Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2026-54310 | n8n: SQL injection in Postgres nodes, CVSS 9.9 | n8n | - |
| UNKNOWN | CVE-2026-49465 | n8n: Git node path traversal bypasses file sandbox | n8n | - |
| UNKNOWN | CVE-2026-49444 | n8n: Python sandbox escape enables container RCE | n8n | - |
| HIGH | CVE-2026-53840 | OpenClaw: credential exfiltration via MCP header forwarding | openclaw | 7.1 |
| MEDIUM | CVE-2026-53851 | OpenClaw: Slack reaction bypass triggers agent pipeline | openclaw | 5.3 |
| HIGH | CVE-2026-53855 | OpenClaw: allowlist bypass enables shell code execution | openclaw | 8.1 |
| HIGH | CVE-2026-53863 | OpenClaw: access control bypass via unvalidated group ID | openclaw | 7.1 |
| HIGH | CVE-2026-53864 | OpenClaw: env var bypass enables child process code exec | openclaw | 8.1 |
| UNKNOWN | CVE-2026-54304 | n8n: credential exfiltration via SecurityScorecard SSRF node | n8n | - |
| UNKNOWN | CVE-2026-54309 | n8n: MCP browser auth bypass allows full browser takeover | n8n | - |
| UNKNOWN | CVE-2026-54305 | n8n: IDOR enables OAuth credential hijack in agent workflows | n8n | - |
| UNKNOWN | CVE-2026-54302 | n8n: stored XSS in Chat Trigger enables session hijack | n8n | - |
| MEDIUM | CVE-2026-54303 | n8n: reflected XSS in trigger nodes enables session hijack | n8n | - |
| UNKNOWN | CVE-2026-54312 | n8n: prototype pollution renders instance non-functional | n8n | - |
| HIGH | CVE-2025-60223 | WPBot Pro: subscriber file deletion → system DoS | wpbot-pro | 7.7 |
| HIGH | CVE-2026-54011 | Open WebUI: Stored XSS via Mermaid loose mode in preview | open-webui | 8.7 |
| HIGH | GHSA-4pcv-mg8v-vrgf | praisonaiagents: SSRF + prompt injection, IAM cred exposure | praisonaiagents | 8.8 |
| CRITICAL | GHSA-29w3-p9w9-wc47 | PraisonAI: multiedit path traversal, arbitrary file R/W | praisonai | 9.1 |
| HIGH | GHSA-c969-5x3p-vq3v | praisonaiagents: IMAP injection via prompt → email exfil | praisonaiagents | 8.1 |
| CRITICAL | GHSA-p75f-6fp4-p57w | PraisonAI: unauthenticated RCE via MCP connect endpoint | praisonai | 9.8 |