Prompt Injection
Prompt injection is the most prevalent attack technique against LLM-based applications. The attacker embeds instructions inside untrusted input — a user message, a retrieved document, or a tool output — that the model then follows instead of (or in addition to) its system prompt. Variants include direct prompt injection (the attacker controls the user turn) and indirect prompt injection (instructions planted in content the LLM will later read, such as a web page or a PDF the application summarises). The OWASP LLM Top 10 ranks prompt injection as LLM01 — the highest-impact risk for production LLM applications. Real-world example: CVE-2024-11041 affected vLLM 0.5.5, where crafted prompts could trigger remote code execution via the OpenAI-compatible chat completion endpoint. Defenses include input classification, strict output parsing, separating trusted and untrusted context, and least-privilege tool design in agent frameworks.
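The last sentence names the defences; the following is an added example (not code from any project in the table below) of the defender side of an agent tool loop: the model turn is parsed strictly as a bare JSON tool call, tools come from an allowlist, and each tool validates its own arguments so that an injected instruction cannot steer web_crawl at link-local metadata addresses, read files outside a sandbox root, or fire a side-effecting tool without human approval. SANDBOX_ROOT, the tool names and the mail domain are assumptions.

```python
import ipaddress
import json
import os
import socket
from urllib.parse import urlparse

SANDBOX_ROOT = os.path.realpath("/srv/agent/workspace")  # assumed sandbox dir, not a real project path

def safe_url(url: str) -> bool:
    """Allow only http(s) to hosts resolving to public addresses, so a steered model cannot
    point web_crawl at private or link-local ranges such as 169.254.169.254 (cloud metadata)."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        addrs = {ai[4][0].split("%")[0] for ai in socket.getaddrinfo(p.hostname, None)}
    except socket.gaierror:
        return False
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)

def safe_path(path: str) -> bool:
    """Confine read_file to SANDBOX_ROOT after resolving '..' and symlinks."""
    real = os.path.realpath(os.path.join(SANDBOX_ROOT, path))
    return real == SANDBOX_ROOT or real.startswith(SANDBOX_ROOT + os.sep)

# Hypothetical allowlist: (argument validator, needs human approval before running)
TOOLS = {
    "web_crawl": (lambda a: safe_url(a.get("url", "")), False),
    "read_file": (lambda a: safe_path(a.get("path", "")), False),
    "send_email": (lambda a: a.get("to", "").endswith("@example.com"), True),
}

def dispatch(model_output: str, approved: bool = False) -> str:
    """Strictly parse one model turn as a tool call and decide whether it may run.
    Anything but a bare JSON object with exactly 'tool' and 'args' is refused."""
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError:
        return "denied: not a bare JSON tool call"
    if not isinstance(call, dict) or set(call) != {"tool", "args"} or not isinstance(call["args"], dict):
        return "denied: malformed tool call"
    entry = TOOLS.get(call["tool"])
    if entry is None:
        return "denied: tool not in allowlist"
    validate, needs_approval = entry
    if not validate(call["args"]):
        return "denied: arguments fail validation"
    if needs_approval and not approved:
        return "pending: human approval required"
    return "allowed"
```

The URL check resolves the host and judges every returned address, which closes the IP-literal and DNS-to-private-range cases that a scheme or hostname string match alone would miss.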
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| MEDIUM | CVE-2026-40112 | PraisonAI: XSS via no-op HTML sanitizer in agent output | praisonai | 5.4 |
| MEDIUM | CVE-2026-40117 | PraisonAI: arbitrary file read via unguarded skill tool | praisonaiagents | 6.2 |
| HIGH | CVE-2026-40150 | PraisonAIAgents: SSRF exposes cloud metadata via web_crawl | praisonaiagents | 7.7 |
| MEDIUM | GHSA-ffp3-3562-8cv3 | PraisonAI: tool approval bypass leaks env credentials | praisonaiagents | 5.5 |
| HIGH | CVE-2026-40160 | praisonaiagents: SSRF in web_crawl exposes cloud metadata | praisonaiagents | - |
| HIGH | GHSA-qwgj-rrpj-75xm | PraisonAI: hardcoded approval bypass enables RCE | PraisonAI | 8.8 |
| HIGH | CVE-2026-40153 | praisonaiagents: env var expansion exposes production secrets | praisonaiagents | 7.4 |
| HIGH | GHSA-p4h8-56qp-hpgv | mcp-ssh: argument injection enables LLM-driven local RCE | - | - |
| HIGH | GHSA-6r77-hqx7-7vw8 | FlowiseAI: SSRF via prompt injection in API Chain | flowise-components | 7.1 |
| HIGH | GHSA-f228-chmx-v6j6 | Flowise: prompt injection RCE via AirtableAgent | flowise-components | 8.3 |
| MEDIUM | GHSA-7g8c-cfr3-vqqr | openclaw: trust escalation via unsanitized agent hook events | openclaw | - |
| CRITICAL | GHSA-v38x-c887-992f | Flowise: prompt injection bypasses Python sandbox RCE | flowise-components | - |
| HIGH | CVE-2026-39861 | Claude Code: sandbox escape via symlink allows arbitrary write | @anthropic-ai/claude-code | - |
| CRITICAL | CVE-2026-41264 | Flowise: prompt injection → unsandboxed RCE via CSV Agent | flowise-components | 9.8 |
| HIGH | GHSA-2r2p-4cgf-hv7h | engramx: CSRF injects persistent prompts into AI agents | - | - |
| CRITICAL | CVE-2026-41265 | Flowise: RCE via prompt injection in Airtable Agent | flowise | 9.8 |
| HIGH | CVE-2026-41138 | Flowise: RCE via unsanitized input in AirtableAgent | flowise | 8.8 |
| HIGH | CVE-2026-41271 | Flowise: SSRF via prompt template injection in API Chain | flowise | 8.3 |
| CRITICAL | GHSA-wpqr-6v78-jr5g | Gemini CLI: RCE via malicious workspace in CI/CD | @google/gemini-cli | 10.0 |
| MEDIUM | GHSA-7jm2-g593-4qrc | openclaw: config guard bypass, persistent settings mutation | openclaw | - |