Prompt Injection
Prompt injection is the most prevalent attack technique against LLM-based applications. The attacker embeds instructions inside untrusted input — a user message, a retrieved document, or a tool output — that the model then follows instead of (or in addition to) its system prompt. Variants include direct prompt injection (the attacker controls the user turn) and indirect prompt injection (instructions planted in content the LLM will later read, such as a web page or a PDF the application summarises). The OWASP LLM Top 10 ranks prompt injection as LLM01 — the highest-impact risk for production LLM applications. Real-world example: CVE-2024-11041 affected vLLM 0.5.5, where crafted prompts could trigger remote code execution via the OpenAI-compatible chat completion endpoint. Defenses include input classification, strict output parsing, separating trusted and untrusted context, and least-privilege tool design in agent frameworks.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2026-45310 | deepseek-tui: SSRF bypass leaks cloud IAM credentials | deepseek-tui | 7.4 |
| HIGH | GHSA-hv85-774v-26fg | auth-fetch-mcp: SSRF + disk-exfil via unvalidated tool URLs | auth-fetch-mcp | 8.2 |
| MEDIUM | CVE-2026-46341 | @apify/actors-mcp-server: URL bypass → LLM prompt injection | 6.1 | |
| CRITICAL | CVE-2026-25879 | langroid: Prompt-to-SQL injection enables RCE on DB host | langroid | 9.8 |
| HIGH | CVE-2026-47397 | PraisonAI: arbitrary file write via hidden webpage metadata | PraisonAI | - |
| CRITICAL | CVE-2026-47391 | PraisonAI: Unauth RCE via A2A eval injection | PraisonAI | 9.8 |
| MEDIUM | CVE-2026-47395 | PraisonAI: SSRF via @url mention exposes localhost services | PraisonAI | 5.5 |
| MEDIUM | CVE-2026-47250 | mcp-server-kubernetes: flag injection steals K8s tokens | mcp-server-kubernetes | 6.1 |
| MEDIUM | CVE-2026-53851 | OpenClaw: Slack reaction bypass triggers agent pipeline | openclaw | 5.3 |
| LOW | CVE-2026-54326 | pi-coding-agent: XSS in HTML exports via prompt injection | 2.5 | |
| HIGH | CVE-2026-54007 | open-webui: cross-origin postMessage forces model execution | open-webui | - |
| MEDIUM | GHSA-8jr5-v98p-w75m | vllm: EXIF/tRNS preprocessing gap enables adversarial input | vllm | 4.8 |
| HIGH | GHSA-4pcv-mg8v-vrgf | praisonaiagents: SSRF + prompt injection, IAM cred exposure | praisonaiagents | 8.8 |
| HIGH | GHSA-c969-5x3p-vq3v | praisonaiagents: IMAP injection via prompt → email exfil | praisonaiagents | 8.1 |
| HIGH | GHSA-x92v-rpx6-p6cw | PraisonAI: webhook auth bypass enables agent prompt injection | praisonai | 8.6 |
| CRITICAL | GHSA-4869-x4pr-q22x | PraisonAI: Unauthenticated RCE via Jobs API auth bypass | praisonaiagents | 9.8 |
| MEDIUM | GHSA-pv2j-rghr-v5r9 | praisonaiagents: sandbox escape via format-spec read | praisonaiagents | 6.5 |
| HIGH | GHSA-fc26-m9pf-v56q | PraisonAI LinearBot: webhook auth bypass enables agent exec | praisonai | 8.6 |
| HIGH | GHSA-5jv7-2mjm-h6qj | praisonai: shell allowlist bypass enables OS command injection | praisonai | 8.8 |
| CRITICAL | GHSA-p69m-4f92-2v84 | praisonai: sandbox escape in codeMode → full host RCE | praisonai | 9.8 |