Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-46339 | 9router: unauthenticated RCE exposes LLM API keys | 9router | 10.0 |
| MEDIUM | CVE-2026-46341 | @apify/actors-mcp-server: URL bypass → LLM prompt injection | 6.1 | |
| HIGH | CVE-2026-46519 | mcp-server-kubernetes: auth bypass enables full cluster RCE | mcp-server-kubernetes | 8.8 |
| MEDIUM | CVE-2026-9468 | cline-mcp-memory-bank: path traversal in memory init | 6.3 | |
| HIGH | CVE-2026-45368 | Kirby CMS: Stored XSS via javascript: URI scheme bypass | getkirby/cms | - |
| CRITICAL | CVE-2026-31233 | guardrails-ai: RCE via malicious Hub package manifest | guardrails-ai | 9.8 |
| MEDIUM | CVE-2026-47128 | nono-cli: sandbox escape via Unix socket bypass | nono-cli | 6.1 |
| HIGH | CVE-2026-32905 | OpenClaw: auth bypass enables persistent device enrollment | openclaw | 8.3 |
| MEDIUM | CVE-2026-32906 | OpenClaw: privilege escalation bypasses Slack plugin approval gate | openclaw | 4.3 |
| HIGH | CVE-2026-35630 | OpenClaw: auth bypass enables unauthorized agent approval | openclaw | 8.0 |
| HIGH | CVE-2026-35674 | OpenClaw: scope bypass enables full agent admin takeover | openclaw | 8.8 |
| HIGH | CVE-2026-47397 | PraisonAI: arbitrary file write via hidden webpage metadata | PraisonAI | - |
| CRITICAL | CVE-2026-47391 | PraisonAI: Unauth RCE via A2A eval injection | PraisonAI | 9.8 |
| HIGH | CVE-2026-47394 | PraisonAI: MCP path traversal exfiltrates host credentials | PraisonAI | - |
| MEDIUM | CVE-2026-47390 | PraisonAI: SSRF bypass via loopback alias encodings | PraisonAI | 5.5 |
| CRITICAL | GHSA-8whc-2wmv-ww35 | AVideo YPTSocket: Stored DOM XSS enables admin takeover | WWBN/AVideo | 9.6 |
| MEDIUM | CVE-2026-11326 | OpenAI Atlas: XSS enables browser history exfiltration | - | |
| MEDIUM | CVE-2026-47250 | mcp-server-kubernetes: flag injection steals K8s tokens | mcp-server-kubernetes | 6.1 |
| HIGH | GHSA-wx3m-whqv-xv47 | skillctl: path traversal enables credential exfiltration | skillctl | - |
| LOW | CVE-2026-53809 | OpenClaw: policy bypass exposes restricted tool access | openclaw | 3.8 |