Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE through code-interpreter sandboxes that are too easy to escape, and confused-deputy attacks in which the agent invokes a tool at the direction of attacker-controlled content rather than the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have had published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
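The four defenses listed above can be enforced in one place: a gateway that every tool call passes through. The following is an added example, not code from any of the projects in the table. The tool names (`send_email`, `fetch_url`), the recipient allowlist, the `ToolCall`/`ToolPolicy` shapes and the approval callback are all constructed for illustration; the tool implementations are stubs that send no mail and open no connections, so the module runs offline. It shows a recipient allowlist as a least-privilege scope, an SSRF guard that rejects non-public addresses for the browse tool, a trust-context tag that stops calls shaped by fetched content from driving the email tool (the confused-deputy case), a human-approval hook for irreversible actions, and an append-only audit record for every decision.

```python
"""Tool-invocation gateway for an LLM agent (illustrative example, not a project's code)."""
from __future__ import annotations

import ipaddress
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit


class ToolDenied(Exception):
    """Raised when a tool call fails an authorization check."""


@dataclass
class ToolCall:
    tool: str
    args: dict
    # Trust context the arguments came from (assumed tagging scheme). "user" = the
    # legitimate user's own turn; "content" = derived from fetched or pasted text
    # (a web page, an email body, a document) that an attacker may control.
    origin: str = "user"


@dataclass
class ToolPolicy:
    irreversible: bool = False            # side effect cannot be undone: ask a human first
    allow_untrusted_origin: bool = True   # may this tool be driven from the "content" context?
    check: Optional[Callable[[dict], None]] = None  # per-tool argument validator


EMAIL_ALLOWLIST = {"alice@example.com", "ops@example.com"}  # constructed allowlist


def check_email_args(args: dict) -> None:
    """Least-privilege scope for an email tool: every recipient must be allowlisted."""
    recipients = args.get("to", [])
    if not recipients:
        raise ToolDenied("email tool called without recipients")
    for rcpt in recipients:
        if rcpt.strip().lower() not in EMAIL_ALLOWLIST:
            raise ToolDenied(f"recipient not on allowlist: {rcpt}")


def check_fetch_args(args: dict) -> None:
    """SSRF guard for a browse tool: public http(s) destinations only."""
    parts = urlsplit(args.get("url", ""))
    if parts.scheme not in ("http", "https"):
        raise ToolDenied(f"scheme not permitted: {parts.scheme or '<none>'}")
    host = (parts.hostname or "").lower()  # urlsplit strips the [] around IPv6 literals
    if not host or host == "localhost" or host.endswith((".localhost", ".internal", ".local")):
        raise ToolDenied(f"host not permitted: {host or '<none>'}")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name. A production guard resolves it here, re-checks every returned
        # address and pins the connection to it, so DNS rebinding cannot bypass the check.
        return
    if not addr.is_global:  # loopback, RFC 1918, link-local (cloud metadata), ULA, ...
        raise ToolDenied(f"non-public address not permitted: {host}")


class ToolGateway:
    """Mediates every tool call: policy check, optional human approval, audit record."""

    def __init__(self, policies: dict[str, ToolPolicy], tools: dict[str, Callable[..., object]],
                 approve: Callable[[ToolCall], bool]):
        self.policies = policies
        self.tools = tools
        self.approve = approve          # human-in-the-loop hook for irreversible actions
        self.audit: list[dict] = []     # append-only invocation log

    def invoke(self, call: ToolCall) -> object:
        try:
            policy = self.policies.get(call.tool)
            if policy is None:
                raise ToolDenied(f"tool not registered: {call.tool}")
            if call.origin != "user" and not policy.allow_untrusted_origin:
                # Confused deputy: a call shaped by attacker-controlled content must not
                # drive a tool that acts with the user's authority.
                raise ToolDenied(f"{call.tool} may not be invoked from the {call.origin!r} context")
            if policy.check is not None:
                policy.check(call.args)
            if policy.irreversible and not self.approve(call):
                raise ToolDenied(f"human approval withheld for {call.tool}")
        except ToolDenied as exc:
            self._record(call, "deny", str(exc))
            raise
        result = self.tools[call.tool](**call.args)
        self._record(call, "allow", "")
        return result

    def try_invoke(self, call: ToolCall) -> tuple[str, str]:
        """Same as invoke() but returns ("allow", result) or ("deny", reason)."""
        try:
            return "allow", str(self.invoke(call))
        except ToolDenied as exc:
            return "deny", str(exc)

    def _record(self, call: ToolCall, decision: str, reason: str) -> None:
        self.audit.append({"ts": time.time(), "tool": call.tool, "origin": call.origin,
                           "args": call.args, "decision": decision, "reason": reason})


def _send_email(to: list, subject: str, body: str) -> str:
    return f"queued mail to {', '.join(to)}: {subject}"  # stub: sends nothing


def _fetch_url(url: str) -> str:
    return f"fetched {url}"  # stub: no network request is made


def build_gateway(approve: Callable[[ToolCall], bool]) -> ToolGateway:
    policies = {
        "send_email": ToolPolicy(irreversible=True, allow_untrusted_origin=False, check=check_email_args),
        "fetch_url": ToolPolicy(check=check_fetch_args),
    }
    return ToolGateway(policies, {"send_email": _send_email, "fetch_url": _fetch_url}, approve)


if __name__ == "__main__":
    gw = build_gateway(approve=lambda call: True)  # auto-approve for the demo only
    for call in [
        ToolCall("send_email", {"to": ["alice@example.com"], "subject": "Report", "body": "hi"}),
        ToolCall("send_email", {"to": ["someone@evil.example"], "subject": "x", "body": "x"}),
        ToolCall("send_email", {"to": ["alice@example.com"], "subject": "x", "body": "x"}, origin="content"),
        ToolCall("fetch_url", {"url": "http://169.254.169.254/latest/meta-data/"}, origin="content"),
        ToolCall("fetch_url", {"url": "https://example.com/report"}, origin="content"),
    ]:
        print(*gw.try_invoke(call))
    print(len(gw.audit), "audit records")
```

The `origin` tag is the part most agent frameworks lack: it has to be set by the agent loop when it turns model output into a tool call, based on whether the model's context at that point contained untrusted fetched content. Without that provenance, the gateway cannot tell a user-requested email from one dictated by a prompt-injected web page.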
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2025-15063 | Ollama: Command Injection enables RCE | - | - |
| CRITICAL | CVE-2024-42835 | Langflow: Unauthenticated RCE via PythonCodeTool | langflow | 9.8 |
| UNKNOWN | CVE-2026-0769 | langflow: Code Injection enables RCE | langflow | - |
| UNKNOWN | CVE-2026-0771 | langflow: Code Injection enables RCE | langflow | - |
| HIGH | CVE-2024-11030 | GPT Academic: SSRF via unsanitized HotReload plugin | gpt_academic | 7.5 |
| HIGH | CVE-2024-11031 | GPT Academic: SSRF in Markdown plugin leaks credentials | gpt_academic | 7.5 |
| HIGH | CVE-2024-45848 | MindsDB: RCE via eval() injection in ChromaDB INSERT | - | 8.8 |
| UNKNOWN | CVE-2025-34072 | Slack MCP: zero-click exfiltration via link unfurling | - | - |
| MEDIUM | CVE-2025-11844 | smolagents: security flaw enables exploitation | smolagents | 5.4 |
| CRITICAL | CVE-2025-13374 | Kalrav: Arbitrary File Upload enables RCE | - | 9.8 |
| MEDIUM | CVE-2026-25475 | OpenClaw: path traversal enables arbitrary file read | openclaw | 6.5 |
| CRITICAL | CVE-2026-25592 | semantic-kernel: Path Traversal enables file access | semantic-kernel | 9.9 |
| MEDIUM | CVE-2026-26972 | OpenClaw: path traversal allows arbitrary file write | openclaw | 6.7 |
| CRITICAL | CVE-2025-59528 | Flowise: Unauthenticated RCE via MCP config injection | flowise | 10.0 |
| CRITICAL | CVE-2025-61913 | Flowise: path traversal in file tools leads to RCE | flowise | 9.9 |
| HIGH | CVE-2025-56265 | n8n: unrestricted file upload RCE via Chat Trigger | n8n | 8.8 |
| HIGH | CVE-2025-62726 | n8n: security flaw enables exploitation | n8n | 8.8 |
| HIGH | CVE-2025-68613 | n8n: security flaw enables exploitation | n8n | 8.8 |
| MEDIUM | CVE-2025-61914 | n8n: XSS enables session hijacking | n8n | 5.4 |
| CRITICAL | CVE-2025-68668 | n8n: Protection Bypass circumvents security controls | n8n | 9.9 |