Plugin
Plugins and tools are the bridge between an LLM and the world outside it: a web-fetch tool, a code interpreter, a shell, an email API, a calendar integration. Each tool the agent can invoke is a new piece of attack surface, and the agent's prompt-injection problem becomes the tool's authorization problem. Common patterns we see in CVEs and AIID reports include over-broad tool permissions (an email-sending tool with no recipient allowlist), SSRF in browse-the-web tools, RCE in code-interpreter sandboxes that escape too easily, and confused-deputy attacks where the agent invokes a tool on behalf of an attacker-controlled prompt instead of the legitimate user. OpenAI's plugin ecosystem and ChatGPT's tool framework have shipped published vulnerabilities; LangChain, LangGraph, CrewAI, and AutoGen have each had agent-tool CVEs. Defenses: least-privilege tool scopes, human-in-the-loop on irreversible actions, separate trust contexts, and auditable tool invocation logs.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-21877 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-0863 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-1470 | n8n: Code Injection enables RCE | n8n | 9.9 |
| CRITICAL | CVE-2026-25053 | n8n: Command Injection enables RCE | n8n | 9.9 |
| HIGH | CVE-2026-25056 | n8n: Arbitrary File Upload enables RCE | n8n | 8.8 |
| CRITICAL | CVE-2026-25115 | n8n: Protection Bypass circumvents security controls | n8n | 9.9 |
| CRITICAL | CVE-2026-33309 | langflow: Path Traversal enables file access | langflow | 9.9 |
| CRITICAL | CVE-2026-27825 | mcp-atlassian: Path Traversal enables file access | mcp-atlassian | 9.1 |
| HIGH | CVE-2026-27826 | mcp-atlassian: SSRF allows internal network access | mcp-atlassian | 8.2 |
| CRITICAL | CVE-2026-25481 | langroid: Code Injection enables RCE | langroid | - |
| CRITICAL | CVE-2026-25130 | cai-framework: Command Injection enables RCE | 9.7 | |
| MEDIUM | GHSA-gpx9-96j6-pp87 | agentos-taskweaver: Protection Bypass circumvents security controls | agentos-taskweaver | 6.5 |
| HIGH | CVE-2025-64496 | open-webui: Code Injection enables RCE | open-webui | 7.3 |
| CRITICAL | CVE-2024-11958 | llama-index DuckDB retriever: SQLi enables RCE | llama-index-retrievers-duckdb-retriever | 9.8 |
| HIGH | CVE-2025-30370 | jupyterlab-git: command injection via malicious repo name | jupyterlab-git | 7.4 |
| CRITICAL | CVE-2024-12909 | llama-index finchat: SQL injection enables RCE | llama-index-packs-finchat | 10.0 |
| MEDIUM | CVE-2024-7037 | open-webui: path traversal → arbitrary file write/RCE | open-webui | 6.5 |
| HIGH | CVE-2026-33696 | n8n: Prototype pollution enables RCE via workflow nodes | n8n | 8.8 |
| HIGH | CVE-2026-33713 | n8n: SQLi in Data Table node, full DB compromise | n8n | 8.8 |
| HIGH | CVE-2026-33989 | @mobilenext/mobile-mcp: path traversal via AI agent tool | @mobilenext/mobile-mcp | 8.1 |