Agent
Agents are LLM applications that can take actions — call tools, write files, hit APIs, browse the web, or invoke other agents. That capability shifts the security model fundamentally: a prompt-injection payload in a chat app is annoying, but the same payload in an agent can trigger real actions (send email, transfer funds, push code). Indirect prompt injection is especially dangerous here because agents routinely consume untrusted content (web pages, emails, files) where attacker instructions can hide. The OWASP LLM Top 10 added "Excessive Agency" as LLM08 specifically for this class. AI Threat Alert tracks CVEs in popular agent frameworks (LangGraph, CrewAI, AutoGen, AutoGPT, LangChain agents) and incident reports from AIID for production agent misuse. Defenses: human-in-the-loop for irreversible actions, scoped tool permissions, separate trust boundaries between agent-controlled and user-controlled context, and budget caps on tool invocation.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2025-63390 | anythingllm: Missing Auth allows unauthenticated access | 5.3 | |
| CRITICAL | CVE-2025-13374 | Kalrav: Arbitrary File Upload enables RCE | 9.8 | |
| MEDIUM | CVE-2026-25475 | OpenClaw: path traversal enables arbitrary file read | openclaw | 6.5 |
| MEDIUM | CVE-2026-25640 | pydantic-ai: Path Traversal enables file access | pydantic-ai-slim | 5.4 |
| HIGH | CVE-2026-25580 | pydantic-ai: SSRF allows internal network access | pydantic-ai-slim | 8.6 |
| CRITICAL | CVE-2026-25592 | semantic-kernel: Path Traversal enables file access | semantic-kernel | 9.9 |
| MEDIUM | CVE-2026-26320 | OpenClaw: UI deception enables arbitrary command execution | openclaw | 6.5 |
| MEDIUM | CVE-2026-26972 | OpenClaw: path traversal allows arbitrary file write | openclaw | 6.7 |
| HIGH | CVE-2026-27001 | OpenClaw: prompt injection via unsanitized workspace path | openclaw | 7.8 |
| HIGH | CVE-2026-24780 | agpt: Code Injection enables RCE | 8.8 | |
| HIGH | CVE-2024-36420 | Flowise: unauthenticated arbitrary file read via API | flowise | 7.5 |
| HIGH | CVE-2024-36421 | Flowise: CORS wildcard enables file read and data theft | flowise | 7.5 |
| MEDIUM | CVE-2024-36422 | Flowise: reflected XSS enables session hijack and file read | flowise | 6.1 |
| MEDIUM | CVE-2024-36423 | Flowise: reflected XSS in chatflow API enables session hijack | flowise | 6.1 |
| MEDIUM | CVE-2024-37145 | Flowise: reflected XSS enables file read chain via chatflow | flowise | 6.1 |
| MEDIUM | CVE-2024-37146 | Flowise: reflected XSS enables credential theft | flowise | 6.1 |
| HIGH | CVE-2025-30358 | Mesop: class pollution enables DoS and LLM jailbreak | 8.1 | |
| CRITICAL | CVE-2025-58434 | Flowise: auth bypass in reset flow allows full ATO | flowise | 9.8 |
| HIGH | CVE-2025-59527 | Flowise: unauthenticated SSRF exposes internal network | flowise | 7.5 |
| CRITICAL | CVE-2025-59528 | Flowise: Unauthenticated RCE via MCP config injection | flowise | 10.0 |