945 matches found
EUVD-2026-41530
A vulnerability exists in the Kong Konnect Model Context Protocol MCP server prior to version 1.0.0, which could allow a remote attacker to perform an indirect prompt injection attack and execute unintended API requests...
CVE-2026-13341
A vulnerability exists in the Kong Konnect Model Context Protocol MCP server prior to version 1.0.0, which could allow a remote attacker to perform an indirect prompt injection attack and execute unintended API requests...
CVE-2026-13341
Kong Konnect MCP server (before 1.0.0) is affected. A remote attacker could perform an indirect prompt injection and cause unintended API requests due to the MCP component. Impact aligns with high-severity potential exposure (CVSS 7.4); exploit details are not provided in the sources. Remediation...
Flowise CSV Agent Prompt Injection RCE
This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run method of the CSVAgents class. The issue results from the lack of proper...
CVE-2026-10564
IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery SSRF. The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3. An authenticated attacker c...
CVE-2026-10564 SSRF Vulnerability in Langflow OSS Legacy Components Bypasses Protection
IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery SSRF. The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3. An authenticated attacker c...
EUVD-2026-40400
IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery SSRF. The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3. An authenticated attacker c...
PT-2026-53959
Name of the Vulnerable Software and Affected Versions IBM Langflow OSS versions 1.0.0 through 1.9.6 Description An authenticated attacker can perform a Server-Side Request Forgery SSRF, which occurs when a server is tricked into making requests to an unintended location. The issue exists because...
CVE-2026-55607
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor...
EUVD-2026-40117
Claude Code is an agentic coding tool. From 2.1.38 until 2.1.163, Claude Code's worktree handling allowed creation of worktrees named ".git" and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. By exploiting symlink manipulation and git fsmonitor...
CVE-2026-55607
CVE-2026-55607 affects Claude Code 2.1.38–2.1.163; worktree handling allowed creation of ".git" worktrees and navigation outside the sandbox, enabling git directory confusion. Exploit via symlink manipulation and git fsmonitor during worktree operations could overwrite home-dir files (e.g., .zshe...
PYSEC-2026-303 CAI find_file Agent Tool has Command Injection Vulnerability Through Argument Injection
Summary The CAI Cybersecurity AI framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via subprocess.Popen with shell=True, allowing attackers to execute arbitrary commands on the host system. Vulnerable...
PYSEC-2026-382 Langroid has Prompt to SQL Injection, Leading to RCE
Security Vulnerability Report: Prompt to SQL Injection leading to RCE in latest Langroid Affected Scope langroid @localhost:5432/postgres" Create SQL Chat Agent config = SQLChatAgentConfig databaseuri=DATABASEURI, llm=OpenAIGPTConfig apibase=os.getenv...
PYSEC-2026-372 Langchain SQL Injection vulnerability
In Langchain before 0.0.247, prompt injection allows execution of arbitrary code against the SQL service provided by the chain...
PYSEC-2026-562 vanna vulnerable to remote code execution caused by prompt injection
In the latest version of vanna-ai/vanna, the vanna.ask function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the exec function in...
PYSEC-2026-561 Vanna prompt injection code execution
The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with...
PYSEC-2026-397 llama-index-core Prompt Injection vulnerability leading to Arbitrary Code Execution
A vulnerability was identified in the executils class of the llamaindex package, specifically within the safeeval function, allowing for prompt injection leading to arbitrary code execution. This issue arises due to insufficient validation of input, which can be exploited to bypass method...
PYSEC-2026-448 PandasAI interactive prompt function Remote Code Execution (RCE)
PandasAI uses an interactive prompt function that is vulnerable to prompt injection and run arbitrary Python code that can lead to Remote Code Execution RCE instead of the intended explanation of the natural language processing by the LLM. The security controls of PandasAI 2.4.3 and earlier fail ...
PT-2026-52680
Name of the Vulnerable Software and Affected Versions Claude Code affected versions not specified Description A prompt injection flaw allows for a full sandbox escape, leading to arbitrary code execution on the host system. This issue persists even when the software is configured with read-only...
Malicious code in unsafe-malicious-package (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3579cb796e48f446b07e2dbbce2e301d1a3e87d8a9a35ed1dbe825fc53f29da9 On npm install, the package's postinstall lifecycle script scripts/postinstall.js reads the installer's AWS credentials file at /.aws/credentials and...