Prompt Injection
Prompt injection is the most prevalent attack technique against LLM-based applications. The attacker embeds instructions inside untrusted input (a user message, a retrieved document, or a tool output) that the model then follows instead of, or in addition to, its system prompt. Variants include direct prompt injection, where the attacker controls the user turn, and indirect prompt injection, where instructions are planted in content the LLM will later read, such as a web page or a PDF the application summarises. The OWASP LLM Top 10 ranks prompt injection as LLM01, the highest-impact risk for production LLM applications. Real-world example: CVE-2024-11041 affected vLLM 0.5.5, where crafted prompts could trigger remote code execution via the OpenAI-compatible chat completion endpoint. Defenses include input classification, strict output parsing, separating trusted from untrusted context, and least-privilege tool design in agent frameworks.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| UNKNOWN | CVE-2025-59532 | OpenAI Codex CLI: sandbox escape via model-generated cwd | - | - |
| UNKNOWN | CVE-2024-48919 | Cursor IDE: prompt injection triggers terminal RCE | - | - |
| CRITICAL | CVE-2024-12366 | PandasAI: prompt injection enables unauthenticated RCE | - | 9.8 |
| UNKNOWN | CVE-2024-10950 | gpt_academic: RCE via unsandboxed prompt injection | gpt_academic | - |
| HIGH | CVE-2024-12911 | llama-index: SQLi+DoS via prompt injection in query engine | llamaindex | 7.1 |
| HIGH | CVE-2025-66404 | mcp-server-kubernetes: Command Injection enables RCE | - | 8.8 |
| LOW | CVE-2026-24764 | OpenClaw: indirect prompt injection via Slack metadata | openclaw | 3.7 |
| HIGH | CVE-2026-26321 | OpenClaw: path traversal enables local file exfiltration | openclaw | 7.5 |
| CRITICAL | CVE-2024-23751 | LlamaIndex: SQL injection in Text-to-SQL feature | llamaindex | 9.8 |
| UNKNOWN | CVE-2025-34072 | Slack MCP: zero-click exfiltration via link unfurling | - | - |
| UNKNOWN | CVE-2025-55012 | Zed Agent Panel: AI agent RCE via permissions bypass | - | - |
| CRITICAL | CVE-2025-67511 | cai-framework: Command Injection enables RCE | - | 9.6 |
| HIGH | CVE-2026-27001 | OpenClaw: prompt injection via unsanitized workspace path | openclaw | 7.8 |
| CRITICAL | CVE-2026-27825 | mcp-atlassian: Path Traversal enables file access | mcp-atlassian | 9.1 |
| HIGH | CVE-2026-27826 | mcp-atlassian: SSRF allows internal network access | mcp-atlassian | 8.2 |
| CRITICAL | CVE-2026-25481 | langroid: Code Injection enables RCE | langroid | - |
| CRITICAL | CVE-2026-25130 | cai-framework: Command Injection enables RCE | - | 9.7 |
| MEDIUM | GHSA-gpx9-96j6-pp87 | agentos-taskweaver: Protection Bypass circumvents security controls | agentos-taskweaver | 6.5 |
| CRITICAL | CVE-2023-32785 | LangChain: prompt injection → SQL RCE (CVSS 9.8) | langchain | 9.8 |
| UNKNOWN | CVE-2026-33873 | Langflow: server-side RCE via LLM-generated code exec | langflow | - |