arxiv.org
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-22.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-04-22 | A Survey of the Overlooked Dangers of Template Engines (arXiv 2024) | SSTI | Survey of template engines, focusing on Remote Code Execution (RCE) via Server-Side Template Injection (SSTI). This paper analyzes 34 template engines across eight languages, categorizing RCE paths and mitigation strategies. It highlights common vulnerabilities, information disclosure, unauthorized access, and DoS, emphasizing RCE as a critical threat often overlooked in current research. The work also examines real-world SSTI instances and CVEs from platforms like HackerOne. |
| 2026-04-22 | When AI Meets the Web: Prompt Injection Risks in Third-Party AI Chatbot Plugins | AI | Survey of prompt injection risks in third-party AI chatbot plugins, analyzing 17 plugins used by over 10,000 websites. Eight plugins fail to enforce conversation history integrity, amplifying direct prompt injection by allowing forged system messages. Fifteen plugins indiscriminately ingest third-party content for web scraping, enabling indirect prompt injection when attackers poison external data. This study systematically evaluates these vulnerabilities, showing how insecure plugin practices undermine LLM-level defenses. |
| 2026-04-22 | Prompt Injection Attacks on Agentic Coding Assistants: A Systematic Analysis | AI | Analysis of prompt injection vulnerabilities affecting agentic AI coding assistants like Claude Code, GitHub Copilot, and Cursor, which integrate LLMs with external tools and protocols such as MCP. This work synthesizes findings from 78 studies, detailing 42 attack techniques including input manipulation, tool poisoning, and protocol exploitation. It finds that over 85% of attacks succeed against current defenses, often enabling arbitrary code execution and system compromise through vulnerabilities in skill-based architectures and protocol ecosystems. |
| 2026-04-22 | Prompt Injection 2.0: Hybrid AI Threats | AI | Library for analyzing Prompt Injection 2.0, which combines LLM manipulation with traditional exploits like XSS and CSRF. It builds upon Preamble's research and mitigation technologies, evaluating them against contemporary threats such as AI worms and multi-agent infections. The library analyzes how these hybrid attacks bypass security controls, referencing CVE-2024-5565 and DeepSeek XSS exploits, and proposes architectural solutions involving prompt isolation and runtime security. |
| 2026-04-22 | Architecting Secure AI Agents: System-Level Defenses Against Indirect Prompt Injection | AI | Library for architecting secure AI agents, focusing on system-level defenses against indirect prompt injection. It proposes dynamic replanning, constrained LLM decision-making, and treating personalization and human interaction as core design elements. The work critiques existing benchmarks, highlighting the importance of system-level structures for controlling agent behavior and integrating rule-based and model-based security checks. |
| 2026-04-22 | deepSURF: Detecting Memory Safety Vulnerabilities in Rust Through Fuzzing LLM-Augmented Harnesses | Fuzzing | Tool integrating static analysis and LLM-guided fuzzing to detect memory safety vulnerabilities in Rust's unsafe code. deepSURF handles generics by substituting them with custom types and uses LLM-augmented harnesses for complex API interactions. Evaluation on 27 Rust crates revealed 20 known and 6 previously unknown memory safety bugs, surpassing state-of-the-art tools. |
| 2026-04-22 | Fixing Security Vulnerabilities with AI in OSS-Fuzz | Fuzzing | Library that customizes the AutoCodeRover LLM agent, named CodeRover-S, for autonomously fixing security vulnerabilities detected by OSS-Fuzz. This approach leverages exploit input from fuzzing campaigns to extract dynamic call graph information and augment vulnerability reports. CodeRover-S aims to improve patch generation success rates by incorporating type-based analysis at identified faulty program locations, focusing on dynamic attributes for patch correctness over static code similarity metrics. |
| 2026-04-22 | A Survey of Network Protocol Fuzzing: Model, Techniques and Directions | Fuzzing | Survey of network protocol fuzzing techniques; this paper systematically reviews advancements, proposes a unified process model, and discusses techniques for syntax acquisition, test case generation, execution, monitoring, and feedback utilization. It highlights challenges unique to network protocols, such as statefulness and structured input, and points to promising research directions, referencing vulnerabilities like Heartbleed (CVE-2014-0160) found in software like OpenSSL. |
| 2026-04-22 | Synthesizing XSS Polyglots with Monte Carlo Tree Search (arXiv 2025) | XSS | |
| 2026-04-19 | Prompt Injection Attack Against LLM-Integrated Applications — arXiv | AI | Survey of prompt injection attacks against LLM-integrated applications, detailing the limitations of current methods and introducing HouYi, a novel black-box attack technique. HouYi, inspired by traditional web injection, comprises a pre-constructed prompt, an injection prompt for context partitioning, and a malicious payload. The study demonstrates severe outcomes like unrestricted LLM usage and application prompt theft across 36 real-world applications, with 31 found vulnerable and 10 vendors, including Notion, validating the discoveries. |
| 2026-04-17 | Closing the Chain: How to reduce SolarWinds/Log4j/XZ risk (arXiv) | Supply Chain | Analysis of the SolarWinds, Log4j, and XZ Utils attacks that systematically maps attacker techniques to 73 mitigation tasks across 10 software supply chain frameworks. Prioritized mitigation tasks include role-based access control, system monitoring, and boundary protection. The analysis also identifies critical missing tasks, such as sustainable open-source software support and environmental scanning tools, highlighting continued gaps in existing frameworks. |
| 2026-04-17 | SBOM Literature Review (arXiv) | Supply Chain | Survey of Software Bill of Materials (SBOM) literature that systematically reviews 40 studies on SBOMs for software supply chain security, identifying five key application areas: vulnerability management, transparency, component assessment, risk assessment, and integrity. Adoption barriers include generation tooling, data privacy, standardization issues with formats like SPDX and CycloneDX, and challenges with analysis and maintenance. The review maps these barriers to the ISO/IEC 25019:2023 Quality-in-Use model, highlighting deficiencies in trustworthiness and usability, and notes gaps in machine learning and software quality assurance applications. |
| 2026-04-16 | Empirical Study on RCE in ML Model Hosting Ecosystems | RCE | Survey of Remote Code Execution risks in ML model hosting ecosystems, analyzing custom code execution on platforms like Hugging Face and ModelScope. The study employs the static analysis tools Bandit, CodeQL, and Semgrep, alongside YARA for pattern detection, to identify vulnerabilities. It also examines platform security mechanisms and developer discussions to understand perceptions, revealing widespread unsafe defaults and developer confusion about executing remote code. |
| 2026-04-16 | The Art of Hide and Seek: Pickle-Based Model Supply Chain Poisoning | Deser | Library for detecting and bypassing pickle-based model supply chain poisoning in Python AI/ML frameworks. It systematically discloses the poisoning surface across model loading paths and risky functions, identifying 22 overlooked loading paths and 133 exploitable gadgets. The research also introduces Exception-Oriented Programming (EOP) to bypass scanners, demonstrating robust vulnerabilities missed by current detection solutions like PickleScan and ModelScan, and leading to a $6000 bug bounty. |
| 2026-04-16 | Bypassing LLM Guardrails: Evasion Attacks against Prompt Injection Detection | AI | Analysis of evasion attacks against LLM guardrail systems, detailing two methods: character injection and algorithmic Adversarial Machine Learning (AML). Tested against Azure Prompt Shield and Meta's Prompt Guard, these techniques achieved up to 100% evasion success while maintaining adversarial utility. Attack Success Rates against black-box targets were enhanced by leveraging word importance ranking from offline white-box models, exposing weaknesses in current LLM protection mechanisms. |
| 2026-04-16 | EchoLeak: First Real-World Zero-Click Prompt Injection Exploit | AI | Writeup of EchoLeak (CVE-2025-32711), the first zero-click prompt injection exploit targeting Microsoft 365 Copilot. This vulnerability allowed unauthenticated data exfiltration via a crafted email by chaining multiple bypasses, including evading XPIA classifiers, using reference-style Markdown, exploiting auto-fetched images, and abusing a Microsoft Teams proxy within the content security policy. The paper analyzes defense failures and proposes mitigations such as prompt partitioning and enhanced filtering, providing generalizable lessons for secure AI copilots. |
| 2026-04-16 | The Dark Side of LLMs: Agent-based Attacks for Complete Computer Takeover | AI | Survey of LLM agent vulnerabilities; demonstrates how 94.4% of 18 tested LLMs succumb to Direct Prompt Injection and 83.3% to RAG Backdoor Attacks, enabling malware execution. Inter-Agent Trust Exploitation compromises 100.0% of models, showcasing context-dependent security behaviors that create exploitable blind spots within multi-agent systems. |
| 2026-04-16 | MCP Safety Audit: LLMs with MCP Allow Major Security Exploits | AI | Tool for auditing Model Context Protocol (MCP) servers: McpSafetyScanner automatically detects vulnerabilities like malicious code execution, remote access control, and credential theft in generative AI applications. It identifies adversarial samples, searches for related exploits, and generates remediation reports for MCP developers. The tool aims to proactively mitigate security risks introduced by LLMs using the MCP framework, addressing issues present in industry-leading LLMs such as Claude and Llama. |
| 2026-04-11 | G2Fuzz: Grammar-Aware Fuzzing with LLMs | Fuzzing | Library for grammar-aware fuzzing: G2Fuzz leverages LLMs to synthesize and mutate Python scripts that generate inputs conforming to complex, non-textual grammars like TIFF images and MP4 audio. It combines LLM-driven "holistic search" for novel input generation with traditional fuzzers like AFL++ for efficient "local search." This hybrid approach significantly enhances code coverage and bug discovery, outperforming tools such as AFL++, Fuzztruction, and FormatFuzzer on benchmarks like UNIFUZZ and FuzzBench, and has discovered bugs including some acknowledged with CVEs. |
| 2026-04-11 | Involuntary Jailbreak: On Self-Prompting Attacks | AI | Library disclosing "involuntary jailbreak," a new LLM vulnerability. This technique employs a single universal prompt to compel models like Claude Opus 4.1, Grok 4, Gemini 2.5 Pro, and GPT 4.1 to generate previously rejected questions and their detailed answers, potentially compromising the entire guardrail structure rather than localized components. |
| 2026-04-11 | Practical Poisoning Attacks against Retrieval-Augmented Generation | AI | Library introducing CorruptRAG, a novel poisoning attack against Retrieval-Augmented Generation (RAG) systems. This technique injects a single poisoned text into the knowledge database, significantly enhancing attack feasibility and stealth compared to prior methods that required numerous poisoned entries. Experiments on large-scale datasets validate CorruptRAG's effectiveness in compromising RAG outputs. |
| 2026-04-11 | RAG Safety: Exploring Knowledge Poisoning Attacks to RAG | AI | Analysis of knowledge poisoning attacks targeting Retrieval-Augmented Generation (RAG) systems, specifically focusing on KG-RAG. This work introduces a practical, stealthy attack strategy that inserts perturbation triples into knowledge graphs to create misleading inference chains, degrading KG-RAG performance. Experiments demonstrate the attack's effectiveness against four recent KG-RAG methods with minimal KG perturbations. |
| 2026-04-11 | Benchmarking Poisoning Attacks against Retrieval-Augmented Generation | AI | Benchmark framework for evaluating poisoning attacks on Retrieval-Augmented Generation (RAG) systems. This benchmark includes 5 standard QA datasets, 10 expanded variants, 13 poisoning attack methods, and 7 defense mechanisms. Findings reveal that while current attacks are effective on standard datasets, their impact diminishes on expanded versions; advanced RAG architectures like sequential, branching, conditional, loop, conversational, multimodal RAG, and RAG-based LLM agents remain vulnerable, with existing defenses proving insufficient. |
| 2026-04-10 | Multi-target Coverage-based Greybox Fuzzer | Fuzzing | Library implementing Multi-target Coverage-based Greybox Fuzzing (MTCFuzz) for architectures where operating systems and firmware cooperate. It leverages code coverage from both components within a QEMU virtualization environment to achieve deeper system exploration than single-target fuzzing, addressing issues like those observed with OpenSBI bugs. |
| 2026-04-10 | PickleBall: Secure Deserialization of Pickle-based ML Models | Deser | Library for securely deserializing pickle-based machine learning models. PickleBall statically analyzes model source code to generate custom policies for safe load-time behavior, enforcing them dynamically as a replacement for the standard pickle module. This approach correctly loads 79.8% of benign models while rejecting all tested malicious examples, offering a significant improvement over existing model scanners and loaders. |
| 2026-04-10 | Deserialization Gadget Chains in Android: An In-Depth Study | Deser | Analysis of Java deserialization gadget chains in Android, using a novel detection tool to analyze the Android SDK and third-party libraries. The study found that the Android SDK contains trampoline gadgets similar to those in the Java Class Library and can trigger Java native serialization via the Parcel API. However, despite extensive testing, no security-critical gadget chains were discovered in the analyzed Android codebases, suggesting the problem is less prevalent than commonly assumed. |
| 2026-04-06 | Enhancing REST API Fuzzing with Access Policy Violation Detection | API Sec, Fuzzing | Library for enhancing REST API fuzzing by integrating novel automated oracles. These oracles detect violations of access policies, specifically addressing Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA), alongside traditional attacks like SQL Injection and XSS. The techniques are integrated into EvoMaster, a state-of-the-art REST API fuzzer, and can generate executable test cases in multiple programming languages upon detecting security faults. Experiments demonstrate improved detection of security issues compared to existing methods. |
| 2026-04-06 | Fuzzing REST APIs in Industry: Necessary Features and Lessons Learned | Fuzzing | Tool report detailing the integration of the open-source fuzzer EvoMaster into industrial REST API testing at Volkswagen AG. It shares lessons learned and discusses the features academic prototypes need to achieve real impact in software engineering, based on evaluations of four APIs and a user study with eleven testing specialists. |
| 2026-04-03 | Red Teaming the Mind of the Machine: Evaluation of Prompt Injection and Jailbreak Vulnerabilities | AI | Survey of prompt injection and jailbreak vulnerabilities against state-of-the-art LLMs including GPT-4, Claude 2, Mistral 7B, and Vicuna. This research categorizes over 1,400 adversarial prompts and analyzes their success rates, generalizability, and construction logic, drawing from public repositories and forums. The study also proposes layered mitigation strategies and recommends a hybrid red-teaming and sandboxing approach for robust AI security, noting prompt injection as a critical vulnerability identified by OWASP. |
| 2026-04-03 | MALF: A Multi-Agent LLM Framework for Intelligent Fuzzing | Fuzzing | Framework (MALF) that integrates multi-agent large language models for intelligent fuzzing of industrial control protocols like Modbus/TCP, S7Comm, and Ethernet/IP. It utilizes Retrieval-Augmented Generation and QLoRA fine-tuning for protocol-aware input generation, optimizing seed selection, mutation strategies, and feedback loops. In real-world ICS environments, MALF identified critical vulnerabilities, including zero-days registered by CNVD, surpassing traditional fuzzing methods with higher test case pass rates and improved exception trigger generation. |
| 2026-04-03 | A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI | Python | |