Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | GHSA-7cqp-7cfv-6c3q | AVideo Meet: Stored XSS via User-Agent → admin takeover | wwbn/avideo | - |
| HIGH | CVE-2026-55249 | @rtk-ai/rtk-rewrite: RCE via shell injection in exec tool | openclaw | 8.8 |
| MEDIUM | CVE-2026-56358 | n8n: stored XSS in Form Trigger enables form hijacking | n8n | 5.4 |
| CRITICAL | CVE-2026-12537 | Gemini CLI: OS command injection enables pre-sandbox RCE | run-gemini-cli GitHub Action | - |
| CRITICAL | CVE-2025-71338 | Flowise: unauthenticated file write enables RCE | Flowise | 10.0 |
| MEDIUM | CVE-2026-9699 | Mattermost: OpenAI API key leaks into logs on auth errors | 6.8 | |
| HIGH | CVE-2026-57527 | ZAP: insecure deserialization RCE via ViewState add-on | 8.8 | |
| MEDIUM | CVE-2026-58057 | Flowise: NODE_OPTIONS denylist bypass allows RCE | flowise | 5.0 |
| HIGH | CVE-2026-57947 | Pinpoint APM: SSRF via alarm webhook registration | pinpoint | 8.5 |
| HIGH | CVE-2026-10564 | Langflow: SSRF via RSS/SearXNG exposes cloud IAM creds | langflow | 8.2 |
| CRITICAL | CVE-2026-10134 | Langflow: unauthenticated RCE via tool_code injection | langflow | 10.0 |
| CRITICAL | CVE-2026-7663 | Langflow: auth bypass in MCP transport exposes projects | langflow | 9.8 |
| UNKNOWN | CVE-2026-56277 | Flowise: wildcard CORS on TTS endpoint abuses creds | Flowise | - |
| MEDIUM | CVE-2026-56356 | n8n: stored XSS in Chat Trigger Custom CSS field | n8n | 5.4 |
| MEDIUM | CVE-2026-56777 | n8n: AST validator bypass leaks env vars in Python node | n8n | 5.0 |
| HIGH | CVE-2026-13731 | WPBot: unauthenticated stored XSS via chatbot conversation field | wpbot | 7.2 |
| HIGH | CVE-2026-49857 | auth-fetch-mcp: SSRF bypass via IPv6 loopback | auth-fetch-mcp | 7.4 |
| MEDIUM | GHSA-9c3v-684m-579c | OpenClaw: MCP SSE redirect leaks Authorization headers | openclaw | 6.5 |
| MEDIUM | CVE-2026-50280 | Craft CMS: entry section permission bypass | - | |
| HIGH | CVE-2025-69134 | OpenAI Chatbot WP Helper: unauth content deletion | OpenAI Chatbot for WordPress – Helper | 7.5 |