Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack

CVSS 8.3 flowise-components

`JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. The vulnerability affects

CVSS 7.1 llamaindex

server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection

Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains

CVSS 7.1 flowise-components

PraisonAIAgents: Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False

CVSS 7.4 praisonaiagents

@mobilenext/mobile-mcp: Arbitrary Android Intent Execution via mobile_open_url

CVSS 8.3 @mobilenext/mobile-mcp

Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks

CVSS 7.5 langchain

Open WebUI: Redis Cache Keys tool_servers and terminal_servers

CVSS 8.7 open-webui

blocklisting, or private network checks are applied before fetching. This allows an attacker (or prompt injection in crawled content) to force the agent to fetch cloud metadata endpoints, internal services

CVSS 7.7 praisonaiagents

read them directly. If an attacker can influence tool calls (directly or via prompt injection), they may be able to exfiltrate local files by supplying paths such as `/etc/passwd

CVSS 7.5 openclaw

output. An attacker who can supply or influence the parsed text (for example via prompt injection in downstream applications that pass LLM output directly into MRKLOutputParser.parse

CVSS 7.5 langchain

server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass the intended API documentation constraints and redirect requests to sensitive internal

CVSS 8.3 flowise

MCP Server Kubernetes is an MCP Server that can connect

CVSS 8.8 mcp-server-kubernetes

Anthropic Claude Code CLI and Claude Agent SDK contain an OS command injection vulnerability in the prompt editor invocation utility that allows attackers to execute arbitrary commands by crafting malicious

characters (for example newlines or Unicode bidi/zero-width markers), those characters could break the prompt structure and inject attacker-controlled instructions. Starting in version 2026.2.15, the workspace path is saniti

CVSS 7.8 openclaw

Open WebUI has Knowledge Base Destruction and RAG Poisoning via

CVSS 8.1 open-webui

From versions 0.3.79 and prior and 1.0.0 to 1.0.6, a template injection vulnerability exists in LangChain's prompt template system that allows attackers to access Python object internals through template

langchain-core

MCP Atlassian has SSRF via unvalidated X-Atlassian-Jira-Url

CVSS 8.2 mcp-atlassian

OpenClaw: Lower-trust background runtime output is injected into trusted

LangChain vulnerable to unsafe deserialization of attacker-controlled objects through

CVSS 8.2 langchain-core