AML.T0051.000

Direct

An adversary may inject prompts directly as a user of the LLM. This type of injection may be used by the adversary to gain a foothold in the system or to misuse the LLM itself, as for example to generate harmful content.

39 CVEs mapped View on MITRE ATLAS →

Severity	CVE	Headline	Package	CVSS
CRITICAL	CVE-2026-39888	praisonaiagents: sandbox escape enables host RCE	praisonaiagents	10.0
CRITICAL	CVE-2026-30741	OpenClaw: RCE via request-side prompt injection	openclaw	9.8
CRITICAL	CVE-2024-7042	LangChainJS: prompt injection enables full graph DB takeover	langchain	9.8
CRITICAL	CVE-2026-41265	Flowise: RCE via prompt injection in Airtable Agent	flowise	9.8
CRITICAL	CVE-2023-29374	LangChain: RCE via prompt injection in LLMMathChain	langchain	9.8
CRITICAL	CVE-2023-38896	LangChain: RCE via unsandboxed LLM code execution	langchain	9.8
CRITICAL	CVE-2023-38860	LangChain: RCE via unsanitized prompt parameter	langchain	9.8
CRITICAL	CVE-2023-36095	LangChain PALChain: RCE via unsanitized exec() calls	langchain	9.8
CRITICAL	CVE-2026-41264	Flowise: prompt injection → unsandboxed RCE via CSV Agent	flowise-components	9.8
CRITICAL	CVE-2026-27966	langflow: Code Injection enables RCE	langflow	9.8
CRITICAL	CVE-2024-8309	LangChain GraphCypher: prompt injection enables DB wipe	langchain	9.8
CRITICAL	CVE-2024-12366	PandasAI: prompt injection enables unauthenticated RCE		9.8
CRITICAL	CVE-2024-23751	LlamaIndex: SQL injection in Text-to-SQL feature	llamaindex	9.8
CRITICAL	CVE-2023-32785	LangChain: prompt injection → SQL RCE (CVSS 9.8)	langchain	9.8
CRITICAL	CVE-2026-44211	cline: WebSocket auth bypass enables terminal RCE		9.6
HIGH	CVE-2026-41138	Flowise: RCE via unsanitized input in AirtableAgent	flowise	8.8
HIGH	CVE-2026-39891	praisonai: SSTI enables RCE via agent instructions	praisonai	8.8
HIGH	GHSA-f228-chmx-v6j6	Flowise: prompt injection RCE via AirtableAgent	flowise-components	8.3
HIGH	CVE-2026-41271	Flowise: SSRF via prompt template injection in API Chain	flowise	8.3
HIGH	GHSA-hr5v-j9h9-xjhg	OpenClaw: sandbox escape via mediaUrl path traversal	openclaw	7.7
HIGH	CVE-2023-32786	LangChain: prompt injection triggers SSRF via URL fetch	langchain	7.5
HIGH	CVE-2026-26321	OpenClaw: path traversal enables local file exfiltration	openclaw	7.5
HIGH	CVE-2024-58339	llamaindex: Resource Exhaustion enables DoS	llamaindex	7.5
HIGH	CVE-2024-58340	langchain: security flaw enables exploitation	langchain	7.5
HIGH	GHSA-6r77-hqx7-7vw8	FlowiseAI: SSRF via prompt injection in API Chain	flowise-components	7.1
HIGH	CVE-2024-12911	llama-index: SQLi+DoS via prompt injection in query engine	llamaindex	7.1
MEDIUM	GHSA-gpx9-96j6-pp87	agentos-taskweaver: Protection Bypass circumvents security controls		6.5
MEDIUM	CVE-2026-44222	vLLM: token injection DoS via multimodal placeholders	vllm	6.5
MEDIUM	CVE-2026-40087	LangChain: template injection leaks object attributes	langchain-core	5.3
MEDIUM	CVE-2026-40151	PraisonAI: unauthenticated agent config and system prompt disclosure	PraisonAI	5.3
MEDIUM	GHSA-926x-3r5x-gfhw	LangChain: f-string template injection exposes object internals	langchain-core	5.3
CRITICAL	GHSA-v38x-c887-992f	Flowise: prompt injection bypasses Python sandbox RCE	flowise-components	—
HIGH	CVE-2025-65106	langchain-core: security flaw enables exploitation	langchain-core	—
CRITICAL	CVE-2026-25481	langroid: Code Injection enables RCE		—
UNKNOWN	CVE-2026-33873	Langflow: server-side RCE via LLM-generated code exec	langflow	—
UNKNOWN	CVE-2026-4399	1millionbot Millie: Boolean prompt injection bypasses restrictions		—
UNKNOWN	CVE-2024-10950	gpt_academic: RCE via unsandboxed prompt injection	gpt_academic	—
HIGH	CVE-2026-40160	praisonaiagents: SSRF in web_crawl exposes cloud metadata	praisonaiagents	—
HIGH	GHSA-28g4-38q8-3cwc	Flowise: Cypher injection allows full Neo4j DB wipe	flowise-components	—