AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-5002: A vulnerability has been found in PromtEngineer localGPT up to 4d41c7d1713b16b216d8e062e51a5dd88b20b054. The impacted el

highvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseMarch 28, 2026CVE-2026-5002

Summary

A vulnerability (CVE-2026-5002) was discovered in PromtEngineer localGPT that allows injection attacks (inserting malicious code into input) through the LLM Prompt Handler component in the backend/server.py file. An attacker can exploit this vulnerability remotely, and the exploit code has been publicly released. The vendor has not responded to disclosure attempts, and because the product uses rolling releases (continuous updates without traditional version numbers), specific patch information is unavailable.

Vulnerability Details

CVSS Score

7.3(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

network

Attack Complexity

low

Privileges Required

none

User Interaction

none

Disclosure Date

March 28, 2026

Classification

Attack Type

Prompt Injection

Attack SophisticationModerate

Impact (CIA+S)

integrity

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-74 CWE-707

MITRE ATLAS (AI/ML Threat Technique)

AML.T0051

Affected Vendors

Related Issues

high

AI Kill Chain in Action: Devin AI Exposes Ports to the Internet with Prompt Injection

Similar attackEmbrace The Red

medium

CVE-2024-45989: Monica AI Assistant desktop application v2.3.0 is vulnerable to Exposure of Sensitive Information to an Unauthorized Act

First tracked: March 28, 2026 at 02:07 PM

Classified by LLM (prompt v3) · confidence: 85%