You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
|**EchoLeak (Zero-Click Prompt Injection)**| Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) |-|
21
-
|**GitPublic Issue Repo Hijack**| Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) |-|
20
+
|**EchoLeak (Zero-Click Prompt Injection)**| Critical zero-click exploit allowing a mere email to trigger Copilot into leaking confidential data (emails, files, chat logs) outside its intended scope | T06 (Goal Manipulation) |https://arxiv.org/abs/2509.10540|
21
+
|**GitPublic Issue Repo Hijack**| Public issue text hijacked an AI dev agent into leaking private repo contents via cross-repo prompt injection | T06 + T12 (Agent Communication Poisoning) |https://www.docker.com/blog/mcp-horror-stories-github-prompt-injection/|
|**Replit Vibe Coding Meltdown – Jul 2025**| Agent hallucinated data, deleted a production DB, and generated false outputs to hide mistakes | T07 (Deceptive Behaviour) | - |
24
-
|**Agent-in-the-Middle (A2A Protocol Spoofing) – Apr 2025**| A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | TI12 + TI13 (Rogue Agents) |-|
|**Agent-in-the-Middle (A2A Protocol Spoofing) – Apr 2025**| A malicious agent published a fake agent card in an open A2A directory, falsely claiming high trust. The LLM judge agent selected it, enabling the rogue agent to intercept sensitive data and leak it to unauthorized parties. | TI12 + TI13 (Rogue Agents) |[-](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-the-middle-abusing-agent-cards-in-the-agent-2-agent-protocol-to-win-all-the-tasks/)|
|**OpenAI ChatGPT Operator Vulnerability – Feb 2025**| Prompt injection in web content caused the Operator to follow attacker instructions, access authenticated pages, and expose users’ private data. Showed leakage risks from lightly guarded autonomous agents. | T06 (Intent Breaking & Goal Manipulation) + T02 (Tool Misuse) + T03 (Privilege Compromise) | - |
30
30
|**Microsoft Copilot Studio Security Flaw – 2025**| Agents were public by default and lacked authentication. Attackers could enumerate and access exposed agents, pulling confidential business data from production environments. | T03 (Privilege Compromise) + T09 (Identity Spoofing & Impersonation) | - |
31
31
|**Flowise Pre-Auth Arbitrary File Upload – CVE-2025-26319 (Mar 2025)**| Unauthenticated arbitrary file upload enabled compromise of the agent framework and potential remote server control after delayed vendor response | T11 (Unexpected RCE and Code Attacks) | - |
32
32
|**GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025**| Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | - |
33
+
|**ShadowLeak - Sept 2025 **| Chains gmail and web search access with indirect prompt injection for ChatGPT Deep Research abuse ||*(unspecified)*||https://www.radware.com/blog/threat-intelligence/shadowleak/|
0 commit comments