Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-hw9r-h9mr-4jff | OpenClaw: chat.send routing bypasses admin auth scopes | openclaw | 8.8 |
| HIGH | GHSA-mgq6-vr84-7m2j | OpenClaw: QQBot approval button auth bypass | openclaw | 8.0 |
| MEDIUM | CVE-2026-9557 | Mautic Focus: SSRF enables internal network recon | mautic/core | 6.4 |
| HIGH | CVE-2025-71380 | n8n: authenticated RCE via Execute Command node | n8n | 8.8 |
| HIGH | CVE-2026-55431 | Coder: session token leak via workspace app URL | github.com/coder/coder/v2 | 7.7 |
| HIGH | CVE-2026-6101 | AMP for WP: unsafe ZIP extraction enables file write | 7.5 | |
| MEDIUM | CVE-2026-34225 | open-webui: blind SSRF via image-edit URL fetch | open-webui | 4.3 |
| HIGH | CVE-2025-46719 | Open WebUI: chat XSS steals tokens, admin RCE | open-webui | - |
| CRITICAL | CVE-2026-1114 | lollms: weak JWT secret allows admin takeover | lollms | 9.8 |
| HIGH | CVE-2026-57252 | Foxit PDF: use-after-free in attachment panel via JS page deletion | 7.8 | |
| MEDIUM | CVE-2026-56360 | n8n: unsigned Zendesk webhook allows workflow forgery | n8n | 4.0 |
| HIGH | CVE-2026-56776 | n8n: workflow:read scope bypass triggers execution | n8n | 7.4 |
| HIGH | CVE-2026-59257 | n8n: SQL injection via MySQL v1 node expressions | n8n | 8.8 |
| MEDIUM | CVE-2026-60092 | AVideo Meet: stored XSS via unescaped User-Agent | 6.1 | |
| UNKNOWN | CVE-2026-59821 | LiteLLM: code exec via unsandboxed Custom Guardrails | litellm | - |
Page 23 of 23