Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-49357 | line-desktop-mcp: unauthenticated HTTP exposes LINE chats | line-desktop-mcp | - |
| HIGH | CVE-2026-54528 | jupyterlab-git: excluded_paths bypass exposes secrets | jupyterlab-git | 7.1 |
| UNKNOWN | CVE-2026-54527 | jupyterlab-git: stored XSS escalates to full RCE | @jupyterlab/git | - |
| HIGH | CVE-2026-54317 | Home Assistant Konnected: auth bypass leaks alarm panel state | homeassistant | 7.6 |
| HIGH | CVE-2026-53488 | containerd: label injection enables host RCE via CRI plugin | github.com/containerd/containerd/v2 | - |
| HIGH | GHSA-mrvx-jmjw-vggc | mcp-searxng: SSRF via DNS rebinding in web_url_read | 7.1 | |
| HIGH | GHSA-xcqx-9jf5-w339 | mcp-searxng: DoS via unbounded URL response read | 7.5 | |
| CRITICAL | CVE-2024-58351 | Flowise: RCE and sandbox escape via overrideConfig | Flowise | 9.8 |
| MEDIUM | CVE-2025-71331 | Flowise: XSS enables session hijacking in AI agent UI | Flowise | 6.1 |
| MEDIUM | CVE-2026-12798 | litellm: SSRF in MCP OpenAPI spec loader endpoint | litellm | 6.3 |
| MEDIUM | CVE-2026-56393 | Craft CMS: stored XSS hijacks admin panel sessions | 4.8 | |
| MEDIUM | CVE-2026-56357 | n8n: webhook forgery enables unauthorized workflow execution | n8n | 4.0 |
| CRITICAL | CVE-2026-56274 | Flowise: RCE via MCP server command validation bypass | Flowise | 9.9 |
| MEDIUM | CVE-2026-22168 | OpenClaw: cmd.exe argument smuggling evades approval log | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-22169 | OpenClaw: safeBins allowlist bypass enables command exec | OpenClaw | 6.7 |
| MEDIUM | CVE-2026-22170 | OpenClaw: empty allowlist bypasses BlueBubbles DM auth | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-22180 | OpenClaw: path traversal enables arbitrary file writes | OpenClaw | 5.3 |
| HIGH | CVE-2026-22179 | OpenClaw: allowlist bypass enables arbitrary OS command exec | OpenClaw | 7.2 |
| HIGH | CVE-2026-22171 | OpenClaw: path traversal allows arbitrary file write | OpenClaw | 8.2 |
| HIGH | CVE-2026-27566 | OpenClaw: allowlist bypass enables arbitrary OS command exec | OpenClaw | 7.1 |