Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-x92v-rpx6-p6cw | PraisonAI: webhook auth bypass enables agent prompt injection | praisonai | 8.6 |
| HIGH | GHSA-vxgj-xg5c-p4h7 | praisonaiagents: SSRF DNS bypass exposes internal services | praisonaiagents | 8.5 |
| CRITICAL | GHSA-4869-x4pr-q22x | PraisonAI: Unauthenticated RCE via Jobs API auth bypass | praisonaiagents | 9.8 |
| MEDIUM | GHSA-pv2j-rghr-v5r9 | praisonaiagents: sandbox escape via format-spec read | praisonaiagents | 6.5 |
| MEDIUM | GHSA-6h9p-93hq-q7h6 | praisonaiagents: SSRF bypass via SpiderTools redirect | praisonaiagents | 6.5 |
| HIGH | GHSA-w6h2-fr4q-xvxv | PraisonAI: file tool shell injection enables RCE | praisonai | 8.8 |
| HIGH | GHSA-j7qx-p75m-wp7g | PraisonAI: path traversal exposes arbitrary host files | praisonai | 7.5 |
| HIGH | GHSA-vmf9-xx9w-86wx | PraisonAI: DNS rebinding exposes MCP agent tools | praisonai | 8.3 |
| HIGH | GHSA-8579-rgg5-ph2m | praisonai: Discord approval bypass executes agent tools | praisonai | 8.8 |
| HIGH | GHSA-5jv7-2mjm-h6qj | praisonai: shell allowlist bypass enables OS command injection | praisonai | 8.8 |
| CRITICAL | GHSA-p69m-4f92-2v84 | praisonai: sandbox escape in codeMode → full host RCE | praisonai | 9.8 |
| CRITICAL | GHSA-vmmj-pfw7-fjwp | praisonai: sandbox escape gives RCE via codeMode tool | praisonai | 9.9 |
| HIGH | CVE-2026-54002 | Kirby CMS: stored XSS bypasses DOM sanitizer via unwrap flaw | getkirby/cms | - |
| MEDIUM | CVE-2026-50188 | Kirby CMS: CRLF injection overrides outbound HTTP headers | getkirby/cms | - |
| UNKNOWN | CVE-2026-49276 | Kirby CMS: XSS via writer field malicious links | getkirby/cms | - |
| MEDIUM | CVE-2026-22551 | @theia/ai-chat: prompt injection exfiltrates workspace secrets | @theia/ai-ide | - |
| HIGH | CVE-2026-46580 | Eclipse Theia: workspace prompt injection enables RCE/exfil | @theia/ai-editor | - |
| MEDIUM | CVE-2026-56074 | PraisonAI: tool approval bypass enables credential theft | PraisonAI | 5.5 |
| MEDIUM | GHSA-vmhf-c436-hxj4 | JupyterLab: XSS via malicious PyPI extension URL | jupyterlab | - |
| HIGH | GHSA-vcv2-r9jh-99m5 | agentic-flow: MCP tool args enable OS command injection RCE | 8.8 |