Prompt Injection
Prompt injection is the most prevalent attack technique against LLM-based applications. The attacker embeds instructions inside untrusted input — a user message, a retrieved document, or a tool output — that the model then follows instead of (or in addition to) its system prompt. Variants include direct prompt injection (the attacker controls the user turn) and indirect prompt injection (instructions planted in content the LLM will later read, such as a web page or a PDF the application summarises). The OWASP LLM Top 10 ranks prompt injection as LLM01 — the highest-impact risk for production LLM applications. Real-world example: CVE-2024-11041 affected vLLM 0.5.5, where crafted prompts could trigger remote code execution via the OpenAI-compatible chat completion endpoint. Defenses include input classification, strict output parsing, separating trusted and untrusted context, and least-privilege tool design in agent frameworks.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | GHSA-vjv9-7m7j-h833 | praisonai (npm): allowlist bypass enables RCE | praisonai | 8.8 |
| CRITICAL | GHSA-vmmj-pfw7-fjwp | praisonai: sandbox escape gives RCE via codeMode tool | praisonai | 9.9 |
| MEDIUM | CVE-2026-22551 | @theia/ai-chat: prompt injection exfiltrates workspace secrets | @theia/ai-ide | - |
| HIGH | CVE-2026-44688 | Eclipse Theia: indirect prompt injection → RCE + exfil | @theia/ai-ide | - |
| HIGH | CVE-2026-46580 | Eclipse Theia: workspace prompt injection enables RCE/exfil | @theia/ai-editor | - |
| HIGH | GHSA-fq4x-789w-jg5h | agenticmail: email prompt injection → bypassPermissions RCE | @agenticmail/openclaw | - |
| HIGH | GHSA-xcqx-9jf5-w339 | mcp-searxng: DoS via unbounded URL response read | 7.5 | |
| MEDIUM | CVE-2026-12797 | litellm: auth bypass in banned keywords enterprise hook | litellm | 6.3 |
| MEDIUM | CVE-2026-55443 | LangChain: path traversal exposes files outside agent root | langchain | 5.5 |
| MEDIUM | CVE-2026-22170 | OpenClaw: empty allowlist bypasses BlueBubbles DM auth | OpenClaw | 6.5 |
| MEDIUM | CVE-2026-32005 | OpenClaw: auth bypass enables AI agent session poisoning | OpenClaw | 6.8 |
| MEDIUM | CVE-2026-32899 | OpenClaw: sender-policy bypass injects unauthorized agent events | OpenClaw | 4.3 |
| MEDIUM | CVE-2026-32923 | OpenClaw: auth bypass enables Discord reaction context injection | OpenClaw | 5.4 |
| MEDIUM | CVE-2026-35628 | OpenClaw: webhook brute-force bypasses AI agent auth | OpenClaw | 4.8 |
| HIGH | CVE-2026-55249 | @rtk-ai/rtk-rewrite: RCE via shell injection in exec tool | openclaw | 8.8 |
| MEDIUM | CVE-2026-41863 | Spring AI: path traversal via LLM-chosen filenames | org.springframework.ai:spring-ai-anthropic | 6.5 |
| HIGH | CVE-2026-10564 | Langflow: SSRF via RSS/SearXNG exposes cloud IAM creds | langflow | 8.2 |
| HIGH | CVE-2026-50180 | langroid: SQL blocklist bypass leaks Postgres files | langroid | - |
| MEDIUM | CVE-2026-14898 | OpenAI Codex: prompt injection exfils data via images | 6.5 | |
| CRITICAL | CVE-2026-55615 | Langroid: unvalidated LLM Cypher enables graph RCE | langroid | - |