AI Threat Alert
Prompt Injection
Prompt injection is the most prevalent attack technique against LLM-based applications. The attacker embeds instructions inside untrusted input — a user message, a retrieved document, or a tool output — that the model then follows instead of (or in addition to) its system prompt. Variants include direct prompt injection (the attacker controls the user turn) and indirect prompt injection (instructions planted in content the LLM will later read, such as a web page or a PDF the application summarises). The OWASP LLM Top 10 ranks prompt injection as LLM01 — the highest-impact risk for production LLM applications. Real-world example: CVE-2024-11041 affected vLLM 0.5.5, where crafted prompts could trigger remote code execution via the OpenAI-compatible chat completion endpoint. Defenses include input classification, strict output parsing, separating trusted and untrusted context, and least-privilege tool design in agent frameworks.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| CRITICAL | CVE-2026-27966 | langflow: Code Injection enables RCE | langflow | 9.8 |
| HIGH | CVE-2026-25750 | langsmith: security flaw enables exploitation | langsmith | 8.1 |
| UNKNOWN | CVE-2026-25083 | GROWI: Missing Auth allows unauthorized operations | - | |
| CRITICAL | CVE-2026-28451 | OpenClaw: SSRF via Feishu extension exposes internal services | openclaw | 9.3 |
| CRITICAL | CVE-2026-30741 | OpenClaw: RCE via request-side prompt injection | openclaw | 9.8 |
| MEDIUM | CVE-2026-27578 | n8n: XSS enables session hijacking | n8n | 5.4 |
| CRITICAL | CVE-2023-29374 | LangChain: RCE via prompt injection in LLMMathChain | langchain | 9.8 |
| CRITICAL | CVE-2023-36095 | LangChain PALChain: RCE via unsanitized exec() calls | langchain | 9.8 |
| CRITICAL | CVE-2023-38860 | LangChain: RCE via unsanitized prompt parameter | langchain | 9.8 |
| CRITICAL | CVE-2023-38896 | LangChain: RCE via unsandboxed LLM code execution | langchain | 9.8 |
| CRITICAL | CVE-2023-39659 | LangChain: RCE via unsanitized PythonAstREPL input | langchain | 9.8 |
| HIGH | CVE-2023-32786 | LangChain: prompt injection triggers SSRF via URL fetch | langchain | 7.5 |
| HIGH | CVE-2024-38459 | LangChain: Python REPL code execution without opt-in | langchain-experimental | 7.8 |
| HIGH | CVE-2024-21513 | langchain-experimental: RCE via eval() in VectorSQL chain | langchain-experimental | 8.5 |
| CRITICAL | CVE-2024-7042 | LangChainJS: prompt injection enables full graph DB takeover | langchain | 9.8 |
| CRITICAL | CVE-2024-8309 | LangChain GraphCypher: prompt injection enables DB wipe | langchain | 9.8 |
| CRITICAL | CVE-2025-46059 | LangChain GmailToolkit: indirect prompt injection to RCE | 9.8 | |
| HIGH | CVE-2025-65106 | langchain-core: security flaw enables exploitation | langchain-core | - |
| HIGH | CVE-2024-58340 | langchain: security flaw enables exploitation | langchain | 7.5 |
| HIGH | CVE-2025-5018 | Hive Support WP: OpenAI key theft + prompt hijack | 7.1 |
Page 1 of 6