Compromise OpenClaw with Prompt Injections in Message Objects

Executive Summary As powerful personal AI assistants become increasingly widespread, their ability to access tools, files, and external services also makes them susceptible to prompt injection attacks, where malicious content can manipulate their behavior. This research evaluated OpenClaw against...

CERT-In Recommends 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks

The Indian Computer Emergency Response Team CERT-In has issued new guidelines requiring organizations to patch critical security vulnerabilities in internet-exposed systems within 12 hours of being flagged where "feasible" to safeguard against potential threats stemming from threat actors' abuse ...

SecureMCP: A Policy-Enforced LLM Data Access Framework for AIoT Systems Via Model Context Protocol

The deployment of Large Language Model LLM-generated SQL queries in Artificial Intelligence of Things AIoT systems introduces critical security risks, as prompt injection attacks can manipulate LLMs into producing unauthorized queries that expose sensitive data or execute destructive operations...

Your Agent Is More Brittle Than You Think: Uncovering Indirect Injection Vulnerabilities in Agentic LLMs

The rapid deployment of open-source frameworks has significantly advanced the development of modern multi-agent systems. However, expanded action spaces, including uncontrolled privilege exposure and hidden inter-system interactions, pose severe security challenges. Specifically, Indirect Prompt...

CVE-2026-31854

Cursor is a code editor built for programming with AI. Prior to 2.0 ,if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to “assist” the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections...

SoK: The Attack Surface of Agentic AI -- Tools, and Autonomy

Recent AI systems combine large language models with tools, external knowledge via retrieval-augmented generation RAG, and even autonomous multi-agent decision loops. This agentic AI paradigm greatly expands capabilities - but also vastly enlarges the attack surface. In this systematization, we m...

How Vulnerable Are AI Agents to Indirect Prompt Injections? Insights from a Large-Scale Public Competition

LLM based agents are increasingly deployed in high stakes settings where they process external data sources such as emails, documents, and code repositories. This creates exposure to indirect prompt injection attacks, where adversarial instructions embedded in external content manipulate agent...

CVE-2026-31854

Cursor is a code editor built for programming with AI. Prior to 2.0 ,if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to “assist” the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections...

EUVD-2026-11245

Cursor is a code editor built for programming with AI. Prior to 2.0 ,if a visited website contains maliciously crafted instructions, the model may attempt to follow them in order to “assist” the user. When combined with a bypass of the command whitelist mechanism, such indirect prompt injections...

Skill-Inject: Measuring Agent Vulnerability to Skill File Attacks

LLM agents are evolving rapidly, powered by code execution, tools, and the recently introduced agent skills feature. Skills allow users to extend LLM applications with specialized third-party code, knowledge, and instructions. Although this can extend agent capabilities to new domains, it creates...

The Promptware Kill Chain: How Prompt Injections Gradually Evolved into a Multi-Step Malware

Whitepaper called The Promptware Kill Chain: How Prompt Injections Gradually Evolved Into A Multi-Step Malware...

AI (Artificial Intelligence) - Moderately critical - Cross-Site Scripting - SA-CONTRIB-2025-119

This modules provides the ability to chat with an AI Agent using a large-language model LLM provider for different purposes. The module doesn’t sufficiently filter LLM responses. This leads to a cross-site scripting XSS vulnerability where an attacker can use prompt injections on user-generated...

Gemini AI flaws could have exposed your data

Security researchers discovered three vulnerabilities in Google's Gemini artificial intelligence AI assistant. Although now patched, this "Trifecta", as the researchers called it, raises important questions about how safe AI tools really are, especially as they become a part of services many of u...

Better Privilege Separation for Agents by Restricting Data Types

Large language models LLMs have become increasingly popular due to their ability to interact with unstructured content. As such, LLMs are now a key driver behind the automation of language processing systems, such as AI agents. Unfortunately, these advantages have come with a vulnerability to...

Safeguarding VS Code against prompt injections

The Copilot Chat extension for VS Code has been evolving rapidly over the past few months, adding a wide range of new features. Its new agent mode lets you use multiple large language models LLMs, built-in tools, and MCP servers to write code, make commit requests, and integrate with external...

How Not to Detect Prompt Injections with an LLM

Whitepaper called How Not To Detect Prompt Injections With An LLM...

Leaky Thoughts: Large Reasoning Models Are Not Private Thinkers

We study privacy leakage in the reasoning traces of large reasoning models used as personal agents. Unlike final outputs, reasoning traces are often assumed to be internal and safe. We challenge this assumption by showing that reasoning traces frequently contain sensitive user data, which can be...

Design Patterns for Securing LLM Agents against Prompt Injections

As AI agents powered by Large Language Models LLMs become increasingly versatile and capable of addressing a broad spectrum of tasks, ensuring their security has become a critical challenge. Among the most pressing threats are prompt injection attacks, which exploit the agent's resilience on...

Can Large Language Models Really Recognize Your Name?

Large language models LLMs are increasingly being used to protect sensitive user data. However, current LLM-based privacy solutions assume that these models can reliably detect personally identifiable information PII, particularly named entities. In this paper, we challenge that assumption by...

Lessons from Defending Gemini against Indirect Prompt Injections

Gemini is increasingly used to perform tasks on behalf of users, where function-calling and tool-use capabilities enable the model to access user data. Some tools, however, require access to untrusted data introducing risk. Adversaries can embed malicious instructions in untrusted data which caus...