AI Threat Alert
Prompt Injection
Prompt injection is the most prevalent attack technique against LLM-based applications. The attacker embeds instructions inside untrusted input — a user message, a retrieved document, or a tool output — that the model then follows instead of (or in addition to) its system prompt. Variants include direct prompt injection (the attacker controls the user turn) and indirect prompt injection (instructions planted in content the LLM will later read, such as a web page or a PDF the application summarises). The OWASP LLM Top 10 ranks prompt injection as LLM01 — the highest-impact risk for production LLM applications. Real-world example: CVE-2024-11041 affected vLLM 0.5.5, where crafted prompts could trigger remote code execution via the OpenAI-compatible chat completion endpoint. Defenses include input classification, strict output parsing, separating trusted and untrusted context, and least-privilege tool design in agent frameworks.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-28788 | Open WebUI: BOLA enables RAG poisoning via file overwrite | open-webui | 7.1 |
| HIGH | CVE-2026-33989 | @mobilenext/mobile-mcp: path traversal via AI agent tool | @mobilenext/mobile-mcp | 8.1 |
| HIGH | CVE-2026-2285 | CrewAI: arbitrary file read via JSON loader tool | 7.5 | |
| HIGH | CVE-2026-4399 | 1millionbot Millie: Boolean prompt injection bypasses restrictions | 7.5 | |
| MEDIUM | CVE-2026-34451 | anthropic-ai/sdk: memory tool path traversal escape | @anthropic-ai/sdk | - |
| HIGH | CVE-2026-34954 | praisonaiagents: SSRF leaks cloud IAM credentials | praisonaiagents | 8.6 |
| HIGH | CVE-2026-34955 | PraisonAI: sandbox escape via shell=True blocklist bypass | praisonai | 8.8 |
| HIGH | CVE-2026-34937 | PraisonAI: OS command injection via run_python() shell escape | praisonaiagents | 7.8 |
| CRITICAL | CVE-2026-34938 | praisonaiagents: sandbox bypass enables full host RCE | praisonaiagents | 10.0 |
| HIGH | CVE-2026-35394 | mobile-mcp: intent injection enables device control via AI agent | @mobilenext/mobile-mcp | 8.3 |
| CRITICAL | CVE-2026-39305 | PraisonAI: path traversal enables arbitrary file write/RCE | PraisonAI | 9.0 |
| MEDIUM | GHSA-846p-hgpv-vphc | OpenClaw: path traversal → host file exfiltration via QQ Bot | openclaw | - |
| MEDIUM | CVE-2026-39398 | openclaw-claude-bridge: sandbox bypass exposes CLI tools | claude-code | - |
| HIGH | CVE-2026-39891 | praisonai: SSTI enables RCE via agent instructions | praisonai | 8.8 |
| CRITICAL | GHSA-2763-cj5r-c79m | PraisonAI: RCE via shell injection in agent workflows | PraisonAI | 9.7 |
| MEDIUM | GHSA-926x-3r5x-gfhw | LangChain: f-string template injection exposes object internals | langchain-core | 5.3 |
| HIGH | GHSA-jf56-mccx-5f3f | OpenClaw: wake hook trust violation elevates to System prompt | openclaw | - |
| HIGH | GHSA-gfmx-pph7-g46x | openclaw: trust boundary bypass enables prompt injection | openclaw | - |
| MEDIUM | CVE-2026-40087 | LangChain: template injection leaks object attributes | langchain-core | 5.3 |
| CRITICAL | CVE-2026-40111 | PraisonAI: RCE via shell injection in memory hooks executor | praisonaiagents | - |