FastContext path traversal leaks host files | praisonaiagents | 5.7 |
| HIGH | CVE-2026-61434 | PraisonAI: allowlist bypass enables RCE via find -exec | praisonai | 8.8 |
| HIGH | CVE-2026-61437 | PraisonAI: unsafe dynamic import enables RCE | praisonaiagents | 7.8 |
| MEDIUM | CVE-2026-61441 | PraisonAI: IDOR lets members delete owner dependencies | 6.5 | |
| CRITICAL | CVE-2026-61444 | PraisonAI: code injection via f-string in deploy API | praisonai | 9.1 |
| HIGH | GHSA-g5r6-gv6m-f5jv | mcp-atlassian: path traversal leaks secrets via injection | mcp-atlassian | 7.7 |
| HIGH | GHSA-wm45-qh3g-v83f | mcp-atlassian: path traversal leaks server files+creds | mcp-atlassian | 7.7 |
| MEDIUM | GHSA-489g-7rxv-6c8q | mcp-atlassian: DNS-rebind bypass revives header SSRF | mcp-atlassian | 6.5 |
| CRITICAL | CVE-2026-61459 | mcp-server-kubernetes: arg injection exfils bearer token | mcp-server-kubernetes | 9.8 |
| HIGH | CVE-2026-61439 | PraisonAI: umbral de bloqueo mal configurado permite prompt injection | praisonai | 7.5 |
| CRITICAL | CVE-2026-61447 | PraisonAI: RCE via unsandboxed LLM code execution | praisonai | 10.0 |
| MEDIUM | CVE-2026-60088 | PraisonAI: path traversal leaks files into LLM prompts | praisonai | 5.5 |
| HIGH | CVE-2026-61426 | PraisonAI: insecure defaults expose agent secrets | praisonai | 8.6 |
| HIGH | CVE-2026-61428 | PraisonAI: webhook signature bypass enables spoofing | praisonai | 7.3 |
| HIGH | CVE-2026-61429 | PraisonAI: SSRF bypass via DNS rebinding/redirects | praisonai | 8.5 |
| HIGH | CVE-2026-61442 | PraisonAI Platform: workspace members bypass owner authz | 7.1 | |
| CRITICAL | CVE-2026-61445 | PraisonAI: AICoder root RCE via unsanitized tool calls | praisonai | 9.9 |
Page 56 of 56